CubeCart 6.0.7 Cross Site Scripting
Posted on 09 November 2015
Security Advisory - Curesec Research Team 1. Introduction Affected Product: CubeCart 6.0.7 Fixed in: 6.0.8 Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip Vendor Contact: sales@cubecart.com Vulnerability Type: XSS Remote Exploitable: Yes Reported to vendor: 09/07/2015 Disclosed to public: 10/07/2015 Release mode: Coordinated release CVE: n/a Credits Tim Coen of Curesec GmbH 2. Reflected XSS Description The search echoes a keyword it retrieves via GET inside HTML tags. It removes HTML tags from the keyword, but it does not encode quotes, which makes it possible to break out of the context of the current attribute and add new attributes. An attacker can use attributes such as onmouseover to execute JavaScript. To execute the code, the victim needs to hover over the title image, which an attacker may for example achieve via ClickJacking. Proof of Concept http://localhost/ecommerce/CubeCart-6.0.6/search.html?search[keywords]=" onmouseover="alert('xsstest')" foo="&_a=category 3. Persistent XSS Description The page to edit user-submitted reviews echoes user input inside HTML input tags without encoding quotes, which makes it possible to break out of the context of the current attribute and add new attributes. An attacker can use attributes such as onfocus to execute JavaScript. In combination with autofocus, a victim does not need to actually interact with the input field for the code to execute. Proof of Concept 1. Write a review here: http://localhost/ecommerce/CubeCart-6.0.6/ test-category/test-product.html#reviews_write 2. use as name or title: " autofocus onfocus="alert(1)" foo=" 3. Visit the review-edit site: http://localhost/ecommerce/CubeCart-6.0.6/ admin.php?_g=products&node=reviews&edit=REVIEWID 4. Solution To mitigate this issue please upgrade at least to version 6.0.8: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip Please note that a newer version might already be available. 5. Report Timeline 09/07/2015 Informed Vendor about Issue 10/05/2015 Vendor releases fix 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/CubeCart-607-XSS-71.html