###########################################
DHCart Multiple variable XSS and stored XSS
Vendor URL:http://www.dhcart.com/
Advisore:http://lostmon.blogspot.com/
2008/11/dhcart-multiple-variable-xss-and-stored.html
vendor notify:YES Exploit:YES Patch:YES
###########################################
DHCart is a PHP based application that provides a simple
to use shopping cart for users purchasing domain names
and hosting services.
DHCart is prove vulnerable to Cross site scripting and
stored cross-site scripting.
################
Solution
###############
The vendor has reported that latest version of
DHCart is 3.86 and there is no any security bug
after v3.85.
#############
see this PoC
http://Victim/order.php?dhaction=check&submit_domain=
Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2F
script%3E&ext1=on
or
http://Victim/order.php?dhaction=add&d1=lalalalasss
%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=
0&h1=1&addtocart1=on&n=3
in this case the xss is exploitable via url , and it's stored
in the cart, wen the users goes to look his cart the xss
is executed again (stored XSS)
Vulnerable code:
arround line 93 in config.php file we found:
if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;
this is vulnerable because $value is returned to the users without sanitize.
i have fully pached ... add a function to filter variables and apply this filter to $value variable.
///////////////////////////////////////////////////////////////////////////
// Code below this point should not need modifying. Do so at your own risk!
///////////////////////////////////////////////////////////////////////////
function StopXSS($text)
{
if(!is_array($text))
{
$text = preg_replace("/\(\)/si", "", $text);
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
}
else
{
foreach($text as $k=>$t)
{
$t = preg_replace("/\(\)/si", "", $t);
$t = strip_tags($t);
$t = str_replace(array("'","\"",">","<","\\"), "", $t);
$text[$k] = $t;
}
}
return $text;
}
if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = StopXSS($value);
######################€nd##################
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
Thnx To Climbo
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)