Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
CubeCart Input Validation Bugs in 'cart.php' and 'index.php' Permit Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1014984 |
|
SecurityTracker URL: http://securitytracker.com/id/1014984
|
|
CVE Reference:
CVE-2005-3152
(Links to External Site)
|
Updated: Jun 15 2008
|
Original Entry Date: Sep 28 2005
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 3.0.3
|
Description:
Lostmon reported vulnerability in CubeCart. A remote user can conduct cross-site scripting attacks.
The 'cart.php' and 'index.php' scripts do not properly filter HTML code from certain user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CubeCart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]
http://[target]/cc3/cart.php?act=reg&redir=[XSS-CODE]
http://[target]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go
http://[target]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]
The vendor was notified on September 24, 2005.
The original advisory is available at:
http://lostmon.blogspot.com/2005/09/
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CubeCart software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
The vendor has issued a fixed version (3.0.3).
|
Vendor URL: www.cubecart.com/site/home/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 28 Sep 2005 19:01:13 +0200
Subject: =?WINDOWS-1252?Q?CubeCart=99_3.0.3_multiple_variable_Cross_site_scripting?=
|
################################################
CubeCart™ 3.0.3 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=363
Advisore:http://lostmon.blogspot.com/2005/09/
cubecart-303-multiple-variable-cross.html
vendor confirmed: yes exploit avalable: yes
Fix available: yes
################################################
CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate some
variables upon submission to cart.php and index.php script
scripts.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss of
integrity.
###############
VERSIONS
###############
CubeCart™ 3.0.3 vulnerable
CubeCart™ 3.0.4 not vulnerable
#################
Timeline
#################
Discovered: 24 sep 2005
vendor notify: 24 sep 2005
Vendor response:26 sep 2005
Solution: 28 sep 2005
###############
Examples:
###############
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]
http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go
http://[victim]cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]
#############
SOLUTION
#############
################################################
MANUAL FIX
################################################
///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$redir = base64_decode($_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$redir = base64_decode(treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".$_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
header("Location: ".str_replace("&","&",base64_decode($_GET['redir'])));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
header("Location:
".str_replace("&","&",base64_decode(treatGet($_GET['redir']))));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$login->assign("VAL_SELF",$_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$login->assign("VAL_SELF",treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$box_content->assign("SEARCHSTR",$_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$searchwords = split ( "[ ,]", $_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']."
".$_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']."
".treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| functions.inc.php
| ========================================
| Core Frontend Functions
+--------------------------------------------------------------------------
*/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function currentPage(){
$currentPage = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
return $currentPage;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function currentPage(){
$currentPage = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));
}
return $currentPage;
}
///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ini['ver'] = '3.0.3';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ini['ver'] = '3.0.4';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##################### €nd ########################
Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
|
|
Go to the Top of This SecurityTracker Archive Page
|
