| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 03 Nov 2015 11:56:12 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] CubeCart 6.0.7: XSS
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: CubeCart 6.0.7
Fixed in: 6.0.8
Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact: sales@...ecart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Reflected XSS
Description
The search echoes a keyword it retrieves via GET inside HTML tags. It removes
HTML tags from the keyword, but it does not encode quotes, which makes it
possible to break out of the context of the current attribute and add new
attributes. An attacker can use attributes such as onmouseover to execute
JavaScript.
To execute the code, the victim needs to hover over the title image, which an
attacker may for example achieve via ClickJacking.
Proof of Concept
http://localhost/ecommerce/CubeCart-6.0.6/search.html?search[keywords]=" onmouseover="alert('xsstest')" foo="&_a=category
3. Persistent XSS
Description
The page to edit user-submitted reviews echoes user input inside HTML input
tags without encoding quotes, which makes it possible to break out of the
context of the current attribute and add new attributes.
An attacker can use attributes such as onfocus to execute JavaScript. In
combination with autofocus, a victim does not need to actually interact with
the input field for the code to execute.
Proof of Concept
1. Write a review here: http://localhost/ecommerce/CubeCart-6.0.6/
test-category/test-product.html#reviews_write
2. use as name or title: " autofocus onfocus="alert(1)" foo="
3. Visit the review-edit site: http://localhost/ecommerce/CubeCart-6.0.6/
admin.php?_g=products&node=reviews&edit=REVIEWID
4. Solution
To mitigate this issue please upgrade at least to version 6.0.8:
https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Please note that a newer version might already be available.
5. Report Timeline
09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/CubeCart-607-XSS-71.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists