CubeCart™ 3.0.3 multiple variable Cross site scripting

Wednesday, September 28, 2005
################################################
CubeCart™ 3.0.3 multiple variable Cross site scripting
Vendor url: www.cubecart.com
Bug report: http://bugs.cubecart.com/?do=details&id=363
Advisory: http://lostmon.blogspot.com/2005/09/cubecart-303-multiple-variable-cross.html
Vendor confirmed: yes    Exploit available: yes
Fix available: yes
OSVDB IDs: 19860, 19861
SecurityTracker: 1014984
BID: 14962
################################################

CubeCart contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
some variables (redir and searchStr) upon submission to the cart.php
and index.php scripts. This could allow a user to create a specially
crafted URL that would execute arbitrary script code in a user's
browser within the trust relationship between the browser and the
server, leading to a loss of integrity.

###############
VERSIONS
###############

CubeCart™ 3.0.3 vulnerable
CubeCart™ 3.0.4 not vulnerable

#################
Timeline
#################

Discovered: 24 sep 2005
Vendor notified: 24 sep 2005
Vendor response: 26 sep 2005
Solution: 28 sep 2005
Disclosure: 24 sep 2005
Public disclosure: 28 sep 2005

###############
Examples:
###############

http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]

http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]

http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go

http://[victim]/cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb2NJZD0x[XSS-CODE]
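The two reflection paths the examples above rely on, the raw searchStr value and the base64-wrapped redir value (with anything appended after the base64), can be checked for in web server logs. The following is an added detection example, not code from the advisory or from CubeCart; it assumes Apache combined-log lines, and the sample lines are constructed (the long base64 value is the one quoted in the first example above).

```python
import base64, binascii, re
from urllib.parse import parse_qs, unquote, urlsplit
# Fragments that have no business in a search term or a redirect target.
MARKUP_RE = re.compile(r"<\s*/?[a-z]|javascript\s*:", re.I)
B64_RUN_RE = re.compile(r"^[A-Za-z0-9+/]+=*")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # Apache log request field

def effective_redir(value):
    """Undo the base64 that reg.inc.php/login.inc.php apply to 'redir', keeping any tail."""
    m = B64_RUN_RE.match(value)
    if not m:
        return value
    run = m.group(0)
    try:
        target = base64.b64decode(run + "=" * (-len(run) % 4)).decode("latin-1")
    except binascii.Error:
        target = run
    return target + value[m.end():]  # decoded target plus whatever was appended

def suspicious_params(url):
    """Effective values of this advisory's parameters that carry markup ({} if clean)."""
    findings = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if name in ("redir", "searchStr"):
            for value in values:
                effective = effective_redir(value) if name == "redir" else value
                # one more decode pass: a redirect target's query is still
                # percent-encoded when index.php later reflects it into the page
                if MARKUP_RE.search(unquote(effective)):
                    findings[name] = effective
    return findings

def scan_log(lines):
    """(line_no, findings) for every log line whose request matches this pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        findings = suspicious_params(m.group(1)) if m else {}
        if findings:
            hits.append((n, findings))
    return hits
# Constructed sample log lines, not real traffic. The long base64 value is the one
# quoted in the advisory's first example; the short one encodes "/cc3/index.php".
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Sep/2005:10:00:01 +0200] "GET /cc3/index.php?act=viewCat&searchStr=mouse+pad HTTP/1.1" 200 5123',
    '198.51.100.7 - - [28/Sep/2005:10:01:13 +0200] "GET /cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat&Submit=Go HTTP/1.1" 200 5200',
    '198.51.100.7 - - [28/Sep/2005:10:01:20 +0200] "GET /cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw== HTTP/1.1" 302 0',
    '198.51.100.7 - - [28/Sep/2005:10:01:25 +0200] "GET /cc3/cart.php?act=reg&redir=L2NjMy9pbmRleC5waHA=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E HTTP/1.1" 200 4410',
]
```

`scan_log(SAMPLE_LOG)` reports lines 2, 3 and 4; line 3 is flagged only because the decoded redirect target is decoded once more, which is what catches the base64-wrapped variant.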

#############
SOLUTION
#############

The vendor has released a fix, and the latest version of CubeCart
is available for download from the following URI:

http://www.cubecart.com/site/forums/index.php?download=222

Thanks to all the CubeCart team, they did a very good job !!!

################################################
MANUAL FIX
################################################
///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$redir = base64_decode($_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$redir = base64_decode(treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".$_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

header("Location: ".str_replace("&amp;","&",base64_decode($_GET['redir'])));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

header("Location: ".str_replace("&amp;","&",base64_decode(treatGet($_GET['redir']))));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$login->assign("VAL_SELF",$_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$login->assign("VAL_SELF",treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$box_content->assign("SEARCHSTR",$_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$searchwords = split ( "[ ,]", $_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".$_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| functions.inc.php
| ========================================
| Core Frontend Functions
+----------------------------------------------
*/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

// strip backslashes; the pattern as first published here, "/(\)/si", was
// malformed (unclosed group), so preg_replace() returned NULL and emptied every value
$text = preg_replace("/\\\\/", "", $text);
// drop any HTML tags, then the quote and angle-bracket characters a tag needs
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

function currentPage(){

$currentPage = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {

$currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);

}

return $currentPage;

}


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

function currentPage(){

$currentPage = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {

$currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));

}

return $currentPage;

}

///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ini['ver'] = '3.0.3';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ini['ver'] = '3.0.4';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

##################### €nd ########################

Thanks to estrella for being my light
Thnx to all manglers of http://www.osvdb.org

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Multiple variable XSS in Spymac Web Os v4.0

Sunday, September 18, 2005
UPDATE 20 sep 2005:
VERSION AFFECTED: Spymac v4

#########################################################
Multiple variable XSS in Spymac Web Os v4.0
Vendor url: http://www.spymac.com/
Advisory: http://lostmon.blogspot.com/2005/09/multiple-variable-xss-in-spymac-web-os.html
Vendor notified: yes    Exploit available: yes
OSVDB ID: 19613
SecurityTracker: 1014928
#########################################################

Spymac is powered by an integrated collection of applications
(developed in-house)that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.

Spymac contains a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate some
variables upon submission to some scripts. This could allow a user
to create a specially crafted URL that would execute arbitrary script
code in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.

############
Version affected
############

Spymac web os v4
Spymac Web Os 3.0 beta 190

#########
Solution
#########

No solution was available at this time.

##########
timeline
##########

Discovered: 17 sep 2005
Vendor notified: 17 sep 2005
Vendor response:
Disclosure: 17 sep 2005
Public disclosure: 17 sep 2005


############
Examples
############

http://[victim]/forums/showthread.php?threadid=195681[XSS-CODE]

http://[victim]/forums/showthread.php?threadid=195805&postid=3579278[XSS-CODE]#post_3579278

http://[victim]/forums/showthread.php?threadid=195605&curr=0[XSS-CODE]

########################### €nd ############################

Thanks to estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Spymac Web os 4.0 variable XSS

Sunday, September 11, 2005
#######################################################
Spymac Web os 4.0 variable XSS
Vendor url: http://www.spymac.com/
Advisory: http://lostmon.blogspot.com/2005/09/spymac-web-os-40-variable-xss.html
Vendor notified: yes    Exploit available: yes
OSVDB ID: 19438
SecurityTracker: 1014883
########################################################

Spymac is powered by an integrated collection of applications
(developed in-house)that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.

Spymac contains a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate the
'category' variable upon submission to the index.php script.
This could allow a user to create a specially crafted URL
that would execute arbitrary script code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.

############
Version affected
############

Spymac Web Os 4.0

#########
Solution
#########

No solution at this time

##########
timeline
##########

Discovered: 10 sep 2005
Vendor notified: 10 sep 2005
Vendor response: 10 sep 2005
Disclosure: 10 sep 2005
Public disclosure: 11 sep 2005

############
Examples
############

http://[victim]/index.php?category=1%22%3E%3Cbody%3E%3Ch1%3ESe%20busca%20H4x0r%3C/h1%3E%3Cp%3E%20es%20peligroso%20y%20va%20armado%3Cbr%3E%20Lleva%20un%20portatil%20y%20un%20palm%20en%20las%20manos%3Cbr%3E%20si%20le%20ven%20;%20no%20le%20proporcionen%20conexion%20a%20internet.%3C/p%3E%3Cp%3E%3C/p%3E3Cimg20src=http://www.ttvn.com.vn/Uploaded/administrator/hacker.jpg%3E%3Ch1%3EBy%20Lostmon%3C/h1%3E%3C/body%3E

############################# €nd ##########################

Thanks to estrella for being my light...
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....