Thomas Ryan has reported multiple vulnerabilities in AspDotNetStorefront, which can be exploited by malicious people to conduct cross-site scripting attacks, perform certain administrative actions, and upload arbitrary files.

1) User input supplied to the "returnurl" parameter in "signin.aspx" in not sanitised properly before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's current browser session in context of an affected site.

Successful exploitation may result in exposure of various information (e.g. cookie-based authentication information) associated with the site running AspDotNetStorefront or inclusion of malicious content, which the user thinks is part of the real website.

Example:
http://[victim]/aspdotnetcart/admin/signin.aspx?returnurl=>"><script>alert(document.domain)</script>

2) Direct access to the administrative script "deleteicon.aspx" is not restricted properly, which can be exploited by anyone to access it and thereby delete arbitrary images by providing a valid ProductID.

3) Missing upload validation in the administrative script "images.aspx" makes it possible to upload files with arbitrary extensions and execute them.

Successful exploitation requires knowledge of an administrative password.

Solution
The vendor has reportedly issued updates, which address the vulnerabilities.
Further details available in Customer Area

Provided and/or discovered by
Thomas Ryan, Provide Security.

Deep Links
Links available in Customer Area