MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1

Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################

1- includes/functions.inc.php
2- index.php fix params 'act' and 'searchStr'
3- fix 'catId' param includes/content/viewCat.inc.php
4- fix 'productId' param open includes/content/viewProd.inc.php
5- cart.php fix params 'act' and 'searchStr'
6- fix param 'docId' includes/content/viewDoc.inc.php
7- fix 'act', 'username', 'password', 'remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################

Open includes/functions.inc.php and look for this code around line 82:
-------------------------------------------------------
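//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

	// remove <script ... script> blocks (pattern reconstructed: the tag text
	// between the parentheses did not survive on this page)
	$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
	// remove any remaining HTML/PHP tags
	$text = strip_tags($text);
	// remove quotes, angle brackets and backslashes
	$text = str_replace(array("'","\"",">","<","\\"), "", $text);
	return $text;

}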
---------------------------------------------------------

If your code differs from this, replace it with this.

#########################################
2- index.php param 'act' and 'searchStr'
#########################################

Open index.php; at line 90 you have this for the 'act' param:

------------------------------
if(isset($_GET['act'])){
switch ($_GET['act']) {

-----------------------------------------

You can change it to this:

-------------------------------------------

if(isset($_GET['act'])){
// sanitize only when the parameter is present, so isset() keeps its meaning
$_GET['act'] = treatGet($_GET['act']);
switch ($_GET['act']) {
---------------------------------------------------

In index.php, at line 80, you have this for the 'searchStr' param:

-----------------------------------------------------

if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
-------------------------------------------------------

You can change it to this:

--------------------------------------------

if(isset($_GET['searchStr'])){
// sanitize only when the parameter is present, so isset() keeps its meaning
$_GET['searchStr'] = treatGet($_GET['searchStr']);
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
--------------------------------------------------

#######################################################
3- fix 'catId' param includes/content/viewCat.inc.php
#######################################################

To fix the 'catId' param, open includes/content/viewCat.inc.php.

Find this code at line 50:

--------------------------------------------------
if(isset($_GET['catId'])) {

----------------------------------------

Change it to this:
-----------------------------------------

if(isset($_GET['catId'])) {
// sanitize only when the parameter is present, so isset() keeps its meaning
$_GET['catId'] = treatGet($_GET['catId']);

-----------------------------------------

###################################################
4- fix 'productId' param includes/content/viewProd.inc.php
####################################################

At line 38 you have:

--------------------------------------------------

// query database
$query = "SELECT productId, productCode, quantity, name, description, image,

-----------------------------------------------------------------

You can change it to this:

------------------------------------------------------
// query database
$_GET['productId'] = treatGet($_GET['productId']);
$query = "SELECT productId, productCode, quantity, name, description, image,

---------------------------------------------------------------------

##############################################
5- cart.php fix params 'act' and 'searchStr'
##############################################

Open cart.php. To fix the 'act' param, find this code:

-------------------------------------------
// START MAIN CONTENT
switch ($_GET['act']) {
--------------------------------------------

Replace it with this:

---------------------------------------------

// START MAIN CONTENT
$_GET['act'] = treatGet($_GET['act']);
switch ($_GET['act']) {
----------------------------------------------

Around line 69 you have:
--------------------------------
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",$_GET['searchStr']);

------------------------------------------

You can change it to:

------------------------------------------

if(isset($_GET['searchStr'])){
// sanitize only when the parameter is present, so isset() keeps its meaning
$_GET['searchStr'] = treatGet($_GET['searchStr']);
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
---------------------------------------------

#######################################################
6- fix param 'docId' includes/content/viewDoc.inc.php
#######################################################

Insert this line at line 36:
--------------------------------------
$_GET['docId'] = treatGet($_GET['docId']);
------------------------------------------

#######################################################
7- fix 'act' , 'username' ,'password','remember' and
'redir' params in includes/content/login.inc.php
#######################################################

Insert these lines at line 35:
---------------------------------------------------------

$_GET['act'] = treatGet($_GET['act']);
$_POST['username'] = treatGet($_POST['username']);
$_POST['password'] = treatGet($_POST['password']);
-----------------------------------------------------------

To fix the 'redir' param, insert this line after line 52:

---------------------------------------------
//"login","reg","unsubscribe","forgotPass"
$_GET['redir'] = treatGet($_GET['redir']);
-------------------------------------------------------------

To fix the 'remember' param, insert this code at line 52:

---------------------------------------------

$_POST['remember'] = treatGet($_POST['remember']);

-------------------------------------------------


######################################
8- fix 'productId' and $_POST
includes/content/tellafriend.inc.php
######################################

Open includes/content/tellafriend.inc.php.

Add this line after line 35 to fix the 'productId' param:

------------------------------

// query database
$_GET['productId'] = treatGet($_GET['productId']) ;

-------------------------------------------------------

To fix XSS in all form fields on POST,
around line 58 you have this:

$text = sprintf($lang['front']['tellafriend']['email_body'],$_POST['recipName'],stripslashes($_POST['message']),$GLOBALS['storeURL'],$_GET['productId'],$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);



You can change it to this:
----------------------------------------------------

$text = sprintf($lang['front']['tellafriend']['email_body'],treatGet($_POST['recipName']),stripslashes(treatGet($_POST['message'])),$GLOBALS['storeURL'],treatGet($_GET['productId']),$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);

------------------------------------------------------
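
An added example (not from the original post and not CubeCart code): it runs treatGet() from step 1 on constructed values and sets a context-specific check beside it for the ids, 'act' and 'searchStr' parameters patched above. cleanId(), cleanAct(), htmlOut(), the allow-list and every sample value are hypothetical.

```php
<?php
// Added example, not CubeCart code. treatGet() is the function from step 1;
// cleanId(), cleanAct(), htmlOut() and all sample values are hypothetical.

function treatGet($text){
    $text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
    $text = strip_tags($text);
    $text = str_replace(array("'","\"",">","<","\\"), "", $text);
    return $text;
}

// Numeric ids (catId, productId, docId): accept digits only, else 0.
function cleanId($value){
    return (is_string($value) && ctype_digit($value)) ? (int)$value : 0;
}

// 'act' picks a switch branch: accept only names on an allow-list.
function cleanAct($value, array $allowed, $default){
    return in_array($value, $allowed, true) ? $value : $default;
}

// Free text (searchStr): keep the text, encode it when writing HTML.
function htmlOut($value){
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Constructed request values, as they could arrive in $_GET / $_POST.
$productId = '12<b>x</b>';
$act       = 'nosuchpage<b>';
$searchStr = 'Tom & Jerry\'s "best" <i>DVD</i>';
$password  = 'p<a>ss\'w"ord\\1';
$allowed   = array('login', 'reg', 'unsubscribe', 'forgotPass');

printf("productId  treatGet: %-12s cleanId: %d\n", treatGet($productId), cleanId($productId));
printf("act        treatGet: %-12s cleanAct: %s\n", treatGet($act), cleanAct($act, $allowed, 'login'));
printf("searchStr  treatGet: %s\n", treatGet($searchStr));
printf("searchStr  htmlOut : %s\n", htmlOut($searchStr));
// treatGet() changes the password before it is compared or hashed.
printf("password   treatGet: %s\n", treatGet($password));
```

treatGet() hands back a cleaned but still unexpected value for the id and for 'act', and it silently alters the search text and the password. The type check and allow-list reject those inputs outright, and the encoder leaves the data intact.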

##########################
9- THANKS
##########################

I want to thank all those who believe in me.
To OSVDB (http://www.osvdb.org) for its excellent work.
To all manglers and moderators of OSVDB; they believe in this project and they work for it :)))
To Secunia (http://www.secunia.com) for its verification, publication and follow-up of my work, to SecurityFocus (http://www.securityfocus.com),
and to all those who take care that my work is distributed by different means.
Thanks to all those who are still here and all those who no longer are.
