![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: ppp-design <security@ppp-design.de> To: bugtraq@securityfocus.com Subject: CaupoShop: cross-site-scripting bug Date: Mon, 11 Mar 2002 12:33:37 +0100 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ppp-design found the following cross-site-scripting bug in CaupoShop (and probably in CaupoShopPro): Details - ------- Product: CaupoShop (and probably CaupoShopPro) Version: 1.30a (CaupoShop) and maybe all versions before OS affected: all OS with php and mysql Vendor-URL: www.caupo.com, www.caupo.de, www.caupo.ch, www.kirgis.net Vendor-Status: informed Security-Risk: high - very high Remote-Exploit: Yes Introduction - ------------ CaupoShop is a php/mysql based shopping system for the web. CaupoShopPro is the same shop with some enhanced features. Allthough the software is really widespreaded, it suffers from a cross-site-scripting bug, which leads to disclosure of shipping information of other users (which can include creditcard details). It is also possible to add/change/delete articles in the shop (eg. changing prices). More details - ------------ When registering as a new customer, none of the inputs is checked for malicious code. So a possible blackhat is able to insert some javascript stuff here, which is executed everytime the admin takes a look at the customer listing in the admin area, which is protected by http authentication. Together with some document.location.href stuff the blackhat is now able to redirect the admin to any page in the admin area. Because the admin is allready authenticated, the blackhat does not need to have the admin's password. The redirection makes it possible to do everything the admin can do, eg. changing user passwords or articles. Proof-of-concept - ---------------- We will give two proof-of-concepts here: The first will change an existing user record to a new emailaddress (which is used as the login name) and a new password, so it is possible for the blackhat to log in as this user and see the shipping details the user has entered before, which can include valid creditcard numbers. When registering as a new user, enter the following in the message field, wich is the largest field (indeed you can use any of the fields) (one line): <script>document.location.href="http://example.com/caupo/admin/ admin_workspace.php?id=X&svTable=csc_customer&bEdit=1&bNew=1 &saField[password]=newpass&saField[email]=blackhat@example.com& btnEdit=1"</script> You have to substitute the X with a valid id of an user. This is really easy to guess, because this id is a normal integer counting up from 1, so you can just choose any number between 1 and the number of guessed customers the shop has. The second proof of concept is deleting an existing article and works really the same way. You can easy get the article id out of the shop's html code, in this example we will use the article id 1. Again registering a new user and this times using the follwing in the message field (one line): <script>document.location.href="http://example.com/caupo/admin/ admin_workspace.php?id=1&svTable=csc_article&svDel=YES&btnEdit=1</script> This will delete the article with id 1 next time the admin takes a look at his customer listing. Of course these two examples are easy to get aware of by an admin, because when taking a look at his customer listing, he ends up in an infinite loop (proof-of-concept 1), or he gets a listing of his articles instead of his customers. So he will realize really fast something strange is happening. But together with some more scripting, you can hide from his eyes for a longer time. Temporary-fix - ------------- Admins could disable Javascript but because there are still other possiblilities to enter malicious code, this will only stop these proof-of-concepts from working. Fix - --- Use at least CaupoShop v1.30 rc4 (2002-03-09). Security-Risk - ------------- Because a possible blackhat could nearly control the whole shop and because of the disclosure of creditcard numbers and addresses of shop users we rate the security risk high - very high. Vendor status - ------------- Vendor has released a new version, which filters htmltags using strip_tags(). Disclaimer - ---------- All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) ist mentioned. This advisory can be found online at: http://www.ppp-design.de/advisories_show.php? adv=cauposhop__cross-site-scripting_bug.txt - -- ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE8jJYQDXh7YLO1RRoRAok/AKDXFoa8qWSfVZSbiVQgDUpDjCCnsQCeITuB W/AZqmSxRBx2qZmrw+LqJyQ= =5lp8 -----END PGP SIGNATURE-----