Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

Exploit Title: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
Exploit Author: Vulnerability-Lab
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-07-20
References (Source): https://www.vulnerability-lab.com/get_content.php?id=2278
Release Date: 2023-07-04
Vulnerability Laboratory ID (VL-ID): 2278

Common Vulnerability Scoring System: 5.4

Product & Service Introduction:
===============================
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.


Affected Product(s):
====================
ActiveITzone
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-20: Researcher Notification & Coordination (Security Researcher)
2021-08-21: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (User Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple HTML injection web vulnerabilities have been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.
The vulnerabilities allow remote attackers to inject their own HTML code via a persistent vector and so manipulate application content.

The persistent HTML injection vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding modules.
Remote attackers with accountant access are able to inject their own malicious code into the name parameter, which is then persistently rendered on the
profile view or the products preview listing. Three privilege levels are allowed to access the backend: accountant (low privileges), manager (medium privileges)
and admin (high privileges). Accountants are therefore able to attack the higher-privileged manager and admin roles when those users preview the affected
elements in the backend, compromising the application. The request method used to inject is POST, and the attack vector is persistent and located on the application side.

Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Details

Vulnerable Parameter(s):
[+] name
[+] phone
[+] address

Affected Module(s):
[+] manage profile
[+] products branding


Proof of Concept (PoC):
=======================
The HTML injection web vulnerabilities can be exploited by remote attackers with accountant access and with low user interaction.
For a security demonstration, or to reproduce the persistent HTML injection vulnerability, follow the information and steps provided below.


Exploitation: Payload
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">


Vulnerable Source: manage_admin & branding
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">
<div class="panel-heading">
<h3 class="panel-title">Manage Details</h3>
</div>
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8">
<div class="panel-body">
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>
<div class="col-sm-6">
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>
<div class="col-sm-6">
<input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-3">
Phone</label>
<div class="col-sm-6">
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">
</div></div>


--- PoC Session Logs (POST) ---
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680
Content-Length: 902
Origin:https://assm_cms.localhost:8080
Connection: keep-alive
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
https://assm_cms.localhost:8080/shop/admin/manage_admin/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive


Reference(s):
https://assm_cms.localhost:8080/shop/
https://assm_cms.localhost:8080/shop/admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/


Solution - Fix & Patch:
=======================
Disallow insertion of HTML code in input fields such as name, address and phone. Sanitize the content so that it is delivered securely.


Security Risk:
==============
The security risk of the HTML injection web vulnerabilities in the shopping web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Active Super Shop CMS v2.5 – HTML Injection Vulnerabilities: A Deep Dive into Persistent Web Exploits

Active Super Shop CMS v2.5, a multi-vendor e-commerce platform available on Codecanyon, has recently come under scrutiny due to a series of HTML injection vulnerabilities discovered by the Vulnerability Laboratory team. These flaws, rated at a CVSS score of 5.4, represent a medium-severity risk with significant implications for application integrity and user security. Despite being reported in 2021, public disclosure occurred in July 2023, highlighting a prolonged delay in remediation despite responsible disclosure practices.

Understanding HTML Injection in Web Applications

HTML injection is a type of client-side vulnerability where untrusted input is directly rendered in the browser without proper sanitization. Unlike XSS (Cross-Site Scripting), which often involves script execution, HTML injection focuses on manipulating the markup structure of web pages. When exploited, attackers can inject malicious HTML elements—such as <script>, <iframe>, or <form>—that persist across user sessions and affect application functionality.

In the case of Active Super Shop CMS v2.5, the vulnerability manifests in the profile management and product branding modules. Specifically, input fields such as name, phone, and address are not properly validated or escaped before being displayed to users, allowing attackers to inject persistent HTML content.

Attack Vector and Exploitation Techniques

Exploitation occurs via POST requests to backend endpoints responsible for updating user profiles or product metadata. The vulnerability is persistent, meaning the injected content remains stored in the database and is rendered whenever the affected page is accessed—regardless of the user session.

Consider the following example of a malicious payload injected into the name field:


POST /admin/profile/update HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded

name=John%20Doe%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&phone=%2B1234567890&address=123%20Main%20St

This request attempts to inject a script tag into the name field. If the application fails to sanitize the input, the script will be rendered directly in the user interface when the profile is viewed—potentially triggering a client-side alert or redirecting the user to a malicious site.

Real-World Implications and Attack Use Cases

While the immediate impact may appear limited, the real danger lies in the privilege escalation potential. The vulnerability is reachable by users with accountant privileges, the role with the lowest backend access rights, yet the injected content is rendered to higher-privileged roles (managers and admins) when they view the affected preview pages, so a low-privilege account can manipulate what high-privilege users see.

Attackers can leverage this to:

  • Session hijacking via embedded <iframe> or <script> that captures session cookies.
  • Persistent phishing attacks by injecting fake login forms or deceptive content.
  • External redirects using <a href="https://malicious-site.com"> to lure users into malicious websites.
  • Content manipulation to alter branding or product descriptions, undermining trust and integrity.

Technical Breakdown of the Vulnerable Modules

Vulnerable Parameter | Module            | Access Privilege | Attack Vector
---------------------|-------------------|------------------|--------------------------
name                 | Manage Profile    | Accountant       | Persistent HTML Injection
phone                | Manage Profile    | Accountant       | Persistent HTML Injection
address              | Products Branding | Accountant       | Persistent HTML Injection

Each of these fields is processed in a manner that assumes input is benign. No sanitization, encoding, or validation checks are applied, making the application susceptible to content manipulation.

Security Best Practices and Mitigation Strategies

To prevent such vulnerabilities, developers must implement robust input validation and output encoding. Key practices include:

  • Sanitization: Strip or escape HTML tags before rendering. Use functions or libraries such as htmlspecialchars() in PHP or DOMPurify in JavaScript.
  • Input validation: Enforce strict input patterns (e.g., only alphanumeric for names, phone numbers in format +1234567890).
  • Output encoding: Always encode data when displaying it in the browser, especially in dynamic content.
  • Role-based access control: Limit editing capabilities based on user roles and enforce audit trails.
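The following PHP is an added example, not code from the CMS or the advisory. It shows why the `value="..."` attribute of the Manage Details form is the breakout point seen in the vulnerable source above (a double quote ends the attribute and the `<img>` that follows is rendered), and how the allow-list validation and attribute-context output encoding listed here close it. The field names are the advisory's; the function names and the sample stored record are assumptions.

```php
<?php
declare(strict_types=1);

// Allow-list validation for the three affected fields. Returns one error
// message per rejected field; an empty array means the input is acceptable.
function validate_profile(array $input): array
{
    $errors = [];
    // Names: letters in any script, combining marks, spaces, apostrophes, dots, hyphens.
    if (!preg_match("/^[\\p{L}\\p{M} .'-]{1,80}$/u", $input['name'] ?? '')) {
        $errors['name'] = 'name contains characters that are not allowed';
    }
    // Phone: optional leading +, then 6 to 20 digits, spaces or hyphens.
    if (!preg_match('/^\+?[0-9 -]{6,20}$/', $input['phone'] ?? '')) {
        $errors['phone'] = 'phone may contain only digits, spaces, hyphens and a leading +';
    }
    // Address is free text, but angle brackets never belong in one.
    if (preg_match('/[<>]/', $input['address'] ?? '')) {
        $errors['address'] = 'address must not contain < or >';
    }
    return $errors;
}

// Output encoding for an HTML attribute context. ENT_QUOTES is what turns the
// closing quote of the payload into &quot;, so the browser stays inside value="".
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample record mirroring the advisory's PoC: the name carries a
// quote that terminates value="..." followed by an <img> tag.
$stored = [
    'name'    => 'Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.example/logo.png">',
    'phone'   => '017',
    'address' => '1 Example Street',
];

// Validation alone would have refused this record at the POST handler.
echo validate_profile($stored) ? "rejected on input\n" : "accepted on input\n";

// Vulnerable rendering (the pattern in the Manage Details form): the stored
// value is interpolated raw, so the quote ends the attribute and <img> is live.
echo '<input type="text" name="name" value="' . $stored['name'] . "\">\n";

// Hardened rendering: the same stored value stays an inert attribute string.
echo '<input type="text" name="name" value="' . attr($stored['name']) . "\">\n";
```

Both controls are needed: validation stops new payloads at the request boundary, while encoding at render time also neutralises values that reached the database before the fix.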

Here is a corrected example of safe input handling in PHP:


<?php // $pdo is assumed to be an already-open PDO connection
$name    = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
$phone   = preg_replace('/\D/', '', $_POST['phone'] ?? '');
$address = htmlspecialchars($_POST['address'] ?? '', ENT_QUOTES, 'UTF-8');
$stmt = $pdo->prepare("INSERT INTO profiles (name, phone, address) VALUES (?, ?, ?)");
$stmt->execute([$name, $phone, $address]);
?>

This code ensures that HTML tags are escaped before storage and that phone numbers are cleaned of non-numeric characters. The use of htmlspecialchars() prevents any malicious script from being rendered, while preg_replace() maintains data integrity.

Why Delayed Remediation Matters

The vulnerability was reported in August 2021 but only disclosed publicly in July 2023. This 2-year gap raises concerns about vendor responsiveness and software maintenance. Even with responsible disclosure, the absence of a timely fix increases the risk of exploitation in live environments.

For users of Active Super Shop CMS v2.5, this underscores the importance of:

  • Regular security audits of third-party software.
  • Immediate patching when vulnerabilities are disclosed.
  • Monitoring for signs of compromise such as unexpected redirects or content changes.
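Because the injection is persistent, patching the input path does not clean records that were stored before the fix. The following added example (not the CMS's own code) audits the profile fields for markup so an administrator can find already-injected rows. It assumes PHP with the pdo_sqlite extension and uses a constructed in-memory table in place of the real database; the table and column names are assumptions.

```php
<?php
declare(strict_types=1);

// Sequences that have no business in a name, phone or address: anything
// tag-like, an inline event-handler attribute, or a javascript: URL.
const MARKUP_PATTERN = '/<\s*\/?[a-z!?]|\bon[a-z]+\s*=|javascript:/i';

// Returns [[id, column, value], ...] for every stored field that looks like markup.
// $table and $columns are developer-supplied identifiers, never user input.
function audit_fields(PDO $db, string $table, array $columns): array
{
    $cols = implode(', ', $columns);
    $findings = [];
    foreach ($db->query("SELECT id, $cols FROM $table") as $row) {
        foreach ($columns as $col) {
            if (preg_match(MARKUP_PATTERN, (string) $row[$col])) {
                $findings[] = [$row['id'], $col, $row[$col]];
            }
        }
    }
    return $findings;
}

// Constructed in-memory stand-in for the CMS database (assumed schema).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, address TEXT)');
$insert = $db->prepare('INSERT INTO profiles (name, phone, address) VALUES (?, ?, ?)');
$insert->execute(['Jane Manager', '+49 30 123456', '1 Example Street']);
$insert->execute(['Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.example/logo.png">', '017', 'n/a']);
$insert->execute(['Sam Admin', '018', '2 Sample Road <a href="https://malicious-site.example/login">']);

// Expected: profile 2 (name) and profile 3 (address) are reported.
foreach (audit_fields($db, 'profiles', ['name', 'phone', 'address']) as [$id, $col, $value]) {
    printf("profile %d: field '%s' contains markup: %s\n", $id, $col, $value);
}
```

Run the same audit against the products branding table after patching, and re-run it periodically as a cheap content-change monitor.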

Conclusion

Active Super Shop CMS v2.5’s HTML injection vulnerabilities serve as a stark reminder that even seemingly minor input fields can become high-risk vectors if not properly secured. The persistent nature of the flaw, combined with low-privilege access enabling escalation, makes it a serious concern for e-commerce platforms handling sensitive data.

Developers and administrators must prioritize input sanitization, enforce strict validation, and maintain proactive security monitoring. In today's threat landscape, neglecting basic security hygiene can lead to significant breaches, whatever the application's intended functionality.