Category:   Application (Commerce)  >   Agora.cgi
Vendors:   [Multiple Authors/Vendors]
(Vendor Issues Patch) Re: Agora.cgi Commerce Package Input Filtering Flaw Allows Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1003388
SecurityTracker URL:  http://securitytracker.com/id/1003388
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 29 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): v3.3e; possibly other versions
Description:   A cross-site scripting vulnerability was reported in the Agora.cgi commerce system.

A remote user can write a web page or HTML-based e-mail message containing a link to a vulnerable site running Agora.cgi. If the link contains embedded JavaScript and is accessed by the target user (i.e., the victim), the JavaScript will execute in the security domain of the Agora.cgi site and may be able to access the target user's cookies associated with that site. The code could also take actions involving the web site on behalf of the target user.

The following type of URLs can reportedly be used to demonstrate the flaw:

http://[targethost]/store/agora.cgi?cart_id=<IMG%20height=47%20src="http://www.securityoffice.net/images/title.gif"%20width=406%20border=0>&xm=on&product=HTML

http://[targethost]/store/agora.cgi?cart_id=<script>alert(document.cookie)</script>&xm=on&product=HTML

Impact:   A remote user can conduct cross-site scripting attacks using a site running Agora.cgi. A remote user can create JavaScript that, when executed on another user's browser, may be able to access that user's cookies and other information associated with the site running Agora.cgi.
Solution:   The vendor has released a special security add-on library for agora versions 3.2b to 4.0d, available at:

http://www.agoracgi.com/agora/security_01242002.pl

Vendor URL:  www.agoracgi.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Dec 18 2001 Agora.cgi Commerce Package Input Filtering Flaw Allows Cross-Site Scripting Attacks



 Source Message Contents

Subject:  Re: Agoracgi v3.3e Cross Site Scripting Vulnerability



In-Reply-To: <068b01c1874a$7b1296b0$cb9c2bd5@ts>

Sites desiring to eliminate the issue in diagnostic mode as well as remove all < and > 
characters from all user input can install the library below.  

Steve...
--

# Special Security add-on library for agora versions 3.2b to 4.0d
#
# Puts the store in 'paranoia' mode, all < and > chars are converted
# to # chars if they are found in the input stream.
#
# May fix unknown and undiscovered problems, eliminates problems in
# diagnostic mode in 4.0x.
#
# Install in store/custom directory, set permissions to 555
#
# Not required if running ashim40update.pl version 1/24/02 or later
#
# SPK Jan 24, 2002
$versions{'security_01242002'} = '01242002';
&add_codehook("alias_and_override_top","special_security_f1_01242002");
sub special_security_f1_01242002 {
  # cart_id: HTML-encode < and > so they display as text
  $form_data{'cart_id'} =~ s/</&lt;/g;
  $form_data{'cart_id'} =~ s/>/&gt;/g;
  # every form field: replace any remaining < or > with #
  for $inx (keys %form_data) {
    $form_data{$inx} =~ s/</#/g;
    $form_data{$inx} =~ s/>/#/g;
  }
}
&add_codehook("alias_and_override_end","special_security_f2_01242002");
sub special_security_f2_01242002 {
  # clear cart_id unless it starts with <word chars, - = + />.<word chars>
  if (!($form_data{'cart_id'} =~ /^([\w\-\=\+\/]+)\.(\w+)/)) {
    $form_data{'cart_id'} = '';
  }
}
#
1; # Library
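
The following stand-alone script is an added example, not part of the vendor library or the original message: it replays the two hooks' substitutions and cart_id check on sample form input outside of Agora.cgi, so the effect of each step can be seen. The function names, the numeric cart_id values and the fully anchored strict_check pattern are assumptions made for illustration; the script value is the demonstration cart_id from the advisory above.

```perl
#!/usr/bin/perl
# Added example (not vendor code): replays both hooks on sample input.
use strict;
use warnings;

# Same substitutions as special_security_f1_01242002, applied to a copy.
sub paranoia_filter {
    my (%form) = @_;
    if (defined $form{cart_id}) {
        $form{cart_id} =~ s/</&lt;/g;
        $form{cart_id} =~ s/>/&gt;/g;
    }
    for my $key (keys %form) {
        $form{$key} =~ s/[<>]/#/g;    # every field: < and > become #
    }
    return %form;
}

# Same pattern as special_security_f2_01242002: anchored at the start only,
# so characters after the matched prefix do not cause a rejection.
sub vendor_check {
    my ($id) = @_;
    return $id =~ /^([\w\-\=\+\/]+)\.(\w+)/ ? $id : '';
}

# Hypothetical stricter variant (an assumption, not vendor code): \A and \z
# anchor both ends, so the whole value must fit the expected shape.
sub strict_check {
    my ($id) = @_;
    return $id =~ /\A[\w\-=+\/]+\.\w+\z/ ? $id : '';
}

# Constructed inputs, except the second, which is the advisory's demo value.
my @samples = (
    '8472915.4021',
    '<script>alert(document.cookie)</script>',
    '8472915.4021" extra',
);

for my $raw (@samples) {
    my %form = paranoia_filter(cart_id => $raw, product => '<b>HTML</b>');
    printf "raw cart_id : %s\n", $raw;
    printf "  after f1  : %s (product: %s)\n", $form{cart_id}, $form{product};
    printf "  vendor f2 : '%s'\n", vendor_check($form{cart_id});
    printf "  strict    : '%s'\n\n", strict_check($form{cart_id});
}
```

An empty string in the last two columns means the check cleared cart_id, as the second hook does in the library.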