| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0MTgjg-1ZoZiI0aJs-00QVhY@mrelayeu.kundenserver.de>
Date: Fri, 13 Nov 2015 17:07:01 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] LiteCart 1.3.2: Multiple XSS
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: LiteCart 1.3.2
Fixed in: 1.3.3
Fixed Version Link: https://www.litecart.net/downloading?version=1.3.3.1
Vendor Contact: development@...ecart.net
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. XSS 1
Description
The query parameter of the search is vulnerable to XSS.
Proof of Concept
http://localhost/ecommerce/litecart-1.3.2/public_html/en/search?query="></title><script>alert(1)</script>
Code
public_html/pages/search.inc.php
document::$snippets['title'][] = empty($_GET['query']) ? language::translate('title_search_results', 'Search Results') : sprintf(language::translate('title_search_results_for_s', 'Search Results for "%s"'), $_GET['query']);
3. XSS 2
Description
The value of the GET parameter slide_id is passed to trigger_error if it is an
invalid id. trigger_error does not encode input, and as LiteCart shows errors
by default, this leads to an XSS vulnerability.
Proof of Concept
http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=slides&doc=edit_slide&page=1&slide_id=<script>alert(1)</script>
Code
includes/controllers/ctrl_slide.inc.php
if (empty($this->data)) trigger_error('Could not find slide ('. $slide_id .') in database.', E_USER_ERROR);
4. XSS 3
Description
The value of the GET parameter doc is passed to trigger_error if it is invalid.
trigger_error does not encode input, and as LiteCart shows errors by default,
this leads to an XSS vulnerability. Additionally, the accessing of non-existing
array values leads to a notice, which contains the index unsanitized. Because
of this, $app_config['docs'][$_GET['doc']] can also lead to XSS.
Proof of Concept
http://localhost/ecommerce/litecart-1.3.2/public_html/admin/?app=appearance&doc=<script>alert(1)</script>
Code
admin/index.php
if (!empty($_GET['doc'])) {
if (empty($app_config['docs'][$_GET['doc']]) || !file_exists(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']])) trigger_error($_GET['app'] .'.app/'. $_GET['doc'] . ' is not a valid admin document', E_USER_ERROR);
include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$_GET['doc']]);
} else {
include vmod::check(FS_DIR_HTTP_ROOT . WS_DIR_ADMIN . $_GET['app'].'.app/' . $app_config['docs'][$app_config['default']]);
}
5. Solution
To mitigate this issue please upgrade at least to version 1.3.3:
https://www.litecart.net/downloading?version=1.3.3.1
Please note that a newer version might already be available.
6. Report Timeline
09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/LiteCart-132-Multiple-XSS-72.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists