Vulnerabilities Disclosure

XSS Vulnerability in Zen Cart

Dognædis Ref.: DGS-SEC-9

CVE Ref: CVE-2011-4547

Release Date: 2011/11/22

Discover Credits: CodeV - Code Analyzer

Bulletin Author(s): FRente

Contact: irt@dognaedis.com

Type: Cross Site Scripting

Level: Low (Low/High/Critical)

CVSS: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

Vulnerable Application: Zen Cart (ver. 1.3.9h)

Overview:
Zen Cart is an online store management system. It is PHP-based, using a MySQL database and HTML components. Support is provided for numerous languages and currencies, and it is freely available under the GNU General Public License.

Scope:

File: /includes/templates/template_default/common/tpl_header_test_info.php
Vulnerable Argument(s): $_GET['main_page'], $_GET['PHP_SELF']

Code:
line 68: $result = @move_uploaded_file($_FILES['image_file']['tmp_name'], $newimage);

Proof(s) of Concept:
line 72: echo '<br /><strong>TESTING INFO:</strong> Time page: <strong>' . $_GET['main_page'] . '</strong> was loaded is: <strong>' . date('H:i:s', time()) . '</strong><br /><br />';
...
line 75: echo "GLOBALS[$main_page] and HTTP_GET_VARS['main_page'] and _GET['main_page'] = " . $GLOBALS['main_page'] . ' - ' . $HTTP_GET_VARS['main_page'] . ' - ' . $_GET['main_page'] . '<br /><br />';
...
line 76: echo "_SERVER['PHP_SELF'] and _GET['PHP_SELF'] and PHP_SELF and _SESSION['PHP_SELF'] = " . $_SERVER['PHP_SELF'] . ' - ' . $_GET['PHP_SELF'] . ' - ' . $PHP_SELF . ' - ' . $_SESSION['PHP_SELF'] . '<br /><br />';

Description:
The vulnerability could be exploited through an XSS (Cross-Site Scripting) attack.
Ultimately, the attacker could take complete control of the victim's web browser.
In a successful attack, the malicious script would be executed with the authenticated user's permissions.
The entry point could not be found because, as described in the file header comments, "This file is used as an alternate "header" which can be used to display debug information while doing system testing".

Impact:
Generally, exploiting this kind of vulnerability might open attack vectors for various kinds of attacks, such as:
- Session/Cookie theft
- Account Hijacking
- Identity theft
- Accessing confidential resources
- Accessing pay content
- Account Denial of service

Resolution:
To correctly resolve the identified vulnerability, the data obtained through the $_GET['main_page'] and $_GET['PHP_SELF'] input arguments should be properly sanitized for HTML and for subsequent ECMAScript usage.
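
An added example (not code from Zen Cart or from this bulletin) of the encoding the Resolution calls for, applied to the echo statements quoted at lines 72 and 76. The helper names h, js and debug_header, the debugPage script variable and the sample request values are assumptions made for illustration.

```php
<?php
// Added example, not Zen Cart code. h(), js() and debug_header() are hypothetical names.

// Encode a value for an HTML text or quoted-attribute context.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Encode a value as a string literal for an inline <script> block.
// The JSON_HEX_* flags escape <, >, &, ' and " so the literal cannot
// close the script element or the surrounding quotes.
function js($value) {
    return json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Hardened form of the statements at lines 72 and 76: every request-derived
// value is encoded at the point of output, whichever superglobal it came from.
function debug_header(array $get, array $server) {
    $page     = isset($get['main_page']) ? $get['main_page'] : '';
    $self_get = isset($get['PHP_SELF']) ? $get['PHP_SELF'] : '';
    $self_srv = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : '';

    $out  = '<br /><strong>TESTING INFO:</strong> Time page: <strong>' . h($page)
          . '</strong> was loaded is: <strong>' . date('H:i:s') . '</strong><br /><br />';
    $out .= "_SERVER['PHP_SELF'] and _GET['PHP_SELF'] = "
          . h($self_srv) . ' - ' . h($self_get) . '<br /><br />';

    // Hypothetical script-context use (not in the original file): the same
    // value needs a different encoder here than in the HTML body.
    $out .= '<script>var debugPage = ' . js($page) . ';</script>';
    return $out;
}

// Constructed sample request values containing HTML metacharacters.
$sample_get    = array('main_page' => 'index<b>"x"</b>', 'PHP_SELF' => "/index.php'&");
$sample_server = array('PHP_SELF' => '/index.php');

// The metacharacters come out as entities (HTML) or \u00XX escapes (script).
echo debug_header($sample_get, $sample_server), "\n";
```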

Official Solution:
There will be no correction to this vulnerability because, according to the developer, this file is meant for debugging purposes only and is not 'linked' to in production code, and has in fact been removed from subsequent versions.

External References:
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Code_injection
