Vulners
Lucene search
cubecart-3.0.3.txt
`################################################
CubeCart 3.0.3 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=363
Advisore:http://lostmon.blogspot.com/2005/09/
cubecart-303-multiple-variable-cross.html
vendor confirmed: yes exploit avalable: yes
Fix available: yes
################################################
CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate some
variables upon submission to cart.php and index.php script
scripts.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss of
integrity.
###############
VERSIONS
###############
CubeCart 3.0.3 vulnerable
CubeCart 3.0.4 not vulnerable
#################
Timeline
#################
Discovered: 24 sep 2005
vendor notify: 24 sep 2005
Vendor response:26 sep 2005
Solution: 28 sep 2005
###############
Examples:
###############
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]
http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go
http://[victim]cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]
#############
SOLUTION
#############
################################################
MANUAL FIX
################################################
///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$redir = base64_decode($_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$redir = base64_decode(treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".$_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
header("Location: ".str_replace("&","&",base64_decode($_GET['redir'])));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
header("Location:
".str_replace("&","&",base64_decode(treatGet($_GET['redir']))));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$login->assign("VAL_SELF",$_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$login->assign("VAL_SELF",treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$box_content->assign("SEARCHSTR",$_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$searchwords = split ( "[ ,]", $_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']."
".$_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']."
".treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| functions.inc.php
| ========================================
| Core Frontend Functions
+--------------------------------------------------------------------------
*/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function currentPage(){
$currentPage = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
return $currentPage;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function currentPage(){
$currentPage = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));
}
return $currentPage;
}
///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ini['ver'] = '3.0.3';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ini['ver'] = '3.0.4';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##################### nd ########################
Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Sep 2005 00:00Current
7.4High risk
Vulners AI Score7.4