
Core Security Technologies Advisory 2010.0406

22 Apr 2010 00:00:00 | Reported by Core Security Technologies | Type: packetstorm | Source: packetstormsecurity.com

CactuShop XSS Vulnerability in Invoices

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| 0day.today | User Invoices Persistent XSS Vulnerability in CactuShop | 21 Apr 2010 00:00 | zdt |
| Circl | CVE-2010-1486 | 21 Apr 2010 00:00 | circl |
| Core Security | User Invoices Persistent XSS Vulnerability in CactuShop | 20 Apr 2010 00:00 | coresecurity |
| Check Point Advisories | CactuShop invoice.asp Cross-Site Scripting (CVE-2010-1486) | 21 Nov 2020 00:00 | checkpoint_advisories |
| CVE | CVE-2010-1486 | 22 Apr 2010 14:00 | cve |
| Cvelist | CVE-2010-1486 | 22 Apr 2010 14:00 | cvelist |
| Exploit DB | CactuShop - User Invoices Persistent Cross-Site Scripting | 21 Apr 2010 00:00 | exploitdb |
| EUVD | EUVD-2010-1513 | 7 Oct 2025 00:30 | euvd |
| exploitpack | CactuShop - User Invoices Persistent Cross-Site Scripting | 21 Apr 2010 00:00 | exploitpack |
| NVD | CVE-2010-1486 | 22 Apr 2010 14:30 | nvd |

`
Core Security Technologies - CoreLabs Advisory  
http://corelabs.coresecurity.com/  
  
User Invoices Persistent XSS Vulnerability in CactuShop  
  
  
1. *Advisory Information*  
  
Title: User Invoices Persistent XSS Vulnerability in CactuShop  
Advisory Id: CORE-2010-0406  
Advisory URL:  
[http://www.coresecurity.com/content/cactushop-xss-persistent-vulnerability]  
Date published: 2010-04-20  
Date of last update: 2010-04-20  
Vendors contacted: Cactusoft International and Cactusoft Ltd.  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: Cross site scripting [CWE-79]  
Impact: Code execution  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE Name: CVE-2010-1486  
Bugtraq ID: 39587  
  
  
3. *Vulnerability Description*  
  
CactuShop [http://www.cactushop.com] is an ASP shopping cart designed  
to provide a powerful base for e-commerce web sites hosted on  
Microsoft Windows web servers. A Cross Site Scripting (XSS)  
vulnerability has been discovered in CactuShop. This vulnerability  
occurs in the file that processes the user invoices ('_invoice.asp').  
A malicious user can abuse this flaw by requesting an invoice  
and thus tricking an admin user into issuing him an invoice.  
  
  
4. *Vulnerable packages*  
  
. CactuShop v6.1.  
. Older versions are probably affected too, but they were not checked.  
  
  
5. *Non-vulnerable packages*  
  
. CactuShop v6.155.  
  
  
6. *Vendor Information, Solutions and Workarounds*  
  
The change made to the file '_invoice.asp' was to use the 'WriteSafe'  
function on lines 88 and 100:  
  
/-----  
87 ...  
88 O_BillingAddress = WriteSafe(replace(O_BillingAddress, vbcrlf & vbcrlf, vbcrlf))  
  
99 ...  
100 O_ShippingAddress = WriteSafe(replace(O_ShippingAddress, vbcrlf & vbcrlf, vbcrlf))  
  
-----/  
This function HTML-encodes any code that an attacker might insert  
into the addresses in order to have it run. This patch was applied to CactuShop v6.155.  
  
  
7. *Credits*  
  
This vulnerability was discovered and researched by 7Safe  
[http://www.7safe.com/].  
  
  
8. *Technical Description / Proof of Concept Code*  
  
A Cross Site Scripting vulnerability has been discovered in the file  
that processes the user invoices: '_invoice.asp'. This occurs when a  
user with a malicious billing address  
('"/><script>alert(1);</script>') requests an invoice and could  
thus trick an admin user into issuing him an invoice.  
  
  
9. *Report Timeline*  
  
. 2010-04-06:  
Core Security Technologies notifies the CactuShop team of two  
vulnerabilities in their software, an XSS vulnerability and a  
SQL-Injection vulnerability. April 19th, 2010, is proposed as a  
release date.  
  
. 2010-04-07:  
The CactuShop team asks Core for a technical description of the  
vulnerabilities.  
  
. 2010-04-07:  
Technical details sent to CactuShop team by Core.  
  
. 2010-04-08:  
The CactuShop team confirms the XSS vulnerability but says they do  
not think the SQL-Injection belongs to CactuShop code; it looks like  
it may be a customer modification.  
  
. 2010-04-09:  
Core agrees that the code with the SQL-Injection vulnerability is  
probably a customer modification.  
  
. 2010-04-12:  
The CactuShop team notifies that they have addressed the XSS problem and will make  
the patch available for registered users from the CactuShop website. The  
release version of CactuShop will be v6.155.  
  
. 2010-04-19:  
Core notifies that the advisory will be released tomorrow (2010-04-20).  
  
. 2010-04-20:  
The advisory CORE-2010-0406 is published.  
  
  
10. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is  
charged with anticipating the future needs and requirements for  
information security technologies. We conduct our research in several  
important areas of computer security including system vulnerabilities,  
cyber attack planning and simulation, source code auditing, and  
cryptography. Our results include problem formalization,  
identification of vulnerabilities, novel solutions and prototypes for  
new technologies. CoreLabs regularly publishes security advisories,  
technical papers, project information and shared software tools for  
public use at: [http://corelabs.coresecurity.com/].  
  
  
11. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources  
are exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and  
software security auditing. Based in Boston, MA and Buenos Aires,  
Argentina, Core Security Technologies can be reached at 617-399-6980  
or on the Web at [http://www.coresecurity.com].  
  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2010 Core Security  
Technologies and (c) 2010 CoreLabs, and may be distributed freely  
provided that no fee is charged for this distribution and proper  
credit is given.  
  
  
13. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].  
  
`
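
The effect of the patched lines in section 6 on the sample value from section 8, modelled in Python as an added example (not CactuShop or Core Security code). `write_safe` is a stand-in for `WriteSafe`, whose implementation the advisory does not show, and the `<input>` template is an assumption suggested by the leading `"/>` of the sample value.

```python
import html
from html.parser import HTMLParser

CRLF = "\r\n"  # VBScript's vbcrlf
SAMPLE = '"/><script>alert(1);</script>'  # billing address quoted in section 8


def collapse_blank_lines(address):
    # Mirrors replace(addr, vbcrlf & vbcrlf, vbcrlf) from lines 88 and 100.
    return address.replace(CRLF + CRLF, CRLF)


def write_safe(value):
    # Hypothetical stand-in for WriteSafe: HTML-encode &, <, >, " and '
    # so the stored value stays inert in both text and attribute contexts.
    return html.escape(value, quote=True)


def render_field(address, patched):
    # Assumed template: the stored address echoed into a quoted attribute.
    value = collapse_blank_lines(address)
    if patched:
        value = write_safe(value)  # encode last, at the point of output
    return '<input name="billing" value="%s"/>' % value


class TagAudit(HTMLParser):
    """Records every element an HTML parser creates from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def audit(markup):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser


def injected_tags(address, patched):
    # Any element besides the template's own <input> came from stored data.
    found = audit(render_field(address, patched)).tags
    return [tag for tag in found if tag != "input"]
```

With the encoding applied the parser sees a single `<input>` whose `value` attribute decodes back to the original string, so the address is preserved as data instead of becoming markup in the admin's invoice view.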
