CORE-2010-0406 - User Invoices Persistent XSS Vulnerability in CactuShop

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Core Security Technologies - CoreLabs Advisory
            http://corelabs.coresecurity.com/

User Invoices Persistent XSS Vulnerability in CactuShop

1. Advisory Information

Title: User Invoices Persistent XSS Vulnerability in CactuShop
Advisory Id: CORE-2010-0406
Advisory URL:
[http://www.coresecurity.com/content/cactushop-xss-persistent-vulnerability]
Date published: 2010-04-20
Date of last update: 2010-04-20
Vendors contacted: Cactusoft International and Cactusoft Ltd.
Release mode: Coordinated release

2. Vulnerability Information

Class: Cross site scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-1486
Bugtraq ID: 39587

3. Vulnerability Description

CactuShop [http://www.cactushop.com] is an ASP shopping cart designed
to provide a powerful base for e-commerce web sites hosted on
Microsoft Windows web servers. A Cross Site Scripting (XSS)
vulnerability has been discovered in CactuShop. This vulnerability
occurs in the file that processes the user invoices ('_invoice.asp').
A malicious user can abuse of this flaw by requesting for an invoice
and thus tricking an admin user into issuing him an invoice.

4. Vulnerable packages

   . CactuShop v6.1.
   . Older versions are probably affected too, but they were not checked.

5. Non-vulnerable packages

   . CactuShop v6.155.

6. Vendor Information, Solutions and Workarounds

The change made to the file '_invoice.asp' was to use the 'WriteSafe'
function on lines 88 and 100:

/-----
87 …
88 O_BillingAddress = WriteSafe(replace(O_BillingAddress, vbcrlf &
vbcrlf, vbcrlf))

99 …
100 O_ShippingAddress = WriteSafe(replace(O_ShippingAddress, vbcrlf &
vbcrlf, vbcrlf))

• -----/
  This function HTML encodes any code an attacker might try to insert
  into the addresses to be run. This patch was applied to CactuShop v6.155.

7. Credits

This vulnerability was discovered and researched by 7Safe
[http://www.7safe.com/].

8. Technical Description / Proof of Concept Code

A Cross Site Scripting vulnerability has been discovered in the file
that processes the user invoices: '_invoice.asp'. This occurs when a
user with a malicious billing address
('"/><script>alert(1);</script>') requests for an invoice and could
thus trick an admin user into issuing him an invoice.

9. Report Timeline

. 2010-04-06:
Core Security Technologies notifies the CactuShop team two
vulnerabilities in their software, a XSS vulnerability and a
SQL-Injection vulnerability. April 19th, 2010, is proposed as a
release date.

. 2010-04-07:
The CactuShop team asks Core for a technical description of the
vulnerabilities.

. 2010-04-07:
Technical details sent to CactuShop team by Core.

. 2010-04-08:
The CactuShop team confirms the XSS vulnerability but notifies they do
not think the SQL-Injection belongs to CactuShop code; it looks like
it may be a customer modification.

. 2010-04-09:
Core agrees the code with the SQL-Injection vulnerability will be
probably a customer modification.

. 2010-04-12:
CactuShop team notifies they addresses the XSS problem and will make
the patch available for registered users from CactuShop website. The
release version of CactuShop will be v6.155.

. 2010-04-19:
Core notifies the advisory will be released tomorrow (2010-04-20).

. 2010-04-20:
The advisory CORE-2010-0406 is published.

10. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: [http://corelabs.coresecurity.com/].

11. About Core Security Technologies

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at [http://www.coresecurity.com].

12. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvOE+EACgkQyNibggitWa25twCdEfdylGmZa3pvpBuGjhD9d1iu
CBsAnjctGklHyy8HpjwW6hxZy4eFDXpl
=7dM0
-----END PGP SIGNATURE-----