Title: iScripts EasyCreate 3.0 Multiple Vulnerabilities
Advisory ID: ZSL-2016-5298
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (4/5)
Release Date: 28.01.2016

Summary

iScripts EasyCreate is a private label online website builder. This software allows you to start an online business by offering website building services to your customers. Equipped with drag and drop design functionality, crisp templates and social sharing capabilities, this online website builder software will allow you to provide the best website building features to your users.

Description

iScripts EasyCreate suffers from multiple vulnerabilities including SQL Injection, XSS and CSRF.

Vendor

iScripts.com - http://www.iscripts.com

Affected Version

3.0

Tested On

Apache
MySQL 5.5.40

Vendor Status

[17.11.2015] First contact to vendor.
[08.12.2015] Follow up with vendor. No response received.
[08.12.2015] Ticket Created using online portal (id #010248399110346).
[08.12.2015] Ticket closed by vendor without requesting vulnerability details.
[28.12.2015] Vendor responds asking more details.
[29.12.2015] Sent details to the vendor.
[05.01.2016] Follow up with vendor. No response received.
[14.01.2016] Follow up with vendor. No response received.
[28.01.2016] Public Security advisory released.

PoC

iscripts_mv.txt

Credits

Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>

References

[1] https://packetstormsecurity.com/files/135512
[2] https://cxsecurity.com/issue/WLB-2016010231
[3] https://www.exploit-db.com/exploits/39386/

Changelog

[28.01.2016] - Initial release
[31.01.2016] - Added reference [1] and [2]
[01.02.2016] - Added reference [3]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk