Page 1 of 2 12 LastLast
Results 1 to 10 of 20
  1. #1
    Join Date
    Jun 2006
    Posts
    21
    Plugin Contributions
    0

    Default [FIX] v1.3.5 XSS Exploits Found

    Not sure if you guys saw this one yet already, just wanted to give you a heads up.

    ---------------------
    Armorize Technologies Security Advisory

    Advisory No:
    Armorize-ADV-2006-0003

    Date:
    2006/9/27

    Summary:
    Armorize-ADV-2006-0003 discloses multiple cross-site scripting vulnerabilities that are found in Zen Cart, which is a PHP e-commerce shopping program and is Built on a foundation of OScommerce GPL code. It provides an easy-to-setup and run online store.

    Affected Software:
    Zen Cart 1.3.5

    Vulnerability Description:
    Cross-Site Scripting

    Analysis/Impact:
    Privacy leakages from the client-side may lead to session hijacking, identity theft and information theft.

    Detection/Exploit(partial):
    http://www.example.com/[PATH]/login.php
    http://www.example.com/[PATH]/password_forgotten.php

    Protection/Solution:
    1. Escape every questionable URI and HTML script.
    2. Remove prohibited user input.

    Credit: Security Team at Armorize Technologies, Inc. (security@armorize.com)

    Additional Information:
    Link to this Armorize advisory
    http://www.armorize.com/advisory.php?Keyword=Armorize-ADV-2006-0002

    Links to all Armorize advisories
    http://www.armorize.com/advisory/

    Links to Armorize vulnerability database
    http://www.armorize.com/resources/vulnerability.php

    ***advertising removed***
    Last edited by Kim; 29 Sep 2006 at 12:39 AM.

  2. #2
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,877
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: v1.3.5 XSS Exploits Found

    I have been unable to reproduce any XSS exploit on the 2 pages mentioined.

    I have also emailed the website responsible for the report, asking for more details of their advisory

    If anyone in the community can reproduce an XSS exploit on these 2 pages (and of course on any other ZC page :) ) I would love to hear from you,

    Thanks BTW for the report, Although as a team we do subscribe to a number o f security alert email lists, its not possible to cover them all. We appreciate community members helping out wherever they can.

  3. #3
    Join Date
    Jun 2006
    Posts
    21
    Plugin Contributions
    0

    Default Re: v1.3.5 XSS Exploits Found

    Sure no problem, I got this one from bugtraq@securityfocus.com mailing list.

  4. #4
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,877
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: v1.3.5 XSS Exploits Found

    The original report was a little confusing as it seemed to suggest that the problem was with login/password forgotten code on the catalog side of Zen Cart.

    I would like to thank Armorize Technologies for responding very swiftly to my emails.

    The problem it seems lies in the admin code, not catalog and the 2 files they mention are

    /admin/login.php
    /admin/password_forgotten.php

    taking each in turn:

    admin/login.php line 57
    Code:
    <input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo $_POST['admin_name']; ?>" />
    should be changed to
    Code:
    <input style="float: left" type="text" id="admin_name" name="admin_name" value="<?php echo zen_output_string($admin_name); ?>" />
    and on line 60
    Code:
    <input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo $_POST['admin_pass']; ?>" />
    should be changed to
    Code:
    <input style="float: left" type="password" id="admin_pass" name="admin_pass" value="<?php echo zen_output_string($admin_pass); ?>" />

    and admin/password_forgotten.php line 84
    Code:
    <label for="admin_email"><?php echo TEXT_ADMIN_EMAIL; ?><input type="text" id="admin_email" name="admin_email" value="<?php echo $_POST['admin_email']; ?>" /></label>
    changed to
    Code:
    <label for="admin_email"><?php echo TEXT_ADMIN_EMAIL; ?><input type="text" id="admin_email" name="admin_email" value="<?php echo zen_output_string($admin_email); ?>" /></label>
    We are currently preparing a patch for 1.3.5 to address this issue,

  5. #5
    Join Date
    Jun 2006
    Posts
    18
    Plugin Contributions
    0

    Default Is it wise to wait until a replacement for 1.3.5

    is ready before I do a fresh install for my site?

    Right now I only take cash payments.

    Henry

  6. #6
    Join Date
    Jan 2004
    Posts
    64,973
    Blog Entries
    7
    Plugin Contributions
    76

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    Zen Cart v1.3.5 XSS PATCH Released Oct 1, 2006
    =================================================
    To combat a reported XSS exploit vulnerability in Zen Cart, simply copy the
    enclosed /admin files for login.php and password_forgotten.php to your
    admin folder.

    Remember, if you have renamed your admin folder, you will have to use *that*
    folder name when copying/uploading.


    File can be downloaded here:
    http://sourceforge.net/project/showf...ease_id=444622


    These fixes are NOT included in the main "full-fileset" zip.
    Please apply these fixes AFTER unzipping the main full-fileset zip contents.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  7. #7
    Join Date
    Aug 2005
    Posts
    202
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    Is it only 1.3.5 vulnerable ?

  8. #8
    Join Date
    Sep 2006
    Posts
    3
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    The strings are the same in 1.3.2. So I would say it was vulnerable.
    I just edited the two files, uploaded them and logged back in.
    User input is always a problem. We need this option.

  9. #9
    Join Date
    Sep 2004
    Location
    MONTANA!!!
    Posts
    105
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    And I have just looked at a v. 1.3.0.2

    It is also affected. I would probably bet that the problem exists in all the versions.

    Good job, Gents and Ladies. Thanks for being on top of these changes.

  10. #10
    Join Date
    Sep 2006
    Posts
    29
    Plugin Contributions
    0

    Default Re: [FIX] v1.3.5 XSS Exploits Found

    Is there any mail list we can subscribe to for these updates? Checking the forum on a regular basis seems to be somewhat hit & miss.

 

 
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 1
    Last Post: 2 Dec 2015, 07:31 PM
  2. xss fix vs google checkout - how do I do this?
    By fats1964 in forum General Questions
    Replies: 0
    Last Post: 5 Jul 2007, 05:04 PM
  3. Zero-Day XSS Security Fix
    By athena in forum General Questions
    Replies: 2
    Last Post: 12 Oct 2006, 08:17 PM
  4. Zero-Day XSS Security Fix (applies to all versions)
    By wilt in forum Zen Cart Release Announcements
    Replies: 1
    Last Post: 6 Oct 2006, 11:38 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR