MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1

Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID: 22471
Secunia: SA18519
BID: 16259
##########################################################

1- includes/functions.inc.php
2- index.php: fix params 'act' and 'searchStr'
3- fix 'catId' param in includes/content/viewCat.inc.php
4- fix 'productId' param in includes/content/viewProd.inc.php
5- cart.php: fix params 'act' and 'searchStr'
6- fix 'docId' param in includes/content/viewDoc.inc.php
7- fix 'act', 'username', 'password', 'remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST in includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################

Open includes/functions.inc.php and look for this code, around line 82:
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

// strip parentheses. The pattern as originally printed, "/(\)/si", is not a
// valid regex (unbalanced group) and would make preg_replace() return NULL;
// stripping "(" and ")" is the assumed intent.
$text = preg_replace("/[()]/si", "", $text);
// drop any HTML/PHP tags
$text = strip_tags($text);
// drop the characters that can break out of quotes or open a tag
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}
---------------------------------------------------------

If your copy of the function differs from this, replace it with the code above.

#########################################
2- index.php: fix params 'act' and 'searchStr'
#########################################

Open index.php; at line 90 you have this for the 'act' param:

------------------------------
if(isset($_GET['act'])){
switch ($_GET['act']) {

-----------------------------------------

Change it to this:

-------------------------------------------

if(isset($_GET['act'])){
// sanitise inside the isset() so the check stays meaningful and no notice is raised when the param is absent
$_GET['act'] = treatGet($_GET['act']);
switch ($_GET['act']) {
---------------------------------------------------

Open index.php; at line 80 you have this for the 'searchStr' param:

-----------------------------------------------------

if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
-------------------------------------------------------

Change it to this:

--------------------------------------------

if(isset($_GET['searchStr'])){
// sanitise once, then the cleaned value is used everywhere below
$_GET['searchStr'] = treatGet($_GET['searchStr']);
$body->assign("SEARCHSTR",$_GET['searchStr']);
--------------------------------------------------

#######################################################
3- fix 'catId' param in includes/content/viewCat.inc.php
#######################################################

To fix the 'catId' param, open includes/content/viewCat.inc.php and find this code at line 50:

--------------------------------------------------
if(isset($_GET['catId'])) {

----------------------------------------

Change it to this:
-----------------------------------------

if(isset($_GET['catId'])) {
// sanitise inside the isset() so the check stays meaningful
$_GET['catId'] = treatGet($_GET['catId']);

-----------------------------------------

###################################################
4- fix 'productId' param in includes/content/viewProd.inc.php
####################################################

At line 38 you have:

--------------------------------------------------

// query database
$query = "SELECT productId, productCode, quantity, name, description, image,

-----------------------------------------------------------------

Change it to this:

------------------------------------------------------
// query database
// sanitise the id before it reaches the query; the isset() avoids a notice when the param is absent
if(isset($_GET['productId'])) {
$_GET['productId'] = treatGet($_GET['productId']);
}
$query = "SELECT productId, productCode, quantity, name, description, image,

---------------------------------------------------------------------

##############################################
5- cart.php: fix params 'act' and 'searchStr'
##############################################

Open cart.php; to fix the 'act' param, look for this code:

-------------------------------------------
// START MAIN CONTENT
switch ($_GET['act']) {
--------------------------------------------

Replace it with this:

---------------------------------------------

// START MAIN CONTENT
// sanitise 'act' before the switch; the isset() avoids a notice when the param is absent
if(isset($_GET['act'])) {
$_GET['act'] = treatGet($_GET['act']);
}
switch ($_GET['act']) {
----------------------------------------------

Around line 69 you have:
--------------------------------
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",$_GET['searchStr']);

------------------------------------------

Change it to:

------------------------------------------

if(isset($_GET['searchStr'])){
// sanitise once inside the isset(), then assign the cleaned value
$_GET['searchStr'] = treatGet($_GET['searchStr']);
$body->assign("SEARCHSTR",$_GET['searchStr']);
---------------------------------------------

#######################################################
6- fix 'docId' param in includes/content/viewDoc.inc.php
#######################################################

Insert this code at line 36:
--------------------------------------
// sanitise 'docId' only when it is present, so no notice is raised otherwise
if(isset($_GET['docId'])) {
$_GET['docId'] = treatGet($_GET['docId']);
}
------------------------------------------

#######################################################
7- fix 'act', 'username', 'password', 'remember' and
'redir' params in includes/content/login.inc.php
#######################################################

Insert these lines at line 35:
---------------------------------------------------------

// sanitise each param only when it is present, so no notice is raised otherwise
if(isset($_GET['act'])) {
$_GET['act'] = treatGet($_GET['act']);
}
if(isset($_POST['username'])) {
$_POST['username'] = treatGet($_POST['username']);
}
if(isset($_POST['password'])) {
$_POST['password'] = treatGet($_POST['password']);
}
-----------------------------------------------------------

To fix the 'redir' param, insert this code after line 52 (the commented line shown first):

---------------------------------------------
//"login","reg","unsubscribe","forgotPass"
// sanitise 'redir' only when it is present
if(isset($_GET['redir'])) {
$_GET['redir'] = treatGet($_GET['redir']);
}
-------------------------------------------------------------

To fix the 'remember' param, insert this code at line 52:

---------------------------------------------

// sanitise 'remember' only when the checkbox was posted
if(isset($_POST['remember'])) {
$_POST['remember'] = treatGet($_POST['remember']);
}

-------------------------------------------------


######################################
8- fix 'productId' and $_POST in
includes/content/tellafriend.inc.php
######################################

Open includes/content/tellafriend.inc.php and add this code after line 35 to fix the 'productId' param:

------------------------------

// query database
// sanitise 'productId' only when it is present
if(isset($_GET['productId'])) {
$_GET['productId'] = treatGet($_GET['productId']);
}

-------------------------------------------------------

To fix XSS in all the form fields when the form is posted, look around line 58, where you have this:

$text = sprintf($lang['front']['tellafriend']['email_body'],$_POST['recipName'],stripslashes($_POST['message']),$GLOBALS['storeURL'],$_GET['productId'],$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);

Change it to this:
----------------------------------------------------

$text = sprintf($lang['front']['tellafriend']['email_body'],
treatGet($_POST['recipName']),
stripslashes(treatGet($_POST['message'])),
$GLOBALS['storeURL'],
treatGet($_GET['productId']),
$GLOBALS['storeURL'],
$_SERVER['REMOTE_ADDR']);

------------------------------------------------------
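The whole procedure above is one pattern: define treatGet() once (step 1) and apply it to each request parameter before use (steps 2 to 8). The following stand-alone script is an added example, not CubeCart's code and not from the original post. It runs a treatGet() of the same shape against constructed inputs so you can see exactly what survives the filter, wraps the per-parameter application in a helper, and shows the other half of an XSS defence that the fix does not cover: encoding at the point where the value is written into HTML. The names treatRequest() and encodeForHtml() are invented for this example, and the parenthesis-stripping regex is the assumed intent of the page's unbalanced pattern.

```php
<?php
// Added example (not CubeCart's own code). Exercises the treatGet() filter
// from step 1 against constructed inputs and contrasts it with output
// encoding. Helper names below are hypothetical.

// Same filter as step 1. The regex strips parentheses; the page's own
// pattern is unbalanced, so this is the assumed intent.
function treatGet($text) {
    $text = preg_replace("/[()]/si", "", $text);
    $text = strip_tags($text);
    $text = str_replace(array("'", "\"", ">", "<", "\\"), "", $text);
    return $text;
}

// Apply treatGet() in place to the expected keys of a request array, but only
// when they are present, so later isset() checks in the page code still work.
function treatRequest(array &$vars, array $keys) {
    foreach ($keys as $k) {
        if (isset($vars[$k])) {
            $vars[$k] = treatGet($vars[$k]);
        }
    }
}

// Output encoding for the HTML body / attribute context: the value keeps its
// characters, but the browser can no longer interpret them as markup.
function encodeForHtml($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: two XSS-style values, a non-numeric id, and a
// legitimate search string that the filter also mangles.
$samples = array(
    'searchStr' => "<script>alert('x')</script>",
    'act'       => 'view"><img src=x onerror=alert(1)>',
    'productId' => "12<b>x</b>",
    'legit'     => "O'Reilly (2nd ed.)",
);

$get = $samples;
treatRequest($get, array('searchStr', 'act', 'productId', 'legit'));

foreach ($samples as $k => $raw) {
    printf("%-10s raw:      %s\n", $k, $raw);
    printf("%-10s treatGet: %s\n", $k, $get[$k]);
    printf("%-10s encoded:  %s\n\n", $k, encodeForHtml($raw));
}

// For ids that are only ever numeric (productId, catId, docId) a cast is a
// stronger check than character stripping: "12x" becomes 12, and anything
// non-numeric becomes 0.
printf("productId as int: %d\n", (int) $get['productId']);
```

Two things the output makes visible. First, treatGet() is a blacklist: it removes quotes, angle brackets, backslashes and tags, so the script and attribute payloads collapse to harmless text, but it also turns "O'Reilly (2nd ed.)" into "OReilly 2nd ed.", which is a functional regression for a search box. Second, encodeForHtml() keeps the legitimate value intact while still neutralising the payloads, which is why escaping at the template (here, $body->assign) is the more durable fix; treatGet() at the entry points is a quick mitigation that a site can deploy without touching every template. For the numeric ids, the cast at the end is the check a reviewer would want before the value reaches the SQL query shown in step 4.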

##########################
9- THANKS
##########################

I want to thank all those who believe in me.
To OSVDB (http://www.osvdb.org) for its excellent work.
To all Manglers and Moderators of OSVDB who believe in this project and work for it :)))
To Secunia (http://www.secunia.com) for its verification, publication and follow-up of my work, and to SecurityFocus (http://www.securityfocus.com),
like all those who take care that my work is distributed by different means.
Thanks to all those who are still there and all those who no longer are.