[NEWS] CaupoShop Cross Site Scripting Bug
From: support@securiteam.com Date: 03/16/02
From: support@securiteam.com To: list@securiteam.com Date: Sat, 16 Mar 2002 12:01:19 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
CaupoShop Cross Site Scripting Bug
------------------------------------------------------------------------
SUMMARY
CaupoShop is a php/mysql based shopping system for the web. CaupoShopPro
is the same shop with some enhanced features. The software is in
widespread use; however, it suffers from a cross-site scripting bug, which
leads to disclosure of the shipping information of other users (this can
include credit card details). It is also possible to add/change/delete
articles in the shop (e.g. changing prices).
DETAILS
Vulnerable systems:
CaupoShop 1.30a and prior
Immune systems:
CaupoShop v1.30 rc4
When registering as a new customer, none of the inputs is checked for
malicious code. It is therefore possible for an attacker to insert
JavaScript here, which is executed every time the admin views the
customer listing in the admin area, which is protected by HTTP
authentication. Combined with an assignment to document.location.href, the
attacker is then able to redirect the admin to any page in the admin area.
Because the admin is already authenticated, the attacker does not need
the admin's password. The redirection makes it possible to do everything
the admin can do, e.g. changing user passwords or articles.
Proof-of-concept
We will give two proof-of-concepts here:
The first will change an existing user record to a new email address
(which is used as the login name) and a new password, so it is possible
for the attacker to log in as this user and see the shipping details the
user has entered before, which can include valid credit card numbers.
When registering as a new user, enter the following in one line, into the
message field (although you can use any of the fields):
<script>document.location.href="http://example.com/caupo/admin/
admin_workspace.php?id=X&svTable=csc_customer&bEdit=1&bNew=1
&saField[password]=newpass&saField[email]=blackhat@example.com&
btnEdit=1"</script>
You have to substitute the X with a valid id of a user. This is really
easy to guess, because this id is a normal integer counting up from 1, so
you can just choose any number between 1 and the estimated number of
customers the shop has.
The second proof of concept deletes an existing article and works in
exactly the same way. You can easily get the article id out of the shop's
HTML code; in this example we will use the article id 1.
Again register a new user, this time using the following in the
message field (one line):
<script>document.location.href="http://example.com/caupo/admin/
admin_workspace.php?id=1&svTable=csc_article&svDel=YES&btnEdit=1"</script>
This will delete the article with id 1 next time the admin takes a look at
his customer listing.
Of course these two examples are likely to be noticed by an admin, because
when taking a look at his customer listing, he ends up in an infinite loop
(proof-of-concept 1), or he gets a listing of his articles instead of his
customers. So he will realize very quickly that something strange is
happening. But with some more scripting, this can be hidden from him for
a longer time.
Workaround:
Admins could disable JavaScript, but because there are still other ways
to enter malicious code, this will only stop these proof-of-concepts from
working.
Fix:
Upgrade to CaupoShop v1.30 rc4 (2002-03-09).
Impact:
Because a possible attacker could control nearly the whole shop, and
because of the disclosure of credit card numbers and addresses of shop
users, ppp-design has rated the security risk high to very high.
Vendor status:
The vendor has released a new version, which filters HTML tags using
strip_tags().
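As an added illustration (not CaupoShop's own code and not the vendor's patch), the listing below contrasts a customer-listing row renderer that echoes stored customer fields raw, which is the pattern the advisory describes, with one that encodes every value at output time; the customer record, field names and function names are constructed for this example.

```php
<?php
// Added example, not CaupoShop code: rendering stored customer fields
// in the admin customer listing. Record and field names are constructed.

// Constructed customer record as it would come back from the database;
// the message field carries the kind of markup the advisory describes.
$customer = [
    'id'      => 42,
    'email'   => 'alice@example.com',
    'message' => '<script>document.location.href="http://example.com/caupo/admin/"</script>',
];

// Vulnerable pattern: database values are dropped straight into the page,
// so whatever the customer typed becomes part of the admin's HTML and any
// <script> in it runs with the admin's authenticated session.
function renderCustomerRowUnsafe(array $c): string
{
    return "<tr><td>{$c['id']}</td><td>{$c['email']}</td><td>{$c['message']}</td></tr>\n";
}

// Hardened pattern: encode every untrusted value at the moment it is
// written into HTML. ENT_QUOTES also encodes ' and ", so the same helper
// is safe inside attribute values; strip_tags() on input (the vendor's
// approach) removes tags but leaves quotes intact, so it does not cover
// that context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCustomerRowSafe(array $c): string
{
    return '<tr><td>' . h((string) $c['id']) . '</td><td>' . h($c['email'])
         . '</td><td>' . h($c['message']) . "</td></tr>\n";
}

echo "Unsafe row:\n" . renderCustomerRowUnsafe($customer);
echo "Safe row:\n"   . renderCustomerRowSafe($customer);
// In the safe row the message appears as &lt;script&gt;...&lt;/script&gt;
// and the browser displays it as text instead of executing it.
```

Output encoding stops the stored script from running at all; the redirect half of the attack is additionally blunted if admin_workspace.php acts only on a POST carrying a per-session token rather than on a GET URL, since a document.location.href assignment can only issue a GET.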
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@ppp-design.de>
ppp-design.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.