Date: Mon, 15 Aug 2016 11:23:29 +0300
From: tal argoni <talargoni@...il.com>
To: bugtraq@...urityfocus.com
Subject: Reflected Cross Site Scripting (XSS) Vulnerability in nopcommerce 3.70

Security Advisory
CVE-ID:                 N/A
Topic:                  Reflected Cross Site Scripting (XSS) Vulnerability in the "successful registration" page
Class:                  Input Validation
Severity:               Medium
Discovery:              2016-04-28
Vendor Notification:    2016-04-28
Vendor Response:        2016-05-30
Vendor Patch:           2016-05-31
Publicly Announced:     2016-08-15
Credits:                Tal Argoni, CEH, Triad Security [http://www.triadsec.com/]
Affects:                nopCommerce, open-source & free e-commerce solution, version 3.70
Resolved:               Version 3.8

I. Background
nopCommerce is an open-source e-commerce shopping cart web application
written in MVC.NET. After an anonymous user successfully registers with
the application, the application returns a successful-registration page
with a "continue to the shop" button. The value of the redirection
parameter (returnurl) is supplied by the user and is echoed to the
browser without output encoding.

II. Problem Description
Reflected cross-site scripting vulnerabilities arise when data is copied
from a request and echoed into the application's immediate response in an
unsafe way. The injected code is not stored within the application
itself; it only affects users who open a maliciously crafted link or
third-party web page. The attack string is included as part of the
crafted URI or HTTP parameters, improperly processed by the application,
and returned to the victim.

Exploit code/POC:
http://VulnopCommerce/registerresult/1?returnurl=%2fcustomer%2finfo'%3balert("hacked+by+triad+security")%3b%2f%2f

III. Impact
The attacker-supplied code can perform a wide variety of actions, such as
stealing the victim's session token or login credentials, performing
arbitrary actions on the victim's behalf, and logging their keystrokes.

IV. Workaround
You can work around this problem by doing the following:
1. HTML-encode user-supplied data at every point where it is copied into
application responses.
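The following is an added example, not code from the advisory or from the nopCommerce project. It assumes a hypothetical registration-result template that drops the returnurl value into two places: an href attribute and a string literal inside an inline script (the advisory's PoC payload closes a single-quoted JavaScript string, so the script context is the one that matters). The vulnerable renderer concatenates the raw value, as described in section II; the hardened renderer HTML-encodes the value for the attribute, as the workaround recommends, and additionally JSON-encodes it for the script string, since HTML entities are not decoded inside a script block. It also goes beyond the advisory by allow-listing returnurl to site-relative paths, which is the usual check for a redirect parameter. A small regex helper shows, on the advisory's own payload, whether the value stays inside the string literal.

```python
import html
import json
import re
from urllib.parse import unquote_plus, urlsplit

# The returnurl value from the advisory's PoC, URL-decoded (constructed from the page's URL).
POC_RETURNURL = unquote_plus('%2fcustomer%2finfo\'%3balert("hacked+by+triad+security")%3b%2f%2f')


def render_vulnerable(returnurl: str) -> str:
    """Hypothetical template reproducing the flaw: raw value in an attribute and a JS string."""
    return (
        '<a href="' + returnurl + '">continue to the shop</a>\n'
        "<script>function goShop(){ location.href = '" + returnurl + "'; }</script>"
    )


def is_local_path(value: str) -> bool:
    """Accept only site-relative paths: one leading '/', no '//' or '/\\', no scheme or host."""
    if not value.startswith('/') or value.startswith('//') or value.startswith('/\\'):
        return False
    parts = urlsplit(value)
    return parts.scheme == '' and parts.netloc == ''


def js_string_literal(value: str) -> str:
    """JSON-encode for a JS string context, then escape characters that could end the script block."""
    encoded = json.dumps(value)
    return (encoded.replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')
                   .replace('\u2028', '\\u2028').replace('\u2029', '\\u2029'))


def round_trips(value: str) -> bool:
    """True if the JS literal, parsed back as JSON, yields the original value (encoding is lossless)."""
    return json.loads(js_string_literal(value)) == value


def render_hardened(returnurl: str, default: str = '/') -> str:
    """Context-appropriate encoding per output location, after a local-path allow-list check."""
    target = returnurl if is_local_path(returnurl) else default
    return (
        '<a href="' + html.escape(target, quote=True) + '">continue to the shop</a>\n'
        '<script>function goShop(){ location.href = ' + js_string_literal(target) + '; }</script>'
    )


# Finds the first JS string literal assigned to location.href and the code that follows it.
HREF_LITERAL = re.compile(
    r"""location\.href = ('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")(.*?)</script>""", re.S)


def script_code_after_literal(rendered: str) -> str:
    """Return the script code after the href literal; in a safe page this is exactly '; }'."""
    m = HREF_LITERAL.search(rendered)
    return m.group(2).strip() if m else ''


if __name__ == '__main__':
    print('vulnerable trailing code:', script_code_after_literal(render_vulnerable(POC_RETURNURL)))
    print('hardened trailing code:  ', script_code_after_literal(render_hardened(POC_RETURNURL)))
```

Note that the PoC value passes the local-path check (it begins with a single "/" and carries no host), so the allow-list alone would not have stopped it; the output encoding is what keeps the value inside the string literal. The check still matters for the redirect itself, which is why both are shown together.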

V. Solution
Download the vendor patch from http://www.nopcommerce.com .
Update to version 3.8.

VI. References
http://www.triadsec.com/
https://www.linkedin.com/in/talargoni
https://github.com/nopSolutions/nopCommerce/commit/364091c16bae533a6c00c0f3bd920ed15da25f77
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
