Advertisement






CubeCart Input Validation Bugs in 'cart.php' and 'index.php' Permit Cross-Site Scripting Attacks

CVE Category Price Severity
Not specified CWE-79 Not specified High
Author Risk Exploitation Type Date
Not specified High Remote 2005-10-06
CPE PURL
cpe:cpe:/a:cubecart:cubecart pkg:https://exploitalert.com/view-details/cubecart-input-validation-bugs-in-cart-php-and-index-php-permit-cross-site-scripting-attacks
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2005090029

Below is a copy:

################################################
CubeCart™ 3.0.3 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=363
Advisore:http://lostmon.blogspot.com/2005/09/
cubecart-303-multiple-variable-cross.html
vendor confirmed: yes exploit avalable: yes
Fix available: yes
################################################
 
CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate some
variables upon submission to cart.php and index.php script
scripts.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss of
integrity.
 
###############
VERSIONS
###############
CubeCart™ 3.0.3 vulnerable
CubeCart™ 3.0.4 not vulnerable
 
 
#################
Timeline
#################
 
Discovered: 24 sep 2005
vendor notify: 24 sep 2005
Vendor response:26 sep 2005
Solution: 28 sep 2005
 
###############
Examples:
###############
 
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0U
lM0NzY3JpcHQlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZXdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-COD
E]
 
http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]
 
 
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&
act=viewCat&Submit=Go
 
http://[victim]cc3/index.php?act=login&redir=L3NpdGUvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFt
cDtkb2NJZD0x[XSS-CODE]
 
#############
SOLUTION
#############
 
################################################
MANUAL FIX
################################################
///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$redir = base64_decode($_GET['redir']);
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$redir = base64_decode(treatGet($_GET['redir']));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".$_GET['redir']);
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$reg->assign("VAL_ACTION","cart.php?act=reg&redir=".treatGet($_GET['re
dir']));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
header("Location: ".str_replace("&","&",base64_decode($_GET
['redir'])));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
header("Location:
".str_replace("&","&",base64_decode(treatGet($_GET['redir']))));

 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$login->assign("VAL_SELF",$_GET['redir']);
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$login->assign("VAL_SELF",treatGet($_GET['redir']));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$box_content->assign("SEARCHSTR",$_GET['searchStr']);
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$searchwords = split ( "[ ,]", $_GET['searchStr']);
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']."

".$_GET['searchStr']);
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']."

".treatGet($_GET['searchStr']));
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
|	functions.inc.php
|   ========================================
|	Core Frontend Functions	
+--------------------------------------------------------------------------
*/
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
	
	$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text"
);
	$text = strip_tags($text);
	$text = str_replace(array("'","\"",">","<","
\\"), "", $text);
	return $text;
	
}
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
function currentPage(){
	
	$currentPage = $_SERVER['PHP_SELF'];
	
	if (isset($_SERVER['QUERY_STRING'])) {
  	
		$currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);
	
	}
	
	return $currentPage;
 
}
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
function currentPage(){
	
	$currentPage = $_SERVER['PHP_SELF'];
	
	if (isset($_SERVER['QUERY_STRING'])) {
  	
		$currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));
	
	}
	
	return $currentPage;
 
}
 
///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$ini['ver'] = '3.0.3';
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
$ini['ver'] = '3.0.4';
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
##################### &#8364;nd ########################
 
Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org
 
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum