Latest YouTube Video

Friday, November 6, 2015

[FD] Quick.Cart 6.6: Multiple XSS

Security Advisory - Curesec Research Team 1. Introduction Affected Product: Quick.Cart 6.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Contact: info@opensolution.org Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Description Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it is possible to inject JavaScript keylogger or perform phishing attacks. The vulnerabilities are all in the admin.php file. To add security through obscurity, Quick.Cart does suggest to rename this file, which would make it more difficult to exploit these vulnerabilities. The renaming is not mandatory. The vulnerabilities detailed below depend on the fact that the main entry points for users and admins contains a call to extract: index.php extract( $_GET ); admin.php extract( $_GET ); With this, it is possible to overwrite or set any variable. Because of this, it is not considered best-practice to pass user input to extract. The SESSION variable can not be set by an attacker, because session_start is called after extract, but variables such as SERVER or COOKIE and undefined variables can be set. This call also makes it possible to send POST requests via GET, making the exploitation of for example CSRF easier. It may have further negative effects as well. 3. Details XSS 1 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus=">http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts=">Code: templates/admin/orders.php
XSS 2 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage= Code: templates/admin/languages.php

XSS 3 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]=" autofocus onfocus="alert('xss') Code: common-admin.php $content = '
'; XSS 4 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]=">&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the name of the session key and overwriting one SERVER value leads to the deletion of all other SERVER values. Code: core/libraries/trash.php $GLOBALS['lang']['Language'] .= ''; 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/07/2015 Informed Vendor about Issue 10/01/2015 Reminded Vendor of release date 10/01/2015 Vendor does not plan on releasing a fix, because the optional rename of the admin file may mitigate this issue already 10/07/2015 Disclosed to public Blog Reference: http://ift.tt/1PfEylX

Source: Gmail -> IFTTT-> Blogger

No comments: