Title:
======
Squirrelcart Cart Shop v3.3.4 - Multiple Web Vulnerabilities


Date:
=====
2012-06-04


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=592


VL-ID:
=====
592


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=============
Squirrelcart PHP Shopping Cart software is a fully customizable, robust php shopping cart, designed with
the advanced developer and web novice in mind. If you are a web novice, you will appreciate its ease of
use, and the fact that Squirrelcart will generate the HTML for all of your store's pages based on the built
in templates provided. If you have a strong knowledge of HTML, you will appreciate the ability to make
Squirrelcart look and work the way YOU want it to. We've provided the ability to move around all of its
components, completely change the look, and make it fit your specific needs.

(Copy of the Vendor Homepage: http://www.squirrelcart.com )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in Squirrelcart's Shopping Content Management System v3.3.4.


Report-Timeline:
================
2012-06-04: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
Multiple persistent input validation vulnerabilities are detected in the Squirrelcart Shopping v3.3.4 Content Management System.
The bugs allow remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction & a privileged user account. The persistent vulnerabilities
are located in the Discount Image > Document Edit Name module exception handling & the Location Hours of Operation day listing.
When a customer includes malicious script code in the profile configuration settings, the code is executed from the
web application context when an administrator views the listings.

Vulnerable Module(s):
[+] Group > Add Group or Customer > Detail > Image > Discount Image > Document Edit Name
[+] Location > Warehouse > Listing > Hours of Operation


Picture(s):
../1.png
../2.png


Proof of Concept:
=================
The persistent input validation vulnerabilities can be exploited by a remote attacker or a privileged user account with low
required user interaction. For demonstration or reproduce ...

Location - Warehouse - Listing - Hours of Operation

Review: Hours of Operation (https://127.0.0.1:80/squirrelcart/index.php?edit_records=x&selected_record_number=x&table=Locations)

<td class="field_td" style=""><div style="float: left;"><input id="Hours_Day_1" descriptor="Day(s)"
name="data[Locations][1][Hours_Day_1]" value=""><[PERSISTENT SCRIPT CODE];) <" style="width: 150px;" type="text">
</div>


Note: Information entered here will be shown on your contact page when the Contact module is installed.
For fields that you do not want to use, enter a blank value.


Affected:
https://127.0.0.1:80/squirrelcart/index.php?show_records=1&filter_on=1&qry=repeat
https://127.0.0.1:80/squirrelcart/index.php?qry=x


Reference(s):
../index.php2.htm



Group - Add Group or Customer - Detail - Image - Discount Image - Document Edit Name

Review: Exception Handling (https://127.0.0.1:80/squirrelcart/index.php?table=Groups&add_new_item=x)

<div style="padding-top: 12px;">
<div style="font-weight: bold; font-size: 14px; margin-bottom: 30px;">Error</div>
<div><b>Error: </b> /home/squirrel/public_html/demo4/sc_images/discounts/"><[PERSISTENT SCRIPT CODE]' <<br="
">Path specified for Discount Image is not an image!<br></div>
</div>
</fieldset>
</div>
</div><!-- Template file to show info box -->
<div id="0.89125900 1338658975" style="margin-left: auto; margin-right: auto; width: 400px; margin-top: 20px; display:block;"
align="center">
<div style="position: relative">

Error: /home/squirrel/public_html/[PATH]/sc_images/discounts/">


Reference(s):
../error1.htm


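Added example, not Squirrelcart source code and not part of the original advisory: the two output sinks shown in the proof of concept (the Hours_Day_1 input value and the Discount Image error message), written first as the raw concatenation the vulnerable markup implies and then with HTML encoding at output time. All function names and sample values are hypothetical.

```php
<?php
// Added example, not Squirrelcart source. Names and sample values are hypothetical.

// Constructed stored value: harmless markup that would break out of value="...".
$stored = '"><i>constructed</i>';

// Vulnerable pattern implied by the advisory's markup: stored text concatenated raw.
function render_day_unsafe(string $v): string {
    return '<input id="Hours_Day_1" name="data[Locations][1][Hours_Day_1]" value="'
         . $v . '" type="text">';
}

// Encode for HTML element and attribute contexts when the value is written out.
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: same markup, but the stored value can no longer close the attribute.
function render_day_safe(string $v): string {
    return '<input id="Hours_Day_1" name="data[Locations][1][Hours_Day_1]" value="'
         . h($v) . '" type="text">';
}

// Discount Image: accept only a plain image file name; on failure, encode the
// rejected name before echoing it into the error box.
function discount_image_error(string $name): ?string {
    if (preg_match('/\A[A-Za-z0-9_.-]{1,100}\.(png|jpe?g|gif)\z/i', $name) === 1) {
        return null; // acceptable file name, no error to render
    }
    return '<div><b>Error: </b>' . h($name)
         . '<br>Path specified for Discount Image is not an image!<br></div>';
}

echo render_day_unsafe($stored), "\n";    // markup breaks out of the attribute
echo render_day_safe($stored), "\n";      // value stays inside the attribute
echo discount_image_error($stored), "\n"; // rejected name is shown encoded
var_dump(discount_image_error('summer-sale.png'));
```
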
Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply.

Domains: www.vulnerability-lab.com - www.vuln-lab.com
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 Vulnerability-Lab


--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com