cubecart-3.0.3.txt

Published 29 Sep 2005. Reported by Lostmon. Source: Packet Storm (packetstormsecurity.com).

CubeCart 3.0.3 XSS vulnerability

################################################  
CubeCart™ 3.0.3 multiple variable cross-site scripting  
Vendor URL: www.cubecart.com  
Bug report: http://bugs.cubecart.com/?do=details&id=363  
Advisory: http://lostmon.blogspot.com/2005/09/cubecart-303-multiple-variable-cross.html  
Vendor confirmed: yes   Exploit available: yes  
Fix available: yes  
################################################  
  
CubeCart contains a flaw that allows a remote cross-site scripting  
attack. The flaw exists because the application does not validate  
several variables (redir and searchStr) submitted to the cart.php and  
index.php scripts: searchStr is echoed back into the page as-is, and  
redir is base64-decoded and then echoed and used as a redirect target  
without encoding. A remote attacker can craft a URL that, when followed  
by a victim, executes arbitrary script in the victim's browser within the  
trust relationship between the browser and the server, leading to a loss  
of integrity.  
  
###############  
VERSIONS  
###############  
CubeCart™ 3.0.3 vulnerable  
CubeCart™ 3.0.4 not vulnerable  
  
  
#################  
Timeline  
#################  
  
Discovered: 24 Sep 2005  
Vendor notified: 24 Sep 2005  
Vendor response: 26 Sep 2005  
Solution: 28 Sep 2005  
  
###############  
Examples:  
###############  
  
([victim] is the target host and [XSS-CODE] a placeholder for the script  
payload. The redir values are the base64 encoding of an in-site URL, which  
reg.inc.php and login.inc.php decode; the first and last examples use it to  
chain into the searchStr and docId pages.)  
  
http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]  
  
http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]  
  
  
http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go  
  
http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]  
  
#############  
SOLUTION  
#############  
  
################################################  
MANUAL FIX  
################################################  
///////////////////////////////////////  
// 1. Open: /includes/content/reg.inc.php  
////////  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 123:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$redir = base64_decode($_GET['redir']);  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$redir = base64_decode(treatGet($_GET['redir']));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 170:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".$_GET['redir']);  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".treatGet($_GET['redir']));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Save, close and upload this file.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
///////////////////////////////////////  
// 2. Open: /includes/content/login.inc.php  
////////  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 55:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
header("Location: ".str_replace("&amp;","&",base64_decode($_GET['redir'])));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
header("Location: ".str_replace("&amp;","&",base64_decode(treatGet($_GET['redir']))));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 74:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$login->assign("VAL_SELF",$_GET['redir']);  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$login->assign("VAL_SELF",treatGet($_GET['redir']));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Save, close and upload this file.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
///////////////////////////////////////  
// 3. Open: /includes/boxes/searchForm.inc.php  
////////  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 40:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$box_content->assign("SEARCHSTR",$_GET['searchStr']);  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Save, close and upload this file.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
///////////////////////////////////////  
// 4. Open: /includes/content/viewCat.inc.php  
////////  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 108:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$searchwords = split ( "[ ,]", $_GET['searchStr']);  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 308:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".$_GET['searchStr']);  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".treatGet($_GET['searchStr']));  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Save, close and upload this file.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
///////////////////////////////////////  
// 5. Open: /includes/functions.inc.php  
////////  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
At around line 25 find:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
| functions.inc.php  
| ========================================  
| Core Frontend Functions   
+--------------------------------------------------------------------------  
*/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Directly under this add:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
//////////////////////////////////  
// treat GET vars stop XSS  
////////  
function treatGet($text){  
  
// drop <script ... script> blocks; /si = dot matches newlines, case-insensitive  
$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");  
// remove any remaining HTML tags  
$text = strip_tags($text);  
// delete quotes, angle brackets and backslashes outright (stripped, not encoded)  
$text = str_replace(array("'","\"",">","<","\\"), "", $text);  
return $text;  
  
}  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
At around line 384 find:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
function currentPage(){  
  
$currentPage = $_SERVER['PHP_SELF'];  
  
if (isset($_SERVER['QUERY_STRING'])) {  
  
$currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);  
  
}  
  
return $currentPage;  
  
}  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace this with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
function currentPage(){  
  
$currentPage = $_SERVER['PHP_SELF'];  
  
if (isset($_SERVER['QUERY_STRING'])) {  
  
$currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));  
  
}  
  
return $currentPage;  
  
}  
  
///////////////////////////////////////  
// 6. Open: /includes/ini.inc.php  
////////  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Find at around line 108:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$ini['ver'] = '3.0.3';  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Replace with:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
$ini['ver'] = '3.0.4';  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Save, close and upload this file.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
// end of manual fix :O)  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
##################### €nd ########################  
  
Thanks to estrella for being my light  
Thanks to all the manglers of http://www.osvdb.org  
  
--  
Sincerely:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
Curiosity is what moves the mind....  
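The following is an added example, written for this page and not code from Lostmon's advisory or from CubeCart. It ports the treatGet() filter from step 5 of the manual fix to Python and runs it against the payloads in the Examples section, so a reader can see what the fix changes at each sink. Assumptions: PHP's strip_tags() is approximated with a regex (sufficient for these inputs), the decoding of redir follows the reg.inc.php and login.inc.php lines quoted in the fix, and is_safe_local_redirect() is a hardening suggestion of our own, not part of the vendor's 3.0.4 fix.

```python
"""Added example: Python port of the advisory's treatGet() filter, exercised
against the advisory's own payloads. Not code from the advisory or CubeCart."""
import base64
import re
from html import escape
from urllib.parse import unquote

# Inputs copied from the advisory's Examples section (searchStr URL-decoded,
# the redir values exactly as they appear in the URLs).
SEARCHSTR_PAYLOAD = unquote("%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")
REDIR_REG = "L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw=="
REDIR_LOGIN = "L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x"


def treat_get(text: str) -> str:
    """Port of treatGet() from step 5 of the manual fix."""
    # 1. drop <script ... script> blocks (PHP /si: dot matches newline, case-insensitive)
    text = re.sub(r"(<script)(.*?)(script>)", "", text, flags=re.S | re.I)
    # 2. strip remaining tags; regex stand-in for PHP strip_tags() (assumption)
    text = re.sub(r"<[^>]*>", "", text)
    # 3. delete quotes, angle brackets and backslashes outright; nothing is encoded
    for ch in ("'", '"', ">", "<", "\\"):
        text = text.replace(ch, "")
    return text


def escape_for_html(text: str) -> str:
    """The encoding alternative: htmlspecialchars($text, ENT_QUOTES) in PHP terms."""
    return escape(text, quote=True)


def encode_redir(path: str) -> str:
    """How a redir value is built: base64 of an in-site URL with & written as &amp;."""
    return base64.b64encode(path.encode("latin-1")).decode("ascii")


def decode_redir(redir: str) -> str:
    """What reg.inc.php and login.inc.php recover from the redir parameter."""
    return base64.b64decode(redir).decode("latin-1")


def login_target(redir: str) -> str:
    """Location target computed in login.inc.php: decode, then turn &amp; back into &."""
    return decode_redir(redir).replace("&amp;", "&")


def fixed_login_target(redir: str) -> str:
    """The same computation after the fix wraps the parameter in treatGet()."""
    return login_target(treat_get(redir))


def is_safe_local_redirect(target: str) -> bool:
    """Suggested hardening (ours, not the vendor's): accept only a site-relative
    path: no scheme, no protocol-relative '//' and no control characters (CR/LF
    must never reach a Location header). It runs on the decoded value, which is
    where treatGet() cannot act because the base64 wrapper hides it."""
    return (target.startswith("/") and not target.startswith("//")
            and not any(ord(c) < 0x20 or c == "\x7f" for c in target))


if __name__ == "__main__":
    print("searchStr payload       :", SEARCHSTR_PAYLOAD)
    print("after treatGet()        :", repr(treat_get(SEARCHSTR_PAYLOAD)))
    print("after htmlspecialchars  :", escape_for_html(SEARCHSTR_PAYLOAD))
    print("reg redir decodes to    :", decode_redir(REDIR_REG))
    print("treatGet() alters redir?:", treat_get(REDIR_REG) != REDIR_REG)
    print("login redir target      :", login_target(REDIR_LOGIN))
```

Three things fall out of running it. On the searchStr sinks (steps 3 and 4) treatGet() reduces the advisory's payload to the single character `=`, because it strips rather than encodes; htmlspecialchars() would have kept the text and still rendered it inert. On the redir sinks, treatGet() applied before base64_decode() is a no-op on any valid base64 string, since the base64 alphabet contains none of the characters it removes, so base64_decode(treatGet(x)) equals base64_decode(x); what actually protects the VAL_ACTION and VAL_SELF echoes is that steps 1 and 2 also run treatGet() on the raw parameter, while the decoded Location target in login.inc.php is best validated as a local path in its own right. Finally, the first example URL decodes to an index.php request carrying a searchStr payload, so it is the searchStr bug reached through the registration redirect, and steps 3 and 4 are what close it.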
