Message-ID: <0MTgjg-1ZoZiI0aJs-00QVhY@mrelayeu.kundenserver.de>
Date: Fri, 13 Nov 2015 17:07:01 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] LiteCart 1.3.2: Multiple XSS

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    LiteCart 1.3.2
Fixed in:            1.3.3
Fixed Version Link:  https://www.litecart.net/downloading?version=1.3.3.1
Vendor Contact:      development@...ecart.net
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. XSS 1

Description

The query parameter of the search is vulnerable to XSS.

Proof of Concept


http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>

Code


        public_html/pages/search.inc.php
            document::$snippets['title'][] = empty($_GET['query']) ? language::translate('title_search_results', 'Search Results') : sprintf(language::translate('title_search_results_for_s', 'Search Results for "%s"'), $_GET['query']);

3. XSS 2

Description

The value of the GET parameter slide_id is passed to trigger_error if it is an
invalid id. trigger_error does not encode input, and as LiteCart shows errors
by default, this leads to an XSS vulnerability.

Proof of Concept


http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=slides&doc=edit_slide&page=1&slide_id=<script>alert(1)</script>

Code


        includes/controllers/ctrl_slide.inc.php
            if (empty($this->data)) trigger_error('Could not find slide ('. $slide_id .') in database.', E_USER_ERROR);

4. XSS 3

Description

The value of the GET parameter doc is passed to trigger_error if it is invalid.
trigger_error does not encode input, and as LiteCart shows errors by default,
this leads to an XSS vulnerability. Additionally, accessing a non-existent
array index raises a notice that contains the unsanitized index. Because of
this, $app_config['docs'][$_GET['doc']] can also lead to XSS.

Proof of Concept


http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=appearance&doc=<script>alert(1)</script>

Code


        admin/index.php
            if (!empty($_GET['doc'])) {
              if (empty($app_config['docs'][$_GET['doc']]) || !file_exists(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']])) trigger_error($_GET['app'] .'.app/'. $_GET['doc'] . ' is not a valid admin document', E_USER_ERROR);
              include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']]);
            } else {
              include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$app_config['default']]);
            }

5. Solution

To mitigate these issues, please upgrade to at least version 1.3.3:

https://www.litecart.net/downloading?version=1.3.3.1

Please note that a newer version might already be available.

6. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/LiteCart-132-Multiple-XSS-72.html
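
Added example, not part of the original advisory and not LiteCart's code: one way to close the three sinks described above, by encoding the search term on output and by keeping error text out of the response. The function names (h, search_title, install_safe_error_handler, resolve_doc) and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not LiteCart code. All names below are hypothetical.

// Encode a value for an HTML text or attribute context.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// XSS 1: encode the search term before it is placed in the page title.
function search_title(string $query): string {
    if ($query === '') {
        return 'Search Results';
    }
    return sprintf('Search Results for "%s"', h($query));
}

// XSS 2 and 3: errors and notices go to the log, never into the response.
// The handler returns true so PHP does not print its own unencoded message.
function install_safe_error_handler(): void {
    ini_set('display_errors', '0');
    set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
        error_log(sprintf('[%d] %s in %s:%d', $no, $msg, $file, $line));
        if ($no === E_USER_ERROR) {
            http_response_code(500);
            echo 'An internal error occurred.';
            exit(1);
        }
        return true;
    });
}

// XSS 3: look the document up without reading a missing index, so no
// notice carrying the raw request value is ever raised.
function resolve_doc(array $docs, string $doc): ?string {
    return array_key_exists($doc, $docs) ? $docs[$doc] : null;
}

// Constructed sample input, taken from the proof-of-concept URLs above.
$payload = '"></title><script>alert(1)</script>';
$docs = ['template' => 'template.inc.php']; // constructed allow-list

install_safe_error_handler();
echo search_title($payload), PHP_EOL;            // markup arrives encoded
var_dump(resolve_doc($docs, $payload));          // unknown doc: NULL, no notice
var_dump(resolve_doc($docs, 'template'));        // known doc: mapped file name
trigger_error('Could not find slide (' . $payload . ') in database.', E_USER_WARNING);
echo 'done', PHP_EOL;                            // warning text went to the log only
```

The raw value still reaches the error log, so whatever displays that log must encode it as well.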
