20th Dec 2001 [SBWID-4945]
COMMAND
Agoracgi Cross Site Scripting Vulnerability
SYSTEMS AFFECTED
Agoracgi v3.3e
PROBLEM
Tamer Sahin [http://www.securityoffice.net] posted :
Cross Site Scripting: most dynamic websites are still not filtering
user input. This lets remote sites access to write scripts on vulnerable
sites & applications, stealing cookies, performing actions on behalf
of the user or modifying the look of content on the site.
Sample exploit :
http://www.agoracgi.com/store/agora.cgi?cart_id=<IMG%20height=47%20src="http://www.securityoffice.net/images/title.gif"%20width=406%20border=0>&xm=on&product=HTML
http://www.agoracgi.com/store/agora.cgi?cart_id=<script>alert(document.cookie)</script>&xm=on&product=HTML
SOLUTION
Steve Kneizys replied :
The cart_id is a highly filtered variable, and has been from the start
of this shopping cart. Some folks were concerned about the Cross Site
Scripting Vulnerability (CSS) that has been talked about so often over
the last year or so and how it related to agora.cgi. That, combined
with the desire to track errors in coding of web pages in web site
development, led us to add diagnostics in version 4.0x to display
artificial changes in the cart_id that showed when the site was in
debug mode.
The vulnerability did not exist, as far as we can tell, at any time in
a live store running in non-debug, or normal, mode. In debug mode, the
offending javascript is displayed to the browser exactly as given to
the site but has been escaped to the log file for security reasons. We
are probably going to escape out the javascript display even in debug
mode on 4.0e. We want to balance the needs of debug mode, where we show
inner workings to a developer, with the needs to be as secure as
possible.
The current release version, 4.0d, needs to have debug mode on in the
manager and an internal cart_id tracking variable turned on explicitly
to see the javascript issue. The web site store version 4.0c displayed
the javascript, as it was in debug mode and had that cart_id variable
turned on. The original post said it was version 3.3e, but the actual
cart used must have been 4.0x as 'stock' version 3.3e did not have
the diagnostic code installed.
The best thing to do is have debug mode turned off on a live store, for
this or any issue in fact. Debug mode is there to assist developers by
showing errors on the browser (instead of having to hunt for them in
the log file) but by its nature can give up some level of security, as
well as make a site look and feel less attractive.
Update (28 January 2002)
======
Steve added the following add-on library, which strips angle brackets from every form field and discards any cart_id that does not match the expected format :
# Special Security add-on library for agora versions 3.2b to 4.0d
#
# Puts the store in 'paranoia' mode, all < and > chars are converted
# to # chars if they are found in the input stream.
#
# May fix unknown and undiscovered problems, eliminates problems in
# diagnostic mode in 4.0x.
#
# Install in store/custom directory, set permissions to 555
#
# Not required if running ashim40update.pl version 1/24/02 or later
#
# SPK Jan 24, 2002
#
# %versions, %form_data and &add_codehook are Agora globals supplied by
# agora.cgi; this library only registers two hooks against them.
$versions{'security_01242002'} = '01242002';
# Runs at the top of the alias/override step: neutralise angle brackets.
&add_codehook("alias_and_override_top","special_security_f1_01242002");
sub special_security_f1_01242002 {
    # HTML-escape < and > in cart_id, then replace any < or > left in
    # every form field with # so no tag can be reflected intact.
    $form_data{'cart_id'} =~ s/</&lt;/g;
    $form_data{'cart_id'} =~ s/>/&gt;/g;
    for $inx (keys %form_data) {
        $form_data{$inx} =~ s/</#/g;
        $form_data{$inx} =~ s/>/#/g;
    }
}
# Runs at the end of the alias/override step: a cart_id must be word
# characters, -, =, + or /, a dot, then a word-character suffix, or it
# is discarded entirely (an escaped or #-rewritten payload fails this).
&add_codehook("alias_and_override_end","special_security_f2_01242002");
sub special_security_f2_01242002 {
    if (!($form_data{'cart_id'} =~ /^([\w\-\=\+\/]+)\.(\w+)/)) {
        $form_data{'cart_id'} = '';
    }
}
#
1; # Library
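As an added example (not Agora's code and not from either poster), the script below reimplements the two hooks as plain functions so their effect can be seen outside the cart: a small query-string parser stands in for agora.cgi's own form handling, which this page does not show, and the two payloads from the post plus a well-formed cart_id are run through the paranoia filter and the cart_id check. It also contrasts the raw debug-mode echo Steve describes with an HTML-escaped one. The names parse_query, paranoia_filter, html_escape and debug_echo_raw/debug_echo_safe, and the sample query strings, are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the Agora library or the original post.
use strict;
use warnings;

# Assumed stand-in for agora.cgi's form handling: split a query string
# into key/value pairs and percent-decode them.
sub parse_query {
    my ($qs) = @_;
    my %form;
    for my $pair (split /&/, $qs) {
        next unless length $pair;
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        for ($k, $v) { s/\+/ /g; s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge; }
        $form{$k} = $v;
    }
    return \%form;
}

# Same two steps as the library above: rewrite < and > to # in every
# field, then drop any cart_id that is not word-ish chars, a dot and a
# word-ish suffix. Returns the filtered hash.
sub paranoia_filter {
    my ($form) = @_;
    for my $k (keys %$form) {
        $form->{$k} =~ s/</#/g;
        $form->{$k} =~ s/>/#/g;
    }
    $form->{cart_id} = ''
        unless defined $form->{cart_id}
            && $form->{cart_id} =~ /^([\w\-\=\+\/]+)\.(\w+)/;
    return $form;
}

# Minimal HTML escaping for text echoed into a page body or attribute.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Debug-mode echo as the advisory describes it (value shown exactly as
# given) beside the hardened form that escapes before output.
sub debug_echo_raw  { return "cart_id=" . $_[0]; }
sub debug_echo_safe { return "cart_id=" . html_escape($_[0]); }

# Constructed inputs: the two payloads from the post and a well-formed id.
my @queries = (
    'cart_id=%3Cscript%3Ealert(document.cookie)%3C/script%3E&xm=on&product=HTML',
    'cart_id=%3CIMG%20height=47%20src=%22http://www.securityoffice.net/images/title.gif%22%20width=406%20border=0%3E&xm=on&product=HTML',
    'cart_id=abc123-def.45&xm=on&product=HTML',
);

if (!caller) {
    for my $q (@queries) {
        my $raw = parse_query($q);
        print "raw debug:  ", debug_echo_raw($raw->{cart_id}), "\n";
        my $f = paranoia_filter(parse_query($q));
        print "filtered:   cart_id='$f->{cart_id}' product='$f->{product}'\n";
        print "safe debug: ", debug_echo_safe($raw->{cart_id}), "\n\n";
    }
}
1;
```

Running it shows the two payloads reduced to an empty cart_id (the `#` rewrite leaves characters the final regex rejects), while `abc123-def.45` survives untouched. The `#` substitution only prevents a tag from being reflected intact; any value that is still echoed into HTML, as the debug display does, needs output escaping of the kind `debug_echo_safe` applies regardless of what input filtering ran earlier.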