CaupoShop cross site scripting, leads to local mysql database access
12th Mar 2002 [SBWID-5182]
COMMAND

	CaupoShop cross site scripting, leads to local mysql database access

SYSTEMS AFFECTED

	CaupoShop 1.30a and maybe all versions before (as well as CaupoShopPro)

PROBLEM

	In the ppp-design [http://www.ppp-design.de] advisory:
	

	http://www.ppp-design.de/advisories_show.php?adv=cauposhop__cross-site-scripting_bug.txt

	

	Two proofs of concept:
	

	--snip--
	

	The first will change an existing user record to a new email address
	(which is used as the login name) and a new password, so it is possible
	for the blackhat to log in as this user and see the shipping details
	the user has entered before, which can include valid credit card
	numbers.
	

	When registering as a new user, enter the following in the message
	field, which is the largest field (indeed you can use any of the fields)
	(one line):
	

	<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=X&svTable=csc_customer&bEdit=1&bNew=1&saField[password]=newpass&saField[email]=blackhat@example.com&btnEdit=1"</script>

	

	You have to substitute the X with a valid id of a user. This is really
	easy to guess, because this id is a normal integer counting up from 1,
	so you can just choose any number between 1 and the number of guessed
	customers the shop has.
	

	

	The second proof of concept is deleting an existing article and works
	really the same way. You can easily get the article id out of the shop's
	HTML code; in this example we will use the article id 1.
	

	Again registering a new user and this time using the following in the
	message field (one line):
	

	<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=1&svTable=csc_article&svDel=YES&btnEdit=1"</script>

	

	This will delete the article with id 1 next time the admin takes a look
	at his customer listing.
	

	

	Of course these two examples are easy for an admin to become aware of,
	because when taking a look at his customer listing, he ends up in an
	infinite loop (proof-of-concept 1), or he gets a listing of his
	articles instead of his customers. So he will realize really fast that
	something strange is happening. But together with some more scripting,
	you can hide from his eyes for a longer time.
	

	--snap--

SOLUTION

	Use at least CaupoShop v1.30 rc4 (2002-03-09).
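
	As an added example that is not part of the advisory or of CaupoShop's own code, the PHP sketch below shows the two server-side mitigations this class of bug calls for: escaping customer-supplied fields when the admin customer listing is rendered, and refusing the state-changing admin actions unless they arrive by POST with a valid CSRF token. The parameter names svDel, bEdit, bNew, btnEdit and svTable come from the advisory; the function names and the csrf field are assumptions.

```php
<?php
// Added example, not CaupoShop code. (1) HTML-escape customer-supplied
// fields when the admin customer listing is rendered, so a stored <script>
// is displayed as text instead of running in the admin's browser.
// (2) Perform the state-changing admin actions (svDel / bEdit / bNew /
// btnEdit, names from the advisory) only on a POST carrying the session's
// CSRF token, so a forced GET cannot edit a customer or delete an article.
// Function names and the 'csrf' field are assumptions.
declare(strict_types=1);

function esc(string $s): string {
    // ENT_QUOTES encodes ' and " too, so the value is safe inside attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_customer_row(array $row): string {
    return '<tr><td>' . esc((string) $row['id']) . '</td>'
         . '<td>' . esc($row['email']) . '</td>'
         . '<td>' . esc($row['message']) . '</td></tr>';
}

// Any of these parameters means the request would modify the database.
function is_state_change(array $req): bool {
    return array_intersect_key($req, array_flip(['svDel', 'bEdit', 'bNew', 'btnEdit'])) !== [];
}

// True only for a POST whose csrf field matches the token stored in the
// admin's session ($sessionToken would come from $_SESSION in real code).
function authorize_state_change(string $method, array $req, string $sessionToken): bool {
    if ($method !== 'POST' || !isset($req['csrf']) || !is_string($req['csrf'])) {
        return false;
    }
    return hash_equals($sessionToken, $req['csrf']);
}

// Constructed sample: a customer whose message field holds a redirect script
// like the advisory's. After escaping it renders inertly as &lt;script&gt;...
$customer = ['id' => 7, 'email' => 'alice@example.com',
    'message' => '<script>document.location.href="http://example.com/caupo/admin/admin_workspace.php?id=7&svTable=csc_customer&bEdit=1&btnEdit=1"</script>'];
echo render_customer_row($customer), "\n";

// The advisory's forced GET against csc_article is refused before any SQL runs.
$forced = ['id' => '1', 'svTable' => 'csc_article', 'svDel' => 'YES', 'btnEdit' => '1'];
$token  = bin2hex(random_bytes(32));   // stand-in for the value kept in $_SESSION
if (is_state_change($forced) && !authorize_state_change('GET', $forced, $token)) {
    echo "rejected: state change must be a POST carrying a valid CSRF token\n";
}
```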
