Title:
======
Squirrelcart Cart Shop v3.3.4 - Multiple Web Vulnerabilities


Date:
=====
2012-06-04


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=592


VL-ID:
=====
592


Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Squirrelcart PHP Shopping Cart software is a fully customizable, robust php shopping cart, designed with
the advanced developer and web novice in mind. If you are a web novice, you will appreciate its ease of
use, and the fact that Squirrelcart will generate the HTML for all of your store's pages based on the built
in templates provided. If you have a strong knowledge of HTML, you will appreciate the ability to make
Squirrelcart look and work the way YOU want it to. We've provided the ability to move around all of its
components, completely change the look, and make it fit your specific needs.

(Copy of the Vendor Homepage: http://www.squirrelcart.com )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in Squirrelcart's Shopping Content Management System v3.3.4.


Report-Timeline:
================
2012-06-04: Public or Non-Public Disclosure


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities were detected in the Squirrelcart Shopping v3.3.4 Content Management System.
The bugs allow remote attackers to inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerabilities can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction and a privileged user account. The persistent vulnerabilities
are located in the exception handling of the Discount Image > Document Edit Name module and in the Location Hours of Operation day listing.
When a customer includes malicious script code in the profile configuration settings, the code is executed from
the web application context when an administrator views the listings.

Vulnerable Module(s):
[+] Group > Add Group or Customer > Detail > Image > Discount Image > Document Edit Name
[+] Location > Warehouse > Listing > Hours of Operation


Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The persistent input validation vulnerabilities can be exploited by remote attackers or a privileged user account with low
required user interaction. For demonstration or reproduction ...

Location - Warehouse - Listing - Hours of Operation

Review: Hours of Operation (https://127.0.0.1:80/squirrelcart/index.php?edit_records=x&selected_record_number=x&table=Locations)

<td class="field_td" style=""><div style="float: left;"><input id="Hours_Day_1" descriptor="Day(s)"
name="data[Locations][1][Hours_Day_1]" value=""><[PERSISTENT SCRIPT CODE];) <" style="width: 150px;" type="text">
</div>


Note: Information entered here will be shown on your contact page when the Contact module is installed.
For fields that you do not want to use, enter a blank value.


Affected:
https://127.0.0.1:80/squirrelcart/index.php?show_records=1&filter_on=1&qry=repeat
https://127.0.0.1:80/squirrelcart/index.php?qry=x


Reference(s):
../index.php2.htm



Group - Add Group or Customer - Detail - Image - Discount Image - Document Edit Name

Review: Exception Handling (https://127.0.0.1:80/squirrelcart/index.php?table=Groups&add_new_item=x)

<div style="padding-top: 12px;">
<div style="font-weight: bold; font-size: 14px; margin-bottom: 30px;">Error</div>
<div><b>Error: </b> /home/squirrel/public_html/demo4/sc_images/discounts/"><[PERSISTENT SCRIPT CODE]' <<br="
">Path specified for Discount Image is not an image!<br></div>
</div>
</fieldset>
</div>
</div><!-- Template file to show info box -->
<div id="0.89125900 1338658975" style="margin-left: auto; margin-right: auto; width: 400px; margin-top: 20px; display:block;"
align="center">
<div style="position: relative">

Error: /home/squirrel/public_html/[PATH]/sc_images/discounts/">


Reference(s):
../error1.htm

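Both reviewed outputs place stored input into HTML without encoding it. The following is an added example, not Squirrelcart code and not part of the original advisory, that renders the two sinks with output encoding next to the unencoded form; all function names, the validation policy and the sample value are hypothetical and constructed for illustration.

```php
<?php
// Added example; not Squirrelcart source. All function names are hypothetical.

// Encode a value for an HTML text node or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the stored value is concatenated raw, so a quote ends the attribute.
function render_hours_day_unsafe(int $slot, string $stored): string
{
    return '<input id="Hours_Day_' . $slot . '" name="data[Locations][1][Hours_Day_'
         . $slot . ']" value="' . $stored . '" style="width: 150px;" type="text">';
}

// After: same markup, with the stored value encoded at output time.
function render_hours_day_safe(int $slot, string $stored): string
{
    return '<input id="Hours_Day_' . $slot . '" name="data[Locations][1][Hours_Day_'
         . $slot . ']" value="' . e($stored) . '" style="width: 150px;" type="text">';
}

// After: the Discount Image error echoes the submitted name only in encoded form.
function render_discount_error_safe(string $submittedPath): string
{
    return '<div><b>Error: </b>' . e($submittedPath)
         . '<br>Path specified for Discount Image is not an image!<br></div>';
}

// Input validation on save (assumed policy): short labels such as "Mon - Fri".
function is_valid_day_label(string $value): bool
{
    return preg_match('/\A[\p{L}\p{N} ,.\-]{0,40}\z/u', $value) === 1;
}

// Constructed sample: a harmless value that contains markup-breaking characters.
$stored = '"><b>marker</b>';

echo render_hours_day_unsafe(1, $stored), PHP_EOL;   // attribute is broken out of
echo render_hours_day_safe(1, $stored), PHP_EOL;     // value stays inside the attribute
echo render_discount_error_safe('sc_images/discounts/' . $stored), PHP_EOL;
var_dump(is_valid_day_label('Mon - Fri'), is_valid_day_label($stored));
```
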
Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply.

Domains: www.vulnerability-lab.com - www.vuln-lab.com
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

Copyright © 2012 Vulnerability-Lab



--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com