  1. #1
    Join Date
    Jun 2006
    Posts
    21
    Plugin Contributions
    0

    Default [FIX] v1.3.5 XSS Exploits Found

    Not sure if you guys saw this one yet already, just wanted to give you a heads up.

    ---------------------
    Armorize Technologies Security Advisory

    Advisory No:
    Armorize-ADV-2006-0003

    Date:
    2006/9/27

    Summary:
    Armorize-ADV-2006-0003 discloses multiple cross-site scripting vulnerabilities that are found in Zen Cart, which is a PHP e-commerce shopping program and is built on a foundation of OScommerce GPL code. It provides an easy-to-setup and run online store.

    Affected Software:
    Zen Cart 1.3.5

    Vulnerability Description:
    Cross-Site Scripting

    Analysis/Impact:
    Privacy leakages from the client-side may lead to session hijacking, identity theft and information theft.

    Detection/Exploit(partial):
    http://www.example.com/[PATH]/login.php
    http://www.example.com/[PATH]/password_forgotten.php

    Protection/Solution:
    1. Escape every questionable URI and HTML script.
    2. Remove prohibited user input.

    Credit: Security Team at Armorize Technologies, Inc. ([email protected])

    Additional Information:
    Link to this Armorize advisory
    http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0002

    Links to all Armorize advisories
    http://www.armorize.com/advisory/

    Links to Armorize vulnerability database
    http://www.armorize.com/resources/vulnerability.php

    ***advertising removed***
    Last edited by Kim; 29 Sep 2006 at 12:39 AM.

  2. #2
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: v1.3.5 XSS Exploits Found

    I have been unable to reproduce any XSS exploit on the 2 pages mentioned.

    I have also emailed the website responsible for the report, asking for more details of their advisory.

    If anyone in the community can reproduce an XSS exploit on these 2 pages (and of course on any other ZC page :) ) I would love to hear from you.

    Thanks BTW for the report. Although as a team we do subscribe to a number of security alert email lists, it's not possible to cover them all. We appreciate community members helping out wherever they can.

  3. #3
    Join Date
    Jun 2006
    Posts
    21
    Plugin Contributions
    0

    Default Re: v1.3.5 XSS Exploits Found

    Sure no problem, I got this one from [email protected] mailing list.

  4. #4
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: v1.3.5 XSS Exploits Found

    The original report was a little confusing as it seemed to suggest that the problem was with login/password forgotten code on the catalog side of Zen Cart.

    I would like to thank Armorize Technologies for responding very swiftly to my emails.

    The problem, it seems, lies in the admin code, not catalog, and the 2 files they mention are:

    /admin/login.php
    /admin/password_forgotten.php

    taking each in turn:

    admin/login.php line 57
    Code:
    <input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo $_POST['admin_name']; ?>" />
    should be changed to
    Code:
    <input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />
    and on line 60
    Code:
    <input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo $_POST['admin_pass']; ?>" />
    should be changed to
    Code:
    <input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo zen_output_string($admin_pass); ?>" />

    and admin/password_forgotten.php line 84
    Code:
    <label for="admin_email"><?php echo TEXT_ADMIN_EMAIL; ?><input type="text" id="admin_email" name="admin_email" value="<?php echo $_POST['admin_email']; ?>" /></label>
    changed to
    Code:
    <label for="admin_email"><?php echo TEXT_ADMIN_EMAIL; ?><input type="text" id="admin_email" name="admin_email" value="<?php echo zen_output_string($admin_email); ?>" /></label>
    We are currently preparing a patch for 1.3.5 to address this issue.
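
Added example, not part of the post above and not Zen Cart code: a shell check that reports PHP lines echoing a request superglobal directly into a `value=""` attribute, which is the shape of the three lines replaced in post #4. The function names, the regular expression and the sample files are constructed here for illustration; the sample lines are shortened copies of the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not Zen Cart code): report PHP lines that echo a request
# superglobal straight into an HTML value="" attribute.

# ERE for: value="<?php echo $_POST[ ...   (also $_GET, $_REQUEST, $_COOKIE)
RAW_ECHO='value="<\?php[[:space:]]+echo[[:space:]]+\$_(POST|GET|REQUEST|COOKIE)\['

# scan_raw_echo DIR: print file:line:text for every matching line under DIR.
scan_raw_echo() {
    # /dev/null forces grep to print the file name even for a single file.
    find "$1" -type f -name '*.php' \
        -exec grep -nE -- "$RAW_ECHO" /dev/null {} + || true
}

# count_raw_echo DIR: print the number of matching lines (0 means none found).
count_raw_echo() {
    scan_raw_echo "$1" | grep -c . || true
}

# make_samples: write constructed sample files based on the lines quoted in
# post #4 and print the temporary directory that holds them.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/unpatched" "$d/patched"
    cat > "$d/unpatched/login.php" <<'EOF'
<input type="text" id="admin_name" name="admin_name" value="<?php echo $_POST['admin_name']; ?>" />
<input type="password" id="admin_pass" name="admin_pass" value="<?php echo $_POST['admin_pass']; ?>" />
EOF
    cat > "$d/unpatched/password_forgotten.php" <<'EOF'
<input type="text" id="admin_email" name="admin_email" value="<?php echo $_POST['admin_email']; ?>" />
EOF
    cat > "$d/patched/login.php" <<'EOF'
<input type="text" id="admin_name" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />
<input type="password" id="admin_pass" name="admin_pass" value="<?php echo zen_output_string($admin_pass); ?>" />
EOF
    echo "$d"
}

# Demo on the constructed files: lists the three unescaped echoes.
SAMPLES=$(make_samples)
scan_raw_echo "$SAMPLES/unpatched"
```

To check a real install, run `scan_raw_echo` against the admin folder, using its actual name if it has been renamed. A count of 0 only means this one pattern is absent; it is not a general XSS audit.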

  5. #5
    Join Date
    Jun 2006
    Posts
    18
    Plugin Contributions
    0

    Default Is it wise to wait until a replacement for 1.3.5

    is ready before I do a fresh install for my site?

    Right now I only take cash payments.

    Henry

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    Zen Cart v1.3.5 XSS PATCH Released Oct 1, 2006
    =================================================
    To combat a reported XSS exploit vulnerability in Zen Cart, simply copy the
    enclosed /admin files for login.php and password_forgotten.php to your
    admin folder.

    Remember, if you have renamed your admin folder, you will have to use *that*
    folder name when copying/uploading.


    File can be downloaded here:
    http://sourceforge.net/project/showf...ease_id=444622


    These fixes are NOT included in the main "full-fileset" zip.
    Please apply these fixes AFTER unzipping the main full-fileset zip contents.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  7. #7
    Join Date
    Aug 2005
    Posts
    202
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    Is it only 1.3.5 vulnerable?

  8. #8
    Join Date
    Sep 2006
    Posts
    3
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    The strings are the same in 1.3.2. So I would say it was vulnerable.
    I just edited the two files, uploaded them and logged back in.
    User input is always a problem. We need this option.

  9. #9
    Join Date
    Sep 2004
    Location
    MONTANA!!!
    Posts
    105
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    And I have just looked at a v. 1.3.0.2

    It is also affected. I would probably bet that the problem exists in all the versions.

    Good job, Gents and Ladies. Thanks for being on top of these changes.

  10. #10
    Join Date
    Sep 2006
    Posts
    29
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    Is there any mail list we can subscribe to for these updates? Checking the forum on a regular basis seems to be somewhat hit & miss.

 

 