CubeCart 6.0.7: XSS

CubeCart 6.0.7: XSS

Date: 2015-10-07 16:02:37
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: CubeCart 6.0.7
Fixed in: 6.0.8
Fixed Version Link: https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip
Vendor Contact: sales@cubecart.com
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 09/07/2015
Disclosed to public: 10/07/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Reflected XSS

Description

The search echoes a keyword it retrieves via GET inside HTML tags. It removes HTML tags from the keyword, but it does not encode quotes, which makes it possible to break out of the context of the current attribute and add new attributes. An attacker can use attributes such as onmouseover to execute JavaScript.

To execute the code, the victim needs to hover over the title image, which an attacker may for example achieve via ClickJacking.

Proof of Concept

http://localhost/ecommerce/CubeCart-6.0.6/search.html?search[keywords]=" onmouseover="alert('xsstest')" foo="&_a=category

3. Persistent XSS

Description

The page to edit user-submitted reviews echoes user input inside HTML input tags without encoding quotes, which makes it possible to break out of the context of the current attribute and add new attributes.

An attacker can use attributes such as onfocus to execute JavaScript. In combination with autofocus, a victim does not need to actually interact with the input field for the code to execute.

Proof of Concept

  1. Write a review here: http://localhost/ecommerce/CubeCart-6.0.6/test-category/test-product.html#reviews_write
  2. use as name or title: " autofocus onfocus="alert(1)" foo="
  3. Visit the review-edit site: http://localhost/ecommerce/CubeCart-6.0.6/admin.php?_g=products&node=reviews&edit=REVIEWID

4. Solution

To mitigate this issue please upgrade at least to version 6.0.8:

https://www.cubecart.com/thank-you/CubeCart-6.0.8.zip

Please note that a newer version might already be available.

5. Report Timeline

09/07/2015 Informed Vendor about Issue
10/05/2015 Vendor releases fix
10/07/2015 Disclosed to public