SecurityTracker
Archives


 


Category:   Application (Commerce)  >   CaupoShop
Vendors:   Caupo.Net
CaupoShop Input Filtering Hole Lets Remote Users Conduct Cross-Site Scripting Attacks to Steal Customer Data (Including Credit Cards) and Manipulate the Items for Sale in the Store
SecurityTracker Alert ID:  1003791
SecurityTracker URL:  http://securitytracker.com/id/1003791
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 12 2002
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.30a and prior
Description:   A vulnerability was reported in the CaupoShop commerce software. A remote user can obtain information about customer orders (including credit card details) and can change items in the store, such as prices.

A remote user can obtain shipping information pertaining to other users and their orders (which can include credit card details), and can add, change or delete items in the store.

When a remote user registers as a new customer, the software does not filter the user-supplied registration fields. A remote user can store JavaScript in any of these fields; it is executed whenever a site administrator views the customer listing in the administration section, which is protected by HTTP authentication. Because the administrator's browser is already authenticated, a payload such as a document.location.href assignment can redirect that browser to any administration page and perform actions with the administrator's privileges, without knowledge of the administrator's password.

Some demonstration proof-of-concept steps are described in the Source Message.
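The stored-XSS sink described above, as an added example (not CaupoShop's own code). It renders a constructed customer record the way a PHP admin listing might: first with the raw value, then after strip_tags() (the approach named in the vendor status further down), then with context-aware escaping via htmlspecialchars(). The record layout, the assumption that the message field is also pre-filled into an edit form's value attribute, and the function names are assumptions for this example; the first payload is the advisory's own proof-of-concept, the second is a constructed attribute-context payload that contains no tags at all.

```php
<?php
// Added example (not CaupoShop code): the same customer-listing sink rendered
// three ways. The record and both payload placements are constructed.

declare(strict_types=1);

// Constructed sample row, shaped like a csc_customer record might be.
// The "message" field carries the advisory's first proof-of-concept payload.
$customer = [
    'id'      => 7,
    'email'   => 'alice@example.com',
    'message' => '<script>document.location.href="http://example.com/caupo/admin/'
               . 'admin_workspace.php?id=7&svTable=csc_customer&bEdit=1&bNew=1'
               . '&saField[password]=newpass&saField[email]=blackhat@example.com'
               . '&btnEdit=1"</script>',
];

// 1. Vulnerable: raw database value copied straight into the admin's HTML.
function render_vulnerable(array $c): string
{
    return "<tr><td>{$c['id']}</td><td>{$c['email']}</td><td>{$c['message']}</td></tr>\n";
}

// 2. Vendor-style fix: strip tags before output. This stops <script>...</script>
//    in a text node, but quotes survive untouched, so the same value placed in
//    an attribute (assumed here: a form field pre-filled for editing) is still
//    injectable without any tag at all.
function render_strip_tags(array $c): string
{
    $msg = strip_tags($c['message']);
    return "<tr><td>{$c['id']}</td><td>" . strip_tags($c['email']) . "</td>"
         . "<td><input name=\"message\" value=\"{$msg}\"></td></tr>\n";
}

// 3. Context-aware escaping: encode for the HTML context the value lands in.
//    ENT_QUOTES also encodes single and double quotes, closing the attribute case.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_escaped(array $c): string
{
    return "<tr><td>" . h((string) $c['id']) . "</td><td>" . h($c['email']) . "</td>"
         . "<td><input name=\"message\" value=\"" . h($c['message']) . "\"></td></tr>\n";
}

// Second constructed record: an attribute-context payload with no tags, which
// strip_tags() passes through unchanged. It breaks out of value="..." and uses
// the advisory's second proof-of-concept URL as the redirect target.
$attrPayload = $customer;
$attrPayload['message'] = '" onfocus="document.location.href=\'http://example.com/caupo/admin/'
    . 'admin_workspace.php?id=1&svTable=csc_article&svDel=YES&btnEdit=1\'" autofocus="';

foreach ([$customer, $attrPayload] as $row) {
    echo "--- vulnerable ---\n", render_vulnerable($row);
    echo "--- strip_tags ---\n", render_strip_tags($row);
    echo "--- escaped ---\n",    render_escaped($row);
}
```

Run with `php` on the command line and compare the three rows: only the escaped variant leaves both records as inert text in every context. Tag stripping on input is not a substitute for encoding on output, because the encoding needed depends on where the value is placed.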

Impact:   A remote user can retrieve information about customers and customer orders. A remote user can change attributes of items for sale in the store.
Solution:   The vendor has released a fixed version (1.30 rc4, 2002-03-09), available at:

http://www.caupo.com/

Vendor URL:  www.caupo.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  PHP and MySQL-based

Message History:   None.


 Source Message Contents

Subject:  CaupoShop: cross-site-scripting bug


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following cross-site-scripting bug in CaupoShop
(and probably in CaupoShopPro):


Details
- -------
Product: CaupoShop (and probably CaupoShopPro)
Version: 1.30a (CaupoShop) and maybe all versions before
OS affected: all OS with php and mysql
Vendor-URL: www.caupo.com, www.caupo.de, www.caupo.ch, www.kirgis.net
Vendor-Status: informed
Security-Risk: high - very high
Remote-Exploit: Yes


Introduction
- ------------
CaupoShop is a php/mysql based shopping system for the web. CaupoShopPro
is the same shop with some enhanced features. Although the software is
really widespread, it suffers from a cross-site-scripting bug, which
leads to disclosure of shipping information of other users (which can
include credit card details). It is also possible to add/change/delete
articles in the shop (e.g. changing prices).


More details
- ------------
When registering as a new customer, none of the inputs is checked for
malicious code. So a possible blackhat is able to insert some javascript
stuff here, which is executed every time the admin takes a look at the
customer listing in the admin area, which is protected by http
authentication. Together with some document.location.href stuff the
blackhat is now able to redirect the admin to any page in the admin
area. Because the admin is already authenticated, the blackhat does not
need to have the admin's password. The redirection makes it possible to
do everything the admin can do, e.g. changing user passwords or articles.


Proof-of-concept
- ----------------
We will give two proof-of-concepts here:
The first will change an existing user record to a new email address
(which is used as the login name) and a new password, so it is possible
for the blackhat to log in as this user and see the shipping details the
user has entered before, which can include valid credit card numbers.

When registering as a new user, enter the following in the message
field, which is the largest field (indeed you can use any of the fields)
(one line):

<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=X&svTable=csc_customer&bEdit=1&bNew=1&saField[password]=newpass&saField[email]=blackhat@example.com&btnEdit=1"</script>

You have to substitute the X with a valid id of a user. This is really
easy to guess, because this id is a normal integer counting up from 1,
so you can just choose any number between 1 and the number of guessed
customers the shop has.


The second proof of concept is deleting an existing article and works
really the same way. You can easily get the article id out of the shop's
html code; in this example we will use the article id 1.

Again register a new user and this time use the following in the
message field (one line):

<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=1&svTable=csc_article&svDel=YES&btnEdit=1"</script>

This will delete the article with id 1 next time the admin takes a look
at his customer listing.


Of course these two examples are easy for an admin to notice,
because when taking a look at his customer listing, he ends up in an
infinite loop (proof-of-concept 1), or he gets a listing of his articles
instead of his customers. So he will realize really fast that something
strange is happening. But together with some more scripting, you can
hide from his eyes for a longer time.


Temporary-fix
- -------------
Admins could disable Javascript, but because there are still other
possibilities to enter malicious code, this will only stop these
proof-of-concepts from working.


Fix
- ---
Use at least CaupoShop v1.30 rc4 (2002-03-09).


Security-Risk
- -------------
Because a possible blackhat could nearly control the whole shop and
because of the disclosure of creditcard numbers and addresses of shop
users we rate the security risk high - very high.


Vendor status
- -------------
Vendor has released a new version, which filters html tags using
strip_tags().


Disclaimer
- ----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or misuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online at:
http://www.ppp-design.de/advisories_show.php?adv=cauposhop__cross-site-scripting_bug.txt


- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: More information: see http://www.gnupg.org

iD8DBQE8jJYQDXh7YLO1RRoRAok/AKDXFoa8qWSfVZSbiVQgDUpDjCCnsQCeITuB
W/AZqmSxRBx2qZmrw+LqJyQ=
=5lp8
-----END PGP SIGNATURE-----
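Both proof-of-concept URLs above rely on admin_workspace.php performing edits and deletions from a plain GET request, authorised only by the admin's existing HTTP-authentication session. The following is an added example (not CaupoShop's code) of a request gate that breaks that chain independently of any input filtering: state-changing parameters are accepted only via POST and only when accompanied by a per-session anti-CSRF token. The parameter names (svTable, svDel, bEdit, bNew, btnEdit, saField) follow the advisory's URLs; the function names, the token storage and the sample requests are assumptions constructed for this example.

```php
<?php
// Added example (not CaupoShop code): gating state-changing admin requests so
// that a redirect issued by injected script in the admin's browser cannot
// edit or delete records. Function names, token handling and the demo
// requests are assumptions; the parameter names come from the advisory.

declare(strict_types=1);

// Per-session token, generated once and kept server-side (e.g. in $_SESSION).
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Does the request try to change data? In the advisory both proof-of-concepts
// are GET requests carrying btnEdit=1 together with bEdit/bNew or svDel.
function is_state_changing(array $params): bool
{
    return isset($params['btnEdit']) || isset($params['svDel'])
        || isset($params['bEdit'])   || isset($params['bNew']);
}

// Returns [allowed, reason]. A browser following a document.location.href
// redirect issues a GET with no body, so it can never pass this check, and a
// cross-site auto-submitted POST cannot know the session token.
function authorize_admin_action(string $method, array $params, array $session): array
{
    if (!is_state_changing($params)) {
        return [true, 'read-only request'];
    }
    if ($method !== 'POST') {
        return [false, 'state-changing request must use POST'];
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($params['csrf_token'] ?? '');
    // hash_equals() compares in constant time.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return [false, 'missing or invalid CSRF token'];
    }
    return [true, 'ok'];
}

// --- demo with constructed requests ---
$session = [];
$token   = issue_csrf_token($session);

$requests = [
    // The advisory's second proof-of-concept, exactly as a redirect would send it.
    ['GET',  ['id' => '1', 'svTable' => 'csc_article', 'svDel' => 'YES', 'btnEdit' => '1']],
    // Same action via POST but without the token (e.g. an auto-submitted form).
    ['POST', ['id' => '1', 'svTable' => 'csc_article', 'svDel' => 'YES', 'btnEdit' => '1']],
    // Legitimate edit from the admin UI, carrying the session token.
    ['POST', ['id' => '7', 'svTable' => 'csc_customer', 'bEdit' => '1', 'btnEdit' => '1',
              'saField' => ['email' => 'alice@example.com'], 'csrf_token' => $token]],
    // Plain listing request: no state change, so no token is required.
    ['GET',  ['svTable' => 'csc_customer']],
];

foreach ($requests as [$method, $params]) {
    [$ok, $why] = authorize_admin_action($method, $params, $session);
    printf("%-4s %-70s => %s (%s)\n",
        $method, http_build_query($params), $ok ? 'ALLOW' : 'DENY', $why);
}
```

Run with `php` on the command line: the two proof-of-concept shaped requests are denied, the tokenised POST is allowed, and the listing request passes untouched. The token must be emitted into the admin's own forms by the server and never be readable from a URL, otherwise a redirect could simply carry it along.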



Copyright 2022, SecurityGlobal.net LLC