CubeCart Input Validation Bugs in 'cart.php' and 'index.php' Permit Cross-Site Scripting Attacks

2005.09.30
Credit: Lostmon
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

################################################
CubeCart™ 3.0.3 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report: http://bugs.cubecart.com/?do=details&id=363
Advisory: http://lostmon.blogspot.com/2005/09/cubecart-303-multiple-variable-cross.html
vendor confirmed: yes
exploit available: yes
Fix available: yes
################################################

CubeCart contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate some variables upon submission to the cart.php and index.php scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

###############
VERSIONS
###############
CubeCart™ 3.0.3 vulnerable
CubeCart™ 3.0.4 not vulnerable

#################
Timeline
#################
Discovered: 24 sep 2005
vendor notify: 24 sep 2005
Vendor response: 26 sep 2005
Solution: 28 sep 2005

###############
Examples:
###############
http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]
http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]
http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go
http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]

#############
SOLUTION
#############
################################################
MANUAL FIX
################################################

///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$redir = base64_decode($_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$redir = base64_decode(treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$reg->assign("VAL_ACTION","cart.php?act=reg&amp;redir=".$_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$reg->assign("VAL_ACTION","cart.php?act=reg&amp;redir=".treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
header("Location: ".str_replace("&amp;","&",base64_decode($_GET['redir'])));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
header("Location: ".str_replace("&amp;","&",base64_decode(treatGet($_GET['redir']))));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$login->assign("VAL_SELF",$_GET['redir']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$login->assign("VAL_SELF",treatGet($_GET['redir']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$box_content->assign("SEARCHSTR",$_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$searchwords = split ( "[ ,]", $_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".$_GET['searchStr']);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".treatGet($_GET['searchStr']));
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| functions.inc.php
| ========================================
| Core Frontend Functions
+--------------------------------------------------------------------------
*/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
    $text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text" );
    $text = strip_tags($text);
    $text = str_replace(array("'","\"",">","<"," \\"), "", $text);
    return $text;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function currentPage(){
    $currentPage = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
        $currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }
    return $currentPage;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
function currentPage(){
    $currentPage = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
        $currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));
    }
    return $currentPage;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ini['ver'] = '3.0.3';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ini['ver'] = '3.0.4';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#####################
End
########################

Thnx to estrella for being my light
Thnx to all manglers of http://www.osvdb.org

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....
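The manual fix above stops the reflected payloads by deleting characters in treatGet() (step 5) before the value reaches the template. The block below is an added example, not CubeCart's code and not part of the advisory: it reproduces treatGet() for comparison beside context-aware output encoding with htmlspecialchars(), which is the approach a reviewer would normally recommend for a value echoed into HTML, and adds a hypothetical safeRedirect() helper for the base64-encoded redir value that steps 1 and 2 show being decoded into a Location header and echoed into a form action. The names encodeForHtml and safeRedirect, the rule that only a site-relative path is an acceptable redirect target, and all sample inputs are assumptions of this example.

```php
<?php
// Added example, not part of the CubeCart code base or the advisory.

// The filter from the advisory's manual fix (step 5), reproduced for comparison.
function treatGet($text) {
    $text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
    $text = strip_tags($text);
    $text = str_replace(array("'", "\"", ">", "<", " \\"), "", $text);
    return $text;
}

// Context-aware alternative (hypothetical helper): encode at the point where the
// value is written into HTML body text or a double-quoted attribute such as the
// form action. The value itself is preserved; the browser renders it as text.
function encodeForHtml($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper for the redir parameter. Steps 1 and 2 of the fix show
// redir being base64-decoded into a Location header and echoed into VAL_ACTION.
// Assumption of this example: only a site-relative path is an acceptable target;
// anything else falls back to the shop root.
function safeRedirect($encoded) {
    $decoded = base64_decode((string) $encoded, true); // strict mode rejects malformed base64
    if ($decoded === false) {
        return '/';
    }
    // Must start with a single "/" (not "//host") and contain only printable
    // ASCII, which also keeps CR/LF out of the Location header.
    if (!preg_match('#^/(?!/)[\x21-\x7e]*$#', $decoded)) {
        return '/';
    }
    return $decoded;
}

// Constructed sample input modelled on the advisory's searchStr example.
$searchStr = '"><script>alert(document.cookie)</script>';
printf("treatGet:      %s\n", treatGet($searchStr));
printf("encodeForHtml: %s\n", encodeForHtml($searchStr));

// A legitimate search term: treatGet() truncates it at the "<", encoding keeps it intact.
$term = 'widgets <5 "blue"';
printf("treatGet:      %s\n", treatGet($term));
printf("encodeForHtml: %s\n", encodeForHtml($term));

// Constructed redir values: a shop-local page and an off-site URL.
$local   = base64_encode('/cc3/index.php?act=viewDoc&amp;docId=1');
$offsite = base64_encode('http://other.example/');
printf("local:   %s\n", safeRedirect($local));
printf("offsite: %s\n", safeRedirect($offsite));
```

Run it with `php example.php`. The point of the contrast is that treatGet() is a deny-list applied on input: it has to guess every byte sequence a browser might treat as markup, and it silently changes what the user typed, whereas encoding on output makes the same value harmless in its HTML context without altering it. For the redir parameter, strip-based filtering does not address the fact that a decoded value is being sent verbatim in a Location header, which is why the example validates the decoded path rather than the base64 text.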


Copyright 2020, cxsecurity.com
