SecurityTracker.com
Category:   Application (Commerce)  >   SunShop Shopping Cart
Vendors:   Turnkeywebtools.com
SunShop Shopping Cart Lack of Input Filtering Lets Remote Users Conduct Cross-Site Scripting Attacks Against SunShop Site Administrators
SecurityTracker Alert ID:  1004038
SecurityTracker URL:  http://securitytracker.com/id/1004038
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 15 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.5, possibly prior versions
Description:   A vulnerability has been reported in the SunShop Shopping Cart system. A remote user can conduct cross-site scripting attacks against SunShop administrators to remotely invoke administrative actions.

It is reported that the software does not filter user-supplied input in several instances, including when registering a new customer. A remote user could insert malicious JavaScript so that, when a SunShop site administrator views the customer listing in the administration area, the administrator's web browser could be redirected to other administrator pages and take actions as the administrator. The administrative pages are protected by HTTP authentication, and the administrator's browser is already authenticated, so the JavaScript can take any actions as the administrator without having to authenticate.

As a demonstration, enter the following name when registering as a new customer, then go to the administrative pages and view the customer list, which causes a dialog box to pop up:

blackhat<script>alert('ouch')</script>
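
The flaw class described above, as an added PHP illustration (not SunShop code, and not the vendor's 2.6 fix): a customer listing that writes the stored name into the page unchanged, beside one that HTML-encodes it at output time, plus a registration-time check as defence in depth. All function names and the sample rows are hypothetical and constructed for this example.

```php
<?php
// Added illustration only; function names are hypothetical, not SunShop's.

// Constructed sample rows, standing in for the customer table.
$customers = [
    ['id' => 1, 'name' => 'Alice Example'],
    // The name used in the advisory's demonstration:
    ['id' => 2, 'name' => "blackhat<script>alert('ouch')</script>"],
];

// Encode a stored value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored input is concatenated into markup unchanged,
// so the browser of whoever views the listing parses it as HTML.
function render_row_unsafe(array $c): string
{
    return '<tr><td>' . $c['id'] . '</td><td>' . $c['name'] . "</td></tr>\n";
}

// Hardened pattern: every stored field is encoded when it is written out.
function render_row_safe(array $c): string
{
    return '<tr><td>' . (int) $c['id'] . '</td><td>' . h($c['name']) . "</td></tr>\n";
}

// Defence in depth at registration: allow letters, marks, digits, spaces
// and a few punctuation characters only; markup characters are rejected.
function is_acceptable_name(string $name): bool
{
    return (bool) preg_match('/\A[\p{L}\p{M}\p{N} .,\'-]{1,64}\z/u', $name);
}

foreach ($customers as $c) {
    echo 'unsafe:   ', render_row_unsafe($c);
    echo 'safe:     ', render_row_safe($c);
    echo 'accepted: ', is_acceptable_name($c['name']) ? 'yes' : 'no', "\n";
}
```

Output encoding is the control that closes the hole; the registration check only narrows what reaches the database and should not be relied on alone.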

Impact:   A remote user can conduct cross-site scripting attacks against SunShop administrators to invoke any action that the administrator can perform.
Solution:   The vendor has released a fixed version (2.6). For information on upgrading, contact the vendor at:

http://www.turnkeywebtools.com/index.php?location=support


Vendor URL:  www.turnkeywebtools.com/products.php?product=sunshop
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  SunShop: cross-site-scripting bug


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following cross-site-scripting bug in SunShop
Shopping Cart:


Details
- -------
Product: SunShop Shopping Cart
Version: 2.5 and maybe all versions before
OS affected: all OS with php and mysql
Vendor-URL: http://www.turnkeywebtools.com
Vendor-Status: informed, patched
Security-Risk: high - very high
Remote-Exploit: Yes


Introduction
- ------------
SunShop is a php/mysql based shopping system. Because it is a commercial
solution ($99.99) we could not have a look into the source code. All
impacts are tested in a demo shop on their website. SunShop is suffering
a cross-site-scripting bug because none of the user inputs seems to be
checked for malicious code.


More details
- ------------
When registering as a new customer, none of the inputs is checked for
malicious code. So a possible blackhat is able to insert some javascript
stuff here, that is executed every time the admin takes a look at the
customer listing in the admin area, which is protected by http
authentication. Together with some document.location.href stuff the
blackhat is now able to redirect the admin to any page in the admin
area. Because the admin is already authenticated, the blackhat does not
need to have the admin's password. The redirection makes it possible to
do everything the admin can do, e.g. generating new coupons.


Proof-of-concept
- ----------------
Enter the following name when registering as a new customer:

blackhat<script>alert('ouch')</script>

When the admin takes a look into his customer listing, the javascript
code gets executed. Together with some more document.location.href the
blackhat is able to do anything the admin can.


Temporary fix
- -------------
We do not have the source code, so we cannot suggest any temporary fix.


Fix
- ---
Use the latest version.


Security-Risk
- -------------
Because a possible blackhat could nearly control the whole shop we rate
the security risk high - very high.


Vendor status
- -------------
We have informed the vendor and he reacted very quickly. According to
his statement the bug is now fixed.


Disclaimer
- ----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design cannot be held responsible for the
use or misuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online at:
http://www.ppp-design.de/advisories.php



- --
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE8t/gFDXh7YLO1RRoRAk/dAKDHX5fWvI3hNGy8J/1L1xYg+OsevwCfcZPo
ycgsyRswKpqPSGOreISZw1k=
=qEN8
-----END PGP SIGNATURE-----


 
 



Copyright 2020, SecurityGlobal.net LLC