CubeCart 6.0.7: XSS
Date: 2015-10-07 16:02:371. Introduction
| Affected Product: | CubeCart 6.0.7 |
| Fixed in: | 6.0.8 |
| Fixed Version Link: | https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip |
| Vendor Contact: | sales@cubecart.com |
| Vulnerability Type: | XSS |
| Remote Exploitable: | Yes |
| Reported to vendor: | 09/07/2015 |
| Disclosed to public: | 10/07/2015 |
| Release mode: | Coordinated release |
| CVE: | n/a |
| Credits | Tim Coen of Curesec GmbH |
2. Reflected XSS
Description
The search echoes a keyword it retrieves via GET inside HTML tags. It removes HTML tags from the keyword, but it does not encode quotes, which makes it possible to break out of the context of the current attribute and add new attributes. An attacker can use attributes such as onmouseover to execute JavaScript.
To execute the code, the victim needs to hover over the title image, which an attacker may for example achieve via ClickJacking.
Proof of Concept
3. Persistent XSS
Description
The page to edit user-submitted reviews echoes user input inside HTML input tags without encoding quotes, which makes it possible to break out of the context of the current attribute and add new attributes.
An attacker can use attributes such as onfocus to execute JavaScript. In combination with autofocus, a victim does not need to actually interact with the input field for the code to execute.
Proof of Concept
- Write a review here: http://localhost/ecommerce/CubeCart-6.0.6/test-category/test-product.html#reviews_write
- use as name or title: " autofocus onfocus="alert(1)" foo="
- Visit the review-edit site: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=products&node=reviews&edit=REVIEWID
4. Solution
To mitigate this issue please upgrade at least to version 6.0.8:
https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Please note that a newer version might already be available.
5. Report Timeline
| 09/07/2015 | Informed Vendor about Issue |
| 10/05/2015 | Vendor releases fix |
| 10/07/2015 | Disclosed to public |