###########################################
DHCart Multiple variable XSS and stored XSS
Vendor URL: http://www.dhcart.com/
Advisory: http://lostmon.blogspot.com/2008/11/dhcart-multiple-variable-xss-and-stored.html
Vendor notified: YES
Exploit: YES
Patch: YES
###########################################

DHCart is a PHP-based application that provides a simple shopping cart for
users purchasing domain names and hosting services.

DHCart 3.84 is vulnerable to reflected cross-site scripting and stored
cross-site scripting. See these PoCs:

http://Victim/order.php?dhaction=check&submit_domain=Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&ext1=on

or

http://Victim/order.php?dhaction=add&d1=lalalalasss%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=0&h1=1&addtocart1=on&n=3

In the first case the payload is reflected straight back from the URL. In the
second case it is injected through the URL and also saved in the cart, so when
the user later views the cart the script executes again (stored XSS).

Vulnerable code:

Around line 93 of config.php we find:

    if (!empty($HTTP_GET_VARS))
        while (list($name, $value) = each($HTTP_GET_VARS))
            $$name = $value;

This is vulnerable because every GET parameter is copied into a global variable
of the same name (the old register_globals behaviour) and $value is later
returned to the user without any sanitising or encoding, so the quote and
<script> tag in the PoC close the HTML attribute and run.

I have fully patched it: add a function to filter variables and apply this
filter to the $value variable.

    ///////////////////////////////////////////////////////////////////////////
    // Code below this point should not need modifying. Do so at your own risk!
    ///////////////////////////////////////////////////////////////////////////

    // Strip the characters an XSS payload needs to break out of HTML: tags,
    // quotes, angle brackets, backslashes and empty "()" call parentheses.
    // Array parameters (e.g. domain[]=...) are filtered element by element.
    function StopXSS($text)
    {
        if (!is_array($text)) {
            $text = preg_replace("/\(\)/si", "", $text);
            $text = strip_tags($text);
            $text = str_replace(array("'", "\"", ">", "<", "\\"), "", $text);
        } else {
            foreach ($text as $k => $t) {
                $t = preg_replace("/\(\)/si", "", $t);
                $t = strip_tags($t);
                $t = str_replace(array("'", "\"", ">", "<", "\\"), "", $t);
                $text[$k] = $t;
            }
        }
        return $text;
    }

    if (!empty($HTTP_GET_VARS))
        while (list($name, $value) = each($HTTP_GET_VARS))
            $$name = StopXSS($value);

A few caveats on the patch: it removes characters rather than encoding them, so
legitimate input containing quotes or angle brackets is silently altered, and it
only covers values that end up inside HTML; the usual fix is to keep the raw
input and call htmlspecialchars() (with ENT_QUOTES) wherever a value is written
into the page, including the stored cart entries. The $$name assignment is also
left in place, so any query parameter can still set any global variable of that
name; the filter addresses the XSS only. Finally, $HTTP_GET_VARS was removed in
PHP 5.4 and each() in PHP 8.0, so this code only applies to the PHP versions
DHCart 3.84 targeted.

######################End##################

--
Thanks to estrella for being my light
Thanks to FalconDeOro for his support
Thanks to Imydes from http://www.imydes.com
Thanks to Climbo
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
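Appended example, not DHCart's code and not part of the advisory above: the script below contrasts the register_globals-style import from config.php ($$name = $value) with encoding at the point of output, for both the reflected case and the stored cart case. The array $constructedGet (standing in for $HTTP_GET_VARS), the functions renderVulnerable(), h(), renderHardened() and renderCart(), and the one-entry $cart are all assumptions built for the demo; the domain value is the URL-decoded payload from the first PoC URL.

```php
<?php
// Added example, not DHCart's code. It contrasts the register_globals-style
// import shown in the advisory ($$name = $value) with escaping at the point
// of output, for both the reflected and the stored case.
// $constructedGet stands in for $HTTP_GET_VARS; it is constructed inline so
// the script runs from the CLI, and carries the URL-decoded domain value from
// the advisory's first PoC URL.
$constructedGet = [
    'dhaction' => 'check',
    'domain'   => '"><script>alert()</script>',
    'ext1'     => 'on',
];

// Vulnerable flow: every query parameter becomes a variable of the same name
// and is concatenated straight into an HTML attribute.
function renderVulnerable(array $get): string
{
    $domain = '';
    foreach ($get as $name => $value) {
        $$name = $value;                 // sets $domain to the raw payload
    }
    return '<input type="text" name="domain" value="' . $domain . '">';
}

// Encode for the HTML context at render time. ENT_QUOTES covers both quote
// characters so an attribute value cannot be closed early; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened flow: read only the parameter the page actually needs and encode
// it when it is written into the markup. The raw value is never discarded.
function renderHardened(array $get): string
{
    $domain = (string) ($get['domain'] ?? '');
    return '<input type="text" name="domain" value="' . h($domain) . '">';
}

// Stored case: the cart keeps the raw string (a later page may need it), and
// the cart view encodes each entry as it is rendered, so the saved payload
// is shown as text instead of executing.
function renderCart(array $cart): string
{
    $out = "<ul>\n";
    foreach ($cart as $entry) {
        $out .= '  <li>' . h($entry) . "</li>\n";
    }
    return $out . '</ul>';
}

// Constructed one-entry cart holding what the PoC would have stored.
$cart = [$constructedGet['domain']];

echo "Vulnerable:\n" . renderVulnerable($constructedGet) . "\n\n";
echo "Hardened:\n" . renderHardened($constructedGet) . "\n\n";
echo "Cart view:\n" . renderCart($cart) . "\n";
```

Run it with `php example.php`; no web server is needed. The vulnerable line prints the attribute closed by the payload's `">` followed by a live `<script>` element, while the hardened and cart outputs contain only `&quot;`, `&lt;` and `&gt;` entities, which a browser renders as text.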