[FIX] v1.3.5 XSS Exploits Found
Not sure if you guys saw this one yet already, just wanted to give you a heads up.
---------------------
Armorize Technologies Security Advisory
Advisory No:
Armorize-ADV-2006-0003
Date:
2006/9/27
Summary:
Armorize-ADV-2006-0003 discloses multiple cross-site scripting vulnerabilities that are found in Zen Cart, which is a PHP e-commerce shopping program built on a foundation of OScommerce GPL code. It provides an easy-to-set-up and run online store.
Affected Software:
Zen Cart 1.3.5
Vulnerability Description:
Cross-Site Scripting
Analysis/Impact:
Privacy leakages from the client-side may lead to session hijacking, identity theft and information theft.
Detection/Exploit (partial):
http://www.example.com/[PATH]/login.php
http://www.example.com/[PATH]/password_forgotten.php
Protection/Solution:
1. Escape every questionable URI and HTML script.
2. Remove prohibited user input.
Credit: Security Team at Armorize Technologies, Inc. ([email protected])
Additional Information:
Link to this Armorize advisory
http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0002
Links to all Armorize advisories
http://www.armorize.com/advisory/
Links to Armorize vulnerability database
http://www.armorize.com/resources/vulnerability.php
Re: v1.3.5 XSS Exploits Found
I have been unable to reproduce any XSS exploit on the 2 pages mentioned.
I have also emailed the website responsible for the report, asking for more details of their advisory.
If anyone in the community can reproduce an XSS exploit on these 2 pages (and of course on any other ZC page :) ) I would love to hear from you.
Thanks BTW for the report. Although as a team we do subscribe to a number of security alert email lists, it's not possible to cover them all. We appreciate community members helping out wherever they can.
Re: v1.3.5 XSS Exploits Found
Sure, no problem. I got this one from the [email protected] mailing list.
Re: v1.3.5 XSS Exploits Found
The original report was a little confusing as it seemed to suggest that the problem was with login/password forgotten code on the catalog side of Zen Cart.
I would like to thank Armorize Technologies for responding very swiftly to my emails.
The problem, it seems, lies in the admin code, not the catalog, and the 2 files they mention are
/admin/login.php
/admin/password_forgotten.php
Taking each in turn:
admin/login.php line 57
Code:
<input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo $_POST['admin_name']; ?>" />
should be changed to
Code:
<input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />
and on line 60
Code:
<input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo $_POST['admin_pass']; ?>" />
should be changed to
Code:
<input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo zen_output_string($admin_pass); ?>" />
and admin/password_forgotten.php line 84
Code:
<label for="admin_email"><?php echo TEXT_ADMIN_EMAIL; ?><input type="text" id="admin_email" name="admin_email" value="<?php echo $_POST['admin_email']; ?>" /></label>
changed to
Code:
<label for="admin_email"><?php echo TEXT_ADMIN_EMAIL; ?><input type="text" id="admin_email" name="admin_email" value="<?php echo zen_output_string($admin_email); ?>" /></label>
We are currently preparing a patch for 1.3.5 to address this issue.
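To make the post above concrete, here is an added example (editor's code, not Zen Cart's and not part of the original thread) that renders the admin_name input the way the unpatched 1.3.5 template does and the way the patched template does, feeds both a constructed attacker payload, and checks whether the payload escaped the value="..." attribute. The standard htmlspecialchars() stands in for Zen Cart's zen_output_string() helper, which is an assumption about equivalence for this attribute context, not a claim about the helper's implementation. One caveat worth stating about the admin_pass line: escaping makes the reflected password safe against XSS, but a login form has no reason to echo a submitted password back into the page source at all, so dropping the value attribute there is the stronger fix.

```php
<?php
// Added example (not Zen Cart code): reflected XSS through a form "value"
// attribute, and the effect of escaping on output. Run with: php xss_demo.php
declare(strict_types=1);

// Constructed attacker input. A double quote closes the value="..." attribute,
// and the rest becomes attributes of the <input> element, including an event
// handler that fires as soon as the field receives focus.
const ATTACKER_INPUT = '" autofocus onfocus="alert(document.cookie)';

// The unpatched 1.3.5 pattern: the raw POST value is echoed into the attribute.
function render_unpatched(string $adminName): string
{
    return '<input type="text" id="admin_name" name="admin_name" value="'
        . $adminName . '" />';
}

// The patched pattern. htmlspecialchars() with ENT_QUOTES stands in here for
// zen_output_string(); it turns " into &quot; so the attribute cannot be closed
// early, and also escapes < > & ' in case the same value is reused elsewhere.
function render_patched(string $adminName): string
{
    return '<input type="text" id="admin_name" name="admin_name" value="'
        . htmlspecialchars($adminName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '" />';
}

// Structural check for this one attribute context: after value=" the first
// double quote must be the closing one, and only the tag terminator may follow.
function attribute_breakout(string $html): bool
{
    $start = strpos($html, 'value="') + strlen('value="');
    $end   = strpos($html, '"', $start);
    $rest  = substr($html, $end + 1);
    return trim($rest) !== '/>';
}

$unpatched = render_unpatched(ATTACKER_INPUT);
$patched   = render_patched(ATTACKER_INPUT);

echo "unpatched: $unpatched\n";
echo "patched:   $patched\n";
echo 'unpatched breaks out of the attribute: '
    . var_export(attribute_breakout($unpatched), true) . "\n";   // true
echo 'patched breaks out of the attribute:   '
    . var_export(attribute_breakout($patched), true) . "\n";     // false
```

The payload deliberately avoids `<script>` tags: inside an attribute the attacker needs only a quote and an event handler, which is why filtering "questionable HTML script" (the advisory's wording) is weaker than escaping every dynamic value for the context it is written into.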
Is it wise to wait until a replacement for 1.3.5 is ready before I do a fresh install for my site?
Right now I only take cash payments.
Henry
Re: [FIX] v1.3.5 XSS Exploits Found
Zen Cart v1.3.5 XSS PATCH Released Oct 1, 2006
=================================================
To combat a reported XSS exploit vulnerability in Zen Cart, simply copy the
enclosed /admin files for login.php and password_forgotten.php to your
admin folder.
Remember, if you have renamed your admin folder, you will have to use *that*
folder name when copying/uploading.
File can be downloaded here:
http://sourceforge.net/project/showf...ease_id=444622
These fixes are NOT included in the main "full-fileset" zip.
Please apply these fixes AFTER unzipping the main full-fileset zip contents.
Re: [FIX] v1.3.5 XSS Exploits Found
Is it only 1.3.5 vulnerable ?
Re: [FIX] v1.3.5 XSS Exploits Found
The strings are the same in 1.3.2. So I would say it was vulnerable.
I just edited the two files, uploaded them and logged back in.
User input is always a problem. We need this option. :lamo:
Re: [FIX] v1.3.5 XSS Exploits Found
And I have just looked at v1.3.0.2.
It is also affected. I would probably bet that the problem exists in all the versions.
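Since the replies above settle the version question by reading the two files by hand, here is an added check (editor's code, not Zen Cart's and not from the thread) that does the same mechanically: it flags any line that echoes a request superglobal straight into output, the pattern behind this advisory, across a directory of PHP files. It only catches the direct `echo $_POST[...]` form seen in this thread; a value copied into a local variable and echoed later is out of its reach. The sample strings at the bottom are constructed from the lines quoted in the fix post; the directory argument and file layout are assumptions about your install.

```php
<?php
// Added example (not Zen Cart code): report template lines that echo a request
// superglobal with no escaping call around it.
// Usage: php raw_echo_scan.php /path/to/your/admin-folder
//        php raw_echo_scan.php            (runs against the built-in samples)
declare(strict_types=1);

// Matches e.g.  echo $_POST['admin_name']  or  echo $_GET["id"]. A wrapped
// call such as  echo zen_output_string($x)  does not match because "$_" does
// not directly follow "echo".
const RAW_ECHO_PATTERN = '/\becho\s+\$_(POST|GET|REQUEST|COOKIE)\s*\[/';

/** Returns [line number => trimmed line] for every offending line in $source. */
function find_raw_echoes(string $source): array
{
    $hits = [];
    foreach (preg_split('/\R/', $source) as $index => $line) {
        if (preg_match(RAW_ECHO_PATTERN, $line) === 1) {
            $hits[$index + 1] = trim($line);
        }
    }
    return $hits;
}

/** Scans every .php file below $dir; returns [path => [line => text]]. */
function scan_directory(string $dir): array
{
    $report = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $hits = find_raw_echoes((string) file_get_contents($file->getPathname()));
        if ($hits !== []) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

// Constructed samples: the 1.3.5 admin/login.php line quoted in the thread and
// its patched form, as one-line "files".
$samples = [
    'login.php (1.3.5)'   => '<input type="text" name="admin_name" value="<?php echo $_POST[\'admin_name\']; ?>" />',
    'login.php (patched)' => '<input type="text" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />',
];

if ($argc > 1) {
    foreach (scan_directory($argv[1]) as $path => $hits) {
        foreach ($hits as $lineNo => $text) {
            printf("%s:%d: %s\n", $path, $lineNo, $text);
        }
    }
} else {
    foreach ($samples as $label => $source) {
        $hits = find_raw_echoes($source);
        printf("%-22s %s\n", $label,
            $hits === [] ? 'clean' : 'raw echo on line ' . implode(', ', array_keys($hits)));
    }
}
```

Run it against the admin folder under whatever name you gave it; an empty report means the two lines this thread is about are no longer echoing raw input, not that the files are free of every other output-encoding problem.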
Good job, Gents and Ladies. Thanks for being on top of these changes.
Re: [FIX] v1.3.5 XSS Exploits Found
Is there any mail list we can subscribe to for these updates? Checking the forum on a regular basis seems to be somewhat hit & miss.