OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: ppp-design (securityppp-design.de)
Date: Sat Apr 13 2002 - 04:19:01 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ppp-design found the following cross-site-scripting bug in SunShop
    Shopping Cart:

    Details
    - -------
    Product: SunShop Shopping Cart
    Version: 2.5 and maybe all versions before
    OS affected: all OS with php and mysql
    Vendor-URL: http://www.turnkeywebtools.com
    Vendor-Status: informed, patched
    Security-Risk: high - very high
    Remote-Exploit: Yes

    Introduction
    - ------------
    SunShop is a php/mysql based shopping system. Because it is a commercial
    solution ($99.99) we could not have a look into the source code. All
    impacts are tested in a demo shop on their website. SunShop is suffering
    a cross-site-scripting bug because none of the user inputs seems to be
    checked for malicious code.

    More details
    - ------------
    When registering as a new customer, none of the inputs is checked for
    malicious code. So a possible blackhat is able to insert some javascript
    stuff here, that is executed everytime the admin takes a look at the
    customer listing in the admin area, which is protected by http
    authentication. Together with some document.location.href stuff the
    blackhat is now able to redirect the admin to any page in the admin
    area. Because the admin is allready authenticated, the blackhat does not
    need to have the admin's password. The redirection makes it possible to
    do everything the admin can do, eg. generating new coupons.

    Proof-of-concept
    - ----------------
    Enter the following name when registering as a new customer:

    blackhat<script>alert('ouch')</script>

    When the admin takes a look into his customer listing, the javascript
    code gets executed. Together with some more document.location.href the
    blackhat is able to do anything the admin can.

    Temporary fix
    - -------------
    We do not have the source code, so we cannot suggest any temporary fix.

    Fix
    - ---
    Use the latest version.

    Security-Risk
    - -------------
    Because a possible blackhat could nearly control the whole shop we rate
    the security risk high - very high.

    Vendor status
    - -------------
    We have informed the vendor and he reacted very quickly. According to
    his statement the bug is now fixed.

    Disclaimer
    - ----------
    All information that can be found in this advisory is believed to be
    true, but maybe it isn't. ppp-design can not be held responsible for the
    use or missuse of this information. Redistribution of this text is only
    permitted if the text has not been altered and the original author
    ppp-design (http://www.ppp-design.de) is mentioned.

    This advisory can be found online at:
    http://www.ppp-design.de/advisories.php

    - --
    ppp-design
    http://www.ppp-design.de
    Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
    Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Weitere Infos: siehe http://www.gnupg.org

    iD8DBQE8t/gFDXh7YLO1RRoRAk/dAKDHX5fWvI3hNGy8J/1L1xYg+OsevwCfcZPo
    ycgsyRswKpqPSGOreISZw1k=
    =qEN8
    -----END PGP SIGNATURE-----