COMMAND

CaupoShop cross-site scripting, leading to manipulation of the local MySQL database

SYSTEMS AFFECTED

CaupoShop 1.30a and possibly all earlier versions (as well as CaupoShopPro)

PROBLEM

From the ppp-design [http://www.ppp-design.de] advisory:
http://www.ppp-design.de/advisories_show.php?adv=cauposhop__cross-site-scripting_bug.txt

Two proofs of concept:

--snip--

The first will change an existing user record to a new email address (which is used as the login name) and a new password, so it is possible for the blackhat to log in as this user and see the shipping details the user has entered before, which can include valid credit card numbers.

When registering as a new user, enter the following in the message field, which is the largest field (indeed you can use any of the fields) (one line):

<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=X&svTable=csc_customer&bEdit=1&bNew=1&saField[password]=newpass&saField[email]=blackhat@example.com&btnEdit=1"</script>

You have to substitute the X with a valid id of a user. This is really easy to guess, because this id is a normal integer counting up from 1, so you can just choose any number between 1 and the guessed number of customers the shop has.

The second proof of concept deletes an existing article and works really the same way. You can easily get the article id out of the shop's HTML code; in this example we will use the article id 1. Again register a new user, this time using the following in the message field (one line):

<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=1&svTable=csc_article&svDel=YES&btnEdit=1"</script>

This will delete the article with id 1 the next time the admin takes a look at his customer listing.

Of course these two examples are easy for an admin to become aware of, because when taking a look at his customer listing, he ends up in an infinite loop (proof-of-concept 1), or he gets a listing of his articles instead of his customers. So he will realize really fast that something strange is happening. But together with some more scripting, you can hide from his eyes for a longer time.

--snap--

SOLUTION

Use at least CaupoShop v1.30 rc4 (2002-03-09).
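The two proofs of concept chain a stored cross-site scripting bug (the customer message field is echoed unencoded into the admin's customer listing) with a cross-site request forgery against admin_workspace.php, which performs edits and deletes from GET parameters with no per-request token. The following is an added example, not CaupoShop's own code; the function names, the csrf_token field name and the session layout are assumptions. It shows the pattern that closes both halves in PHP: HTML-encode the customer field where the listing renders it, and require POST plus a session-bound token before any state-changing admin action.

```php
<?php
// Added example, not CaupoShop source. Function, field and session key names
// are assumptions chosen for illustration.

// --- Half 1: stop the stored XSS in the customer listing ---

// Vulnerable pattern: customer-supplied text is echoed verbatim, so a message
// such as <script>document.location.href="http://example.com/caupo/admin/..."</script>
// executes in the admin's browser as soon as the listing is viewed.
function render_message_vulnerable(string $message): string {
    return "<td>" . $message . "</td>";
}

// Hardened: encode for the HTML text context. ENT_QUOTES also encodes ' and ",
// so the same helper is safe inside attribute values; the charset is stated
// explicitly so malformed byte sequences cannot slip past the encoder.
function render_message_safe(string $message): string {
    return "<td>" . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</td>";
}

// --- Half 2: stop the forged admin request (CSRF) ---

// One random token per admin session, embedded as a hidden field in every
// edit/delete form that admin_workspace.php renders.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Gate for the state-changing actions the advisory's URLs trigger
// (bEdit, bNew, svDel). A GET request, a missing token, or a token that does
// not match the session is rejected before any database write; hash_equals
// compares in constant time.
function require_valid_csrf(string $method, array $post, array $session): bool {
    if ($method !== 'POST') {
        return false;   // a document.location.href redirect is always a GET
    }
    if (!isset($post['csrf_token'], $session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// How the delete branch of admin_workspace.php would use the gate
// (hypothetical; the real script's control flow is not shown in the advisory).
function handle_delete(string $method, array $post, array $session, int $articleId): string {
    if (!require_valid_csrf($method, $post, $session)) {
        http_response_code(403);
        return 'rejected';
    }
    // ... DELETE FROM csc_article WHERE id = ? via a prepared statement ...
    return 'deleted article ' . $articleId;
}
```

Both halves are needed. The encoding fix alone stops the advisory's payloads from executing, but any other injection point in the admin interface would reopen the CSRF path; the token alone rejects the redirect-based proofs of concept (they are GETs carrying no token), but a script running in the admin's session can read the token out of the page and submit a forged POST, so the stored XSS must be fixed as well.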