bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/7628.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

111 lines
5 KiB
Text
Executable file
Raw Blame History

===============================================================
!vuln
ViArt Shopping Cart v3.5 is prone to multiple remote
vulnerabilities. Earlier versions may also be affected.
===============================================================
===============================================================
!dork
Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products Search" +"Advanced Search" + "All Categories"
===============================================================
===============================================================
!risk 1 - Full Path Disclosure
Low
Attackers can use this vulnerability to leverage another attack
after the full path has been disclosed.
===============================================================
===============================================================
!discussion 1 - Full Path Disclosure
The server will give an error when any URL real/imaginary is
passed to the POST_DATA parameter:
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com
A remote user is able to identify the full path of the document
root folder.
===============================================================
===============================================================
!risk 2 - Information Disclosure
Medium
The table names can be further leveraged for a SQL injection if
one exists.
===============================================================
===============================================================
!discussion 2 - Information Disclosure
When a user is not signed in, the tables are shown to the
attacker via an error, because the PHP form fails to properly
sanitize user_id since the user is not logged in.
The attacker must first try to add a product to the cart and
then save the shopping cart for the tables to be revealed by
browsing to: http://www.victim.com/cart_save.php
===============================================================
===============================================================
!risk 3 - Arbitrary Code Injection
High
Attackers can use this vulnerability to execute arbitrary code
on a legitimate user.
===============================================================
===============================================================
!discussion 3 - Arbitrary Code Injection
The attacker is able to create shopping carts with
HTML/Javascript injected code such as:
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><a href="http://www.google.com">Google</a></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>
Then when the user visits "My Saved Carts" at
http://victim.com/user_carts.php the code is executed:
Example 1 would give a link to the Google search engine.
Example 2 would give a javascript alert popup displaying "VULN".
Example 3 would send the user to a malicious site.
Note: manuals_search.php is also vulnerable to the same
HTML/Javascript vulnerability that allows for arbitrary code to
be executed:
http://www.victim.com/manuals_search.php?manuals_search=<html><script>window.location="http://malicious-site.com";</script></html>
A remote user is able to identify the full path of the document
root folder.
===============================================================
===============================================================
!extras
The Cart name is all that needs to be guessed/brute-forced for
an attacker to gain entry to the shopping cart. As the cart-id
increments from 1 upwards. This does not require any user-login
from the attacker.
An attacker could also overload the server with a ton of
shopping carts by constantly refreshing cart_save.php to create
multiple shopping cart ID's.
===============================================================
===============================================================
!solution
ViArt Shopping Cart can still be used, but be wary of the full
path disclosure and make sure no SQL injections can take place
once an attacker knows the table names. Alert users that they
should be wary of which links they click on as an attacker
could redirect them to a malicious site. The overloading of
cart_save.php can be solved by placing IP-bans on attackers.
There is no solution to the brute-force guessing of cart names.
The vendor has not yet been notified.
===============================================================
===============================================================
!greetz
Greetz go out to the people who know me.
===============================================================
===============================================================
!author
Xia Shing Zee
===============================================================
# milw0rm.com [2009-01-01]
Reference in a new issue View git blame Copy permalink