
Friday, July 17, 2015

[FD] FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability

Document Title:
===============
FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability

References (Source):
====================
http://ift.tt/1V2pBF6 098bdc9b309783df65044c5abb690dafdd4bcd436c380ae68c924fe37e14b4e0

Release Date:
=============
2015-07-15

Vulnerability Laboratory ID (VL-ID):
====================================
1451

Common Vulnerability Scoring System:
====================================
3.4

Product & Service Introduction:
===============================
Helping developers add custom ecommerce without reinventing the wheel.
(Copy of the Homepage: http://ift.tt/1RDAQo9 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side input validation vulnerability in the official FoxyCart web application.

Vulnerability Disclosure Timeline:
==================================
2015-03-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-01: Vendor Notification (FoxyCart - Security Research Team)
2015-04-09: Vendor Response/Feedback (FoxyCart - Security Research Team)
2015-06-30: Vendor Fix/Patch (FoxyCart - Developer Team)
2015-07-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
FoxyCart LLC
Product: FoxyCart - Web Application 2015 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation mail encoding vulnerability has been discovered in the official FoxyCart company web application. The issue allows remote attackers to inject their own malicious web context into the application side of a vulnerable module or function.

The security vulnerability is located in the `comments` input field value of the `landing/white-glove-onboarding > Help Form` module. Remote attackers can exploit the issue to execute persistent malicious context in FoxyCart service mails. The injection takes place in the help contact form POST request, via the vulnerable `comments` input value. The script code executes on the application side, in the email body context. Attackers are able to inject iframes, img sources with onload alert or other script code tags. The service does not encode the input and also has no input restriction. After the code has been saved during the registration, the internal service takes the incorrectly encoded DBMS entries and streams them back in a notification mail to the registered user's inbox. The attacker is also able to supply arbitrary email addresses, so that mails with malicious persistent context are streamed to arbitrary targets for phishing, spam and the like. The code does not execute in the profile values presented to the manufacturer itself, but in the attached comments value that becomes visible in the copy mail.

The security risk of the persistent input validation web vulnerability in the mail encoding of the web server is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.4. If the issue exists in the main service values, other services can be affected by the issue too.

Exploitation of the mail encoding and web server validation vulnerability requires low or medium user interaction and no privileged customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results in session hijacking, persistent phishing attacks, persistent redirects to external malicious sources and persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] landing/white-glove-onboarding > Help Form

Vulnerable Parameter(s):
[+] comments

Affected Module(s):
[+] We've received your email

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and with low or medium user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.

Manual steps to reproduce ...
1. Open the FoxyCart service
2. Surf to the vulnerable contact form URL
3. Inject random values into the inputs and inject your script code payload into the comments field
4. Save the entry
5. Redirect via Refresh Referer to confirm the contact request
6. Check the inbox of the contact mail input
7. The code executes in the comments body section
8. Successful reproduction of the vulnerability!
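The defect described above is user input copied verbatim into an HTML notification mail. The following is an added example (not FoxyCart's code) showing a minimal vulnerable mail builder next to a hardened one that HTML-encodes every form value, plus a check a developer can run in tests or over outbound mail bodies. The form fields, the sample submission and the helper names are all constructed for this illustration.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample submission (hypothetical, not real FoxyCart data).
# The comments value carries the kind of markup the advisory describes.
SAMPLE_FORM = {
    "name": "Example Customer",
    "email": "customer@example.invalid",
    "comments": '<iframe src="//example.invalid/"></iframe>'
                '<img src=x onload="alert(1)">',
}

def build_copy_mail_vulnerable(form):
    """Mirrors the defect: form values land in the HTML body unencoded,
    so any tags in `comments` are rendered by the recipient's mail client."""
    return (
        "<p>We've received your email.</p>"
        f"<p>Name: {form['name']}</p>"
        f"<p>Comments: {form['comments']}</p>"
    )

def build_copy_mail_hardened(form):
    """Fix: HTML-encode every user-controlled value before it reaches the
    body, so '<', '>' and quotes are shown as text rather than parsed."""
    name = html.escape(form["name"])
    comments = html.escape(form["comments"])
    return (
        "<p>We've received your email.</p>"
        f"<p>Name: {name}</p>"
        f"<p>Comments: {comments}</p>"
    )

# Raw active tags, or any tag carrying an on*= event handler attribute.
_ACTIVE_MARKUP = re.compile(r"<\s*(iframe|script|img)\b|<[^>]*\bon\w+\s*=", re.I)

def contains_active_markup(body):
    """Review check: does a rendered mail body still carry live markup?"""
    return _ACTIVE_MARKUP.search(body) is not None

def make_message(body, recipient):
    """Wrap the body as a multipart mail with a plain-text fallback."""
    msg = EmailMessage()
    msg["Subject"] = "We've received your email"
    msg["To"] = recipient
    msg.set_content("Your mail client does not display HTML.")
    msg.add_alternative(body, subtype="html")
    return msg
```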

Source: Gmail -> IFTTT -> Blogger
