nopCommerce 3.70 Cross Site Scripting

2016-08-15T00:00:00
ID PACKETSTORM:138340
Type packetstorm
Reporter Tal Argoni
Modified 2016-08-15T00:00:00

Description

                                        
Security Advisory  
CVE-ID: N/A  
Topic: Reflected Cross Site Scripting (XSS) vulnerability in the "successful registration" page  
Class: Input Validation  
Severity: Medium  
Discovery: 2016-04-28  
Vendor Notification: 2016-04-28  
Vendor response: 2016-05-30  
Vendor Patch: 2016-05-31  
Public Announced: 2016-08-15  
Credits: Tal Argoni, CEH from Triad Security [http://www.triadsec.com/]  
Affects: nopCommerce (open-source, free e-commerce solution) 3.70  
Resolved: Version 3.80  
  
I. Background  
nopCommerce is an open-source e-commerce shopping cart web application written in ASP.NET MVC. After an anonymous user registers successfully, the application returns a "successful registration" page with a "continue to the shop" button. The redirect target behind that button is taken from the user-supplied returnurl parameter and echoed to the browser without output encoding.  
  
II. Problem Description  
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. The injected code is not stored within the application itself; it only affects users who open a maliciously crafted link or a third-party web page that issues the crafted request. The attack string is included in the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim's browser, where it runs in the origin of the vulnerable site.  
Exploit code/PoC:  
http://VulnopCommerce/registerresult/1?returnurl=%2fcustomer%2finfo'%3balert("hacked+by+triad+security")%3b%2f%2f  
URL-decoded, the returnurl value is /customer/info';alert("hacked by triad security");// : the single quote closes the JavaScript string literal the value is written into, the semicolon ends that statement, the alert() call is the injected statement, and the trailing // comments out the remainder of the original line so the script stays syntactically valid.  
  
III. Impact  
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.  
IV. Workaround  
You can work around this problem by doing the following:  
1. Encode user-supplied data at every point where it is copied into application responses, using the encoding for the context it lands in: HTML-encode values written into HTML text or attributes, and additionally JavaScript-string-encode values written into a script block or an event-handler attribute, because the browser decodes HTML entities in an attribute before the script in it runs.  
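The following Python script is an added example and not nopCommerce code; it reproduces the pattern behind the PoC so the fix can be checked offline. It assumes the vulnerable sink was the returnurl value rendered inside a JavaScript string in an onclick event handler, which is consistent with the PoC's use of ' to close the string and // to comment out the rest of the line; the setLocation() handler, the template fragment and all helper names are illustrative assumptions. It shows why HTML encoding alone is the wrong layer for that context (the browser decodes the entities before the script runs) and also why a "local URL" check on its own, which the advisory does not mention but which a redirect parameter normally gets, does not stop this injection: the payload is a relative path, so both context-correct encoding and target validation are needed.

```python
"""Reflected XSS through a redirect parameter rendered into a JavaScript string
inside an HTML event-handler attribute, i.e. the class of sink the advisory
describes.  Added example, not nopCommerce code: the template fragment, the
setLocation() handler and the helper names are assumptions made to illustrate
the context problem and its fix."""
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# The advisory's PoC URL (wrapped across two lines on the page, joined here).
POC_URL = ("http://VulnopCommerce/registerresult/1?returnurl=%2fcustomer%2finfo"
           "'%3balert(\"hacked+by+triad+security\")%3b%2f%2f")


def return_url_from_request(url: str) -> str:
    """Recover the returnurl parameter as a web framework would: percent-decoded,
    with '+' turned into a space."""
    return parse_qs(urlsplit(url).query).get("returnurl", [""])[0]


def render_vulnerable(return_url: str) -> str:
    """Assumed 3.70-style sink: the value is HTML-encoded (as a Razor '@' does)
    but lands inside a JS string in an onclick attribute.  HTML encoding is the
    wrong layer here: the browser decodes the entities before the JS runs."""
    return (f"<input type=\"button\" onclick=\"setLocation('"
            f"{html.escape(return_url, quote=True)}')\" value=\"Continue\" />")


def is_local_url(url: str) -> bool:
    """Open-redirect guard: a single leading '/', no scheme, no host.  Note that
    the PoC payload passes this check, so it is not an XSS fix on its own."""
    parts = urlsplit(url)
    return (not parts.scheme and not parts.netloc
            and url.startswith("/") and not url.startswith("//"))


def render_fixed(return_url: str, fallback: str = "/") -> str:
    """Hardened sink: validate the target, then encode once per context, inner
    context first: JS string literal (json.dumps), then HTML attribute."""
    target = return_url if is_local_url(return_url) else fallback
    js_literal = json.dumps(target)  # quoted, with '"' and '\\' escaped
    return (f"<input type=\"button\" onclick=\"setLocation("
            f"{html.escape(js_literal, quote=True)})\" value=\"Continue\" />")


def handler_as_executed(fragment: str) -> str:
    """What the browser hands to the JS engine: the onclick attribute value
    after HTML entity decoding."""
    match = re.search(r'onclick="([^"]*)"', fragment)
    return html.unescape(match.group(1)) if match else ""


def top_level_semicolons(js: str) -> int:
    """Count ';' outside string literals.  A single setLocation("...") call has
    none; injected extra statements show up as a non-zero count."""
    count, quote, i = 0, None, 0
    while i < len(js):
        ch = js[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    payload = return_url_from_request(POC_URL)
    for name, fragment in (("vulnerable", render_vulnerable(payload)),
                           ("fixed", render_fixed(payload))):
        js = handler_as_executed(fragment)
        print(f"{name:10} -> {js}  (injected statements: {top_level_semicolons(js)})")
```

Running the script prints the handler string the JS engine actually receives in each case: the vulnerable rendering yields setLocation('/customer/info';alert("hacked by triad security");//'), two extra top-level statements, while the fixed rendering yields a single setLocation("...") call whose argument is one string literal with the payload's quotes escaped. The ordering in render_fixed matters: the JS string encoding is applied first because it is the inner context, and the HTML attribute encoding second because that is the layer the browser undoes first.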
  
V. Solution  
Download the vendor patch from http://www.nopcommerce.com .  
Update to version 3.80.  
  
VI. References  
http://www.triadsec.com/  
https://www.linkedin.com/in/talargoni  
https://github.com/nopSolutions/nopCommerce/commit/364091c16bae533a6c00c0f3bd920ed15da25f77  
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  