BugTraq
XSS and Data Manipulation attacks found in CMS PHPCart. Aug 28 2008 03:57AM
vaibhav aher (vaibhavaher gmail com)
Dear Sir,

I have found that the CMS PHPCart is vulnerable to XSS attack and Data
Manuplation I have attached the poc with the mail...... this exploit
is found by me 'h4x0r'

I hope u will publish it soon.

Thanks,

h4x0r

--

--
Vaibhav Aher
ISO27001,C|EH
Security Consultant
+91 09225325661
################################################################

# .___ __ _______ .___ #

# __| _/____ _______| | __ ____ \ _ \ __| _/____ #

# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #

# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #

# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #

# \/ \/ \/ #

# ___________ ______ _ __ #

# _/ ___\_ __ \_/ __ \ \/ \/ / #

# \ \___| | \/\ ___/\ / #

# \___ >__| \___ >\/\_/ #

# est.2007 \/ \/ forum.darkc0de.com #

################################################################

# -d3hydr8 - sinner_01 - baltazar - P47r1ck - C1c4Tr1Z - beenu #

# -rsauron - letsgorun - K1u - DON - OutLawz - MAGE -JeTFyrE #

#-r45c4l -Bond #

################################################################

#

# Author: h4x0r

#

# Home : www.darkc0de.com

#

# Email : vaibhavaher (at) gmail (dot) com [email concealed]

#

# Share the c0de!

#

################################################################

#

# Exploit: Multiple exploits (XSS & data manipulation) in PHPCart (PHP ECommerce Shopping Cart System ) v3.4 - 4.6.4

#

# Soft.Site: http://phpcart.net/

#

#Exploit 1: XSS

#

# phpCart is a open source web based php shopping cart system integrate for ecommece website. A user can run the #following script in "quantity" feild as # well as "Add Engraving" feild or any other feild where we can maually #inject the script, to get the current cookies.

#

# POC1:- http://www.site.com/phpcart/

# like <script>alert(document.cookie);</script> int the "quantity" feild as well as "Add Engraving" feild or any #other feild, to get the current cookies.

#

# POC2:- http://www.site.com/phpcart/phpcart.php

# Injection of XSS script "Quantity" feild is gives with the XSS attack.

#

# POC3:- http://www.site.com/phpcart/phpcart.php?action=checkout

# Injection of XSS script in input feild like "Name" "Company" "Address, Include City & Prov/State" gives with the #XSS attack.

#

# Live Demo:- http://phpcart.net/demo/phpcart/

#

#

# Exploit 2: Data manipulation

#

#DESCRIPTION:

#A vulnerability in PHPCart, which can be exploited by malicious people to manipulate orders.

#The problem is that the "price" and "postage" parameters are not properly verified in "phpcart.php". This can be #exploited to

#change the price of a product being bought by modifying the "price" parameter directly using a intermediate proxy.

#

#POC:- http://www.site.com/phpcart/phpcart.php

#It was discovered that the main process of online merchant payment was based solely on client-side verification.

#The PHP module (phpcart.php) received the payment amount from the client-side, forwards the amount and sends back

#the total price to the backend server for further payment process.

#There was no proper validation mechanism at the backend to validate the data which had been submitted by the PHP module.

#Potential attackers could tamper the data and modify the total amount.

#Before the transaction enters the merchant gate way we captured the data using intermediate proxy and the total amount shown as $XX as shown was tampered and changed.

#

#POC Example:

#Extract price of purchase:-

#ID Description Price Qty. Amount

#GB1000 Golf Balls - Long Distance 1 $28.95 + $14 shipping charges so total amount is 42.95

#

#Intercept before manipulaion:-

#After the Verification form when the page is redirecting to payment gateway the page is intermediated. The gateway selected is Paypal.

#

#User-Agent: Opera/9.26 (Windows NT 5.1; U; en)

#Host: www.paypal.com

#Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1#

#Accept-Language: en-US,en;q=0.9

#Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1

#Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0

#Referer: http://www.phpcart.net/demo/phpcart/phpcart.php

#Cookie: KHcl0EuY7AKSMgfvHl7J5E7hPtK=VDrukd29DPvnkTqVFUSeG52gR2iAX22piQHagEGhU

#Cookie2: $Version=1

#Connection: Keep-Alive, TE

#TE: deflate, gzip, chunked, identity, trailers

#Content-Type: application/x-www-form-urlencoded

#Content-Length: 286

#

#cmd=_xclick&upload=1&currency_code=USD&business=sales%40phpcart.net¬
ify_url=&

#item_name=Shopping+Cart+Order+-+B17B3A57D&return=&cancel_return=&invoic
e=B17B3A57D&

#firstname=xyz&lastname=qdqd&address1=sfsf&address2=sdfsf&city=sdfsf&sta
te=NE&zip=sfsf&rm=2&amount=42.95&handling_cart=18.00

#

#Here price=42.95 was tampered and manipulated to 1.95

#and u can see that the price on the paypal gateway will be 1.95$.

#

# Live Demo:- http://phpcart.net/demo/phpcart/

#

# Dork:- phpcart/phpcart.php?

# Dork:- Powered by phpCart

#

#

#

################################################################

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus