SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Commerce)  >   ViArt Shop Vendors:   codetosell.com
ViArt Shop Input Validation Hole Permits Cross-Site Scripting and Information Disclosure Attacks
SecurityTracker Alert ID:  1021497
SecurityTracker URL:  http://securitytracker.com/id/1021497
CVE Reference:   CVE-2008-6757, CVE-2008-6758, CVE-2008-6759, CVE-2008-6760, CVE-2008-6765, CVE-2008-6766   (Links to External Site)
Updated:  Apr 30 2009
Original Entry Date:  Dec 29 2008
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.5; possibly other versions
Description:   Several vulnerabilities were reported in ViArt Shop. A remote user can conduct cross-site scripting attacks. A remote user can determine the installation path. A remote user can determine SQL table names.

The 'cart_save.php' script does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ViArt Shop software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><a href="http://www.google.com">Google</a></html>

http://[target]/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>

http://[target]/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://[attacker]";</script></html>

The code will be executed when the target user loads 'user_carts.php'.

The 'manual_search' parameter of 'manuals_search.php' is also affected.

A remote user can request the following type of URL to determine the installation path:

http://[target]/manuals_search.php?POST_DATA=http://[site-that-does-not-exist]

A remote user can supply a specially crafted 'user_id' parameter to cause the system to display the SQL table names as part of an error message.

A remote user can supply a specially crafted cart-id value to access a target user's shopping cart.

Xia Shing Zee reported these vulnerabilities.
Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ViArt Shop software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

A remote user can determine SQL table names.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.viart.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  29 Dec 2008 05:58:07 -0000
Subject:  ViArt Shopping Cart v3.5 Multiple Remote Vulnerabilities

===============================================================
!vuln
ViArt Shopping Cart v3.5 is prone to multiple remote 
vulnerabilities. Earlier versions may also be affected.
===============================================================

===============================================================
!dork
Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products  Search" +"Advanced Search"
 + "All Categories"
===============================================================

===============================================================
!risk 1 - Full Path Disclosure
Low
Attackers can use this vulnerability to leverage another attack
after the full path has been disclosed.
===============================================================

===============================================================
!discussion 1 - Full Path Disclosure
The server will give an error when any URL real/imaginary is 
passed to the POST_DATA parameter:
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com

A remote user is able to identify the full path of the document
root folder.
===============================================================

===============================================================
!risk 2 - Information Disclosure
Medium
The table names can be further leveraged for a SQL injection if
one exists.
===============================================================

===============================================================
!discussion 2 - Information Disclosure
When a user is not signed in, the tables are shown to the 
attacker via an error, because the PHP form fails to properly
sanitize user_id since the user is not logged in.

The attacker must first try to add a product to the cart and 
then save the shopping cart for the tables to be revealed by 
browsing to: http://www.victim.com/cart_save.php
===============================================================

===============================================================
!risk 3 - Arbitrary Code Injection
High
Attackers can use this vulnerability to execute arbitrary code
on a legitimate user.
===============================================================

===============================================================
!discussion 3 - Arbitrary Code Injection
The attacker is able to create shopping carts with 
HTML/Javascript injected code such as:
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><a href="http://www.google.com">Google</a></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>

Then when the user visits "My Saved Carts" at 
http://victim.com/user_carts.php the code is executed:
Example 1 would give a link to the Google search engine.
Example 2 would give a javascript alert popup displaying "VULN".
Example 3 would send the user to a malicious site.

Note: manuals_search.php is also vulnerable to the same 
HTML/Javascript vulnerability that allows for arbitrary code to
be executed:
http://www.victim.com/manuals_search.php?manuals_search=<html><script>window.location="http://malicious-site.com";</script></html>

A remote user is able to identify the full path of the document
root folder.
===============================================================

===============================================================
!extras
The Cart name is all that needs to be guessed/brute-forced for 
an attacker to gain entry to the shopping cart. As the cart-id 
increments from 1 upwards. This does not require any user-login
from the attacker.

An attacker could also overload the server with a ton of 
shopping carts by constantly refreshing cart_save.php to create
multiple shopping cart ID's.
===============================================================

===============================================================
!solution
ViArt Shopping Cart can still be used, but be wary of the full 
path disclosure and make sure no SQL injections can take place
once an attacker knows the table names. Alert users that they 
should be wary of which links they click on as an attacker 
could redirect them to a malicious site. The overloading of 
cart_save.php can be solved by placing IP-bans on attackers.
There is no solution to the brute-force guessing of cart names.
The vendor has not yet been notified.
===============================================================

===============================================================
!greetz
Greetz go out to the people who know me.
===============================================================

===============================================================
!author
Xia Shing Zee
===============================================================


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC