by r0t,der4444,cembo,VietMafia

Wednesday, December 14, 2005

ClickCartPro (CCP) XSS vuln.

Vuln. discovered by: r0t
Date: 14 Dec. 2005
Vendor: http://www.clickcartpro.com/
Affected version: 5.1 and prior

Product Description:

CCP is a full featured shopping cart engine that will install on virtually any webserver, and does not require root access or special modules. The entire software package uses SQL and a relational database model, which allows tie-ins to many RDBMS (MySQL, PostgreSQL, Microsoft SQL Server, etc.). It runs out of the box in CSV mode. 100% of the front-end and web based administrator is configurable using its 200+ functions. Features: multi-level categories, product downloads, data import/export, easy product option and relationship management, dynamic form and page generation, easy site layout editing, file uploads, discounts, order tracking, keyword search, flexible shipping with UPS integration or default and custom methods. Integrated with 28 payment processors including PayPal. Offline processing included.


Vuln. Description:

ClickCartPro contains a flaw that allows a remote cross-site scripting attack. The flaw exists because input passed to the "affl" parameter of "cp-app.cgi" is not properly sanitised before it is returned to the user in the generated page.
This could allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

example:

/cp-app.cgi?usr=51H4515590&rnd=577308&rrc=N&affl=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E


Solution:
Edit the source code to ensure that input is properly sanitised: the value of "affl" (and any other user-supplied form data) must be HTML-encoded before it is echoed into the page.

1 Comments:

Anonymous Nick Hendler (Kryptronic) told...

Kryptronic, developer of ClickCartPro software, has issued an update to all 5.0 and 5.1 versions of ClickCartPro which combats this XSS vulnerability.

More info here:

http://www.clickcartpro.com/forum/index.php?showtopic=12172

Public statement concerning the update:

This update contains modifications to the ClickCartPro codebase. These
new codebase modifications create a wrapper for public CGI requests and
strip characters from incoming formdata for those public CGI requests.

The use of this wrapper prevents user submitted formdata containing
HTML characters from being printed literally within the display routines.
ClickCartPro has begun to fail tests performed by site scanning bots
because of a positive return on cross-site-scripting tests.

To ensure these tests are passed by your site in the future and to
avoid security warnings from your hosting provider, we recommend you
apply this update.

7:14 PM
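The following Python script is an added illustration and is not code from the advisory or from Kryptronic's ClickCartPro. It models the reported defect (the "affl" query parameter echoed verbatim into a hidden form field, so the advisory's example URL breaks out of the attribute) next to the two remediations discussed above: output encoding, as the advisory's solution calls for, and a wrapper that strips HTML-significant characters from incoming form data, as the vendor's statement describes. The hidden-field template, the character set stripped by the wrapper and the sample URL (built from the advisory's example) are assumptions; the real cp-app.cgi display routines are not shown on this page.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, assembled from the advisory's example URL
# (the real CGI's other parameters are irrelevant to the reflection).
SAMPLE_URL = ("/cp-app.cgi?usr=51H4515590&rnd=577308&rrc=N"
              "&affl=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E")

# Assumed display template: the affiliate id is carried in a hidden field.
HIDDEN_FIELD = '<input type="hidden" name="affl" value="%s">'

# Characters a "strip HTML characters" wrapper would remove (assumption,
# approximating the vendor's description rather than their exact code).
STRIP_RE = re.compile(r'[<>"\']')

# Detection helper: does the rendered markup contain a live script tag?
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def affl_from_url(url):
    """Extract the (URL-decoded) affl value the CGI would receive."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("affl", [""])[0]


def render_vulnerable(affl):
    """Mirror the reported defect: raw value interpolated into the page."""
    return HIDDEN_FIELD % affl


def render_encoded(affl):
    """Advisory's fix: HTML-encode on output; data is preserved exactly."""
    return HIDDEN_FIELD % escape(affl, quote=True)


def strip_wrapper(formdata):
    """Vendor-style fix: scrub HTML characters from every incoming value."""
    return {key: STRIP_RE.sub("", value) for key, value in formdata.items()}


def render_stripped(affl):
    """Render after the stripping wrapper has run over the form data."""
    return render_vulnerable(strip_wrapper({"affl": affl})["affl"])


def contains_live_script(markup):
    """True if the markup would be parsed as containing a <script> element."""
    return bool(SCRIPT_RE.search(markup))


if __name__ == "__main__":
    payload = affl_from_url(SAMPLE_URL)
    for label, renderer in (("vulnerable", render_vulnerable),
                            ("encoded", render_encoded),
                            ("stripped", render_stripped)):
        out = renderer(payload)
        print("%-10s script=%-5s %s" % (label, contains_live_script(out), out))
    # Encoding keeps a legitimate value intact; stripping silently alters it.
    print(render_encoded("O'Brien"))
    print(render_stripped("O'Brien"))
```

The difference between the two fixes is worth noting: output encoding leaves a legitimate affiliate value such as `O'Brien` recoverable (the apostrophe becomes `&#x27;` and the browser shows it unchanged), whereas a stripping wrapper neutralises the same injection but silently turns the value into `OBrien`. Stripping also blocks only the characters it lists, so it has to be applied to every public request path, which is why the vendor describes it as a wrapper for all public CGI requests.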

Copyright (c) 2006 Pridels Sec Crew