DHCart Multiple variable XSS and stored XSS

Tuesday, November 04, 2008
###########################################
DHCart Multiple variable XSS and stored XSS
Vendor URL: http://www.dhcart.com/
Advisory: http://lostmon.blogspot.com/2008/11/dhcart-multiple-variable-xss-and-stored.html
Vendor notified: YES   Exploit: YES   Patch: YES
###########################################

DHCart is a PHP-based application that provides a simple-to-use
shopping cart for users purchasing domain names and hosting
services.

DHCart is proven vulnerable to cross-site scripting (XSS) and
stored cross-site scripting.

################
Solution
###############

The vendor has reported that the latest version of DHCart is
3.86 and that no security bugs remain after v3.85.

#############
See this PoC:

http://Victim/order.php?dhaction=check&submit_domain=Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&ext1=on

or

http://Victim/order.php?dhaction=add&d1=lalalalasss%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=0&h1=1&addtocart1=on&n=3

In this case the XSS is exploitable via the URL, and the injected
value is also stored in the cart: when the user goes to view his
cart, the script is executed again (stored XSS).

Vulnerable code:

Around line 93 of the config.php file we find:

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;

This is vulnerable because $value is returned to the user without being sanitized.

I have fully patched it: add a function to filter variables and apply this filter to the $value variable.


///////////////////////////////////////////////////////////////////////////
// Code below this point should not need modifying. Do so at your own risk!
///////////////////////////////////////////////////////////////////////////

// Strip the characters an XSS payload depends on from a string, or from
// every element of an array: "()" sequences, HTML tags, quotes, angle
// brackets and backslashes.
function StopXSS($text)
{
    if (!is_array($text))
    {
        $text = preg_replace("/\(\)/si", "", $text);
        $text = strip_tags($text);
        $text = str_replace(array("'", "\"", ">", "<", "\\"), "", $text);
    }
    else
    {
        // Recurse so that nested arrays are filtered as well.
        foreach ($text as $k => $t)
        {
            $text[$k] = StopXSS($t);
        }
    }
    return $text;
}

// Patched line 93: every GET parameter passes through StopXSS() before it
// is assigned to a variable.
if (!empty($HTTP_GET_VARS)) while (list($name, $value) = each($HTTP_GET_VARS)) $$name = StopXSS($value);
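The following PHP is added here as an illustration and is not DHCart's own code. It re-creates the flow that the PoC URLs and the vulnerable config.php line describe, using the advisory's second payload as a constructed request, and puts a hardened version beside it: import only an explicit list of parameters (the `$$name = $value` pattern also lets a request define or overwrite any global variable, which a character filter cannot address), reject domain labels that are not valid instead of stripping characters from them, and HTML-encode at the point of output with htmlspecialchars(). Function names, the cart layout and the parameter list are assumptions.

```php
<?php
// Added example, not DHCart's code: the advisory's import pattern and cart flow
// re-created with a constructed request, beside a hardened form. Function
// names, the cart layout and the parameter list are assumptions.

// Constructed request: the advisory's second PoC with its parameters URL-decoded.
$constructedGet = [
    'dhaction'   => 'add',
    'd1'         => 'lalalalasss"><script>alert(1)</script>',
    'x1'         => '.com',
    'r1'         => '0',
    'h1'         => '1',
    'addtocart1' => 'on',
    'n'          => '3',
];

// ---- Vulnerable flow: mirrors config.php line 93 and a cart that echoes input ----

// Every request key becomes a variable, unfiltered (stands in for $$name = $value).
function vulnerableImport(array $get): array
{
    $vars = [];
    foreach ($get as $name => $value) {
        $vars[$name] = $value;
    }
    return $vars;
}

// The domain is stored exactly as received, so the payload persists in the cart.
function vulnerableAddToCart(array &$cart, array $vars): void
{
    $cart[] = ['domain' => $vars['d1'], 'ext' => $vars['x1']];
}

// The cart view concatenates stored values into HTML: the stored XSS fires here.
function vulnerableRenderCart(array $cart): string
{
    $html = '';
    foreach ($cart as $item) {
        $html .= '<li>' . $item['domain'] . $item['ext'] . '</li>';
    }
    return $html;
}

// ---- Hardened flow: explicit parameter list, validation, output encoding ----

const ALLOWED_PARAMS = ['dhaction', 'd1', 'x1', 'r1', 'h1', 'addtocart1', 'n'];

// Import only the named parameters; a request cannot define other variables.
function hardenedImport(array $get): array
{
    $vars = [];
    foreach (ALLOWED_PARAMS as $name) {
        if (isset($get[$name]) && is_string($get[$name])) {
            $vars[$name] = $get[$name];
        }
    }
    return $vars;
}

// A domain label is letters, digits and hyphens only: reject, do not strip.
function isValidDomainLabel(string $label): bool
{
    return (bool) preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $label);
}

function hardenedAddToCart(array &$cart, array $vars): bool
{
    $label = $vars['d1'] ?? '';
    $ext   = $vars['x1'] ?? '';
    if (!isValidDomainLabel($label) || !preg_match('/^\.[a-z]{2,24}$/i', $ext)) {
        return false; // refuse invalid input instead of silently rewriting it
    }
    $cart[] = ['domain' => $label, 'ext' => $ext];
    return true;
}

// Encode at the point of output, whatever the stored value contains.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hardenedRenderCart(array $cart): string
{
    $html = '';
    foreach ($cart as $item) {
        $html .= '<li>' . esc($item['domain'] . $item['ext']) . '</li>';
    }
    return $html;
}

// ---- Run both flows against the constructed request ----
$cart = [];
vulnerableAddToCart($cart, vulnerableImport($constructedGet));
echo "vulnerable cart view: ", vulnerableRenderCart($cart), "\n";

$cart = [];
$accepted = hardenedAddToCart($cart, hardenedImport($constructedGet));
echo "hardened add accepted: ", var_export($accepted, true), "\n";

// A value stored before the fix is still neutralised by encoding on output.
$legacyCart = [['domain' => $constructedGet['d1'], 'ext' => '.com']];
echo "hardened view of legacy cart: ", hardenedRenderCart($legacyCart), "\n";
```

Run it with the php command-line interpreter. The vulnerable view emits the script tag verbatim; the hardened path refuses the payload when it is added to the cart and, for anything that already sits in the cart from before the fix, turns quotes and angle brackets into entities on output, so the stored copy can no longer execute. Validation plus output encoding is the combination to rely on: a strip-style filter such as StopXSS() removes the characters the PoC uses but leaves the application depending on every future output path never reintroducing them.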

######################End##################
--
Thnx to estrella for being my light
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
Thnx To Climbo


--
Sincerely:
Lostmon (lostmon@gmail.com)

Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what keeps the mind moving....