security bulletin - 3.3.0 up to 4.0.11

 
  #1  
Old 01-26-2005, 04:43 AM
  shan's Avatar 
shan shan is offline
 

X-Guru
  
Join Date: Sep 2002
Location: Birmingham, UK
Posts: 6,163
 

Default security bulletin - 3.3.0 up to 4.0.11

Dear Customer,

This bulletin contains the latest security advisory for X-Cart users.

DESCRIPTION:
Recently several vulnerabilities of Cross Site Scripting (CSS) nature were discovered in X-Cart software. The vulnerability is caused by insufficient validation of input data. It can be exploited if a malicious person lures a customer to click on a specially crafted link located on a third party site or inside an email message that leads to the site with X-Cart software. This can result in a third party HTML or JavaScript code getting executed in the customer's browser that can be used for password or email phishing.
No remote access or unauthorized data disclosure can be gained as a direct result of this vulnerability.

SEVERITY:
Moderate

CONDITIONS:
Using IE browser.

IMPACT:
Third party HTML code or JavaScript can be injected and executed in the customer's browser if he follows a specially crafted link provided by a malicious person.

AFFECTED VERSIONS:
X-Cart versions since 3.3.0 up to 4.0.11

SOLUTION:
If your version is affected by this issue:
1) Download the patch archive file <xcart_security_fix_3.3.0-4.0.11_20050127.tgz> from your personal Help Desk account at https://secure.qualiteam.biz/ (Updates section of the file area)
2) Uncompress the archive.
3) Replace the script file 'globals.php' or 'prepare.php' (depending on the version of your X-Cart) located in the root directory of your X-Cart installation with an updated version of this file from the uncompressed archive folder (by overwriting).

The archive file <xcart_security_fix_3.3.0-4.0.11_20050127.tgz> contains fixes for all the affected versions.
__________________
Looking for a reliable X-cart host?
You won't go wrong with either of these.

EWD Hosting
Hands On Hosting
Reply With Quote
  #2  
Old 01-26-2005, 08:16 AM
 
funkydunk funkydunk is offline
 

X-Man
  
Join Date: Oct 2002
Location: Cambridge, UK
Posts: 2,210
 

Default

__________________
ex x-cart guru
Reply With Quote
  #3  
Old 01-26-2005, 01:09 PM
 
funkydunk funkydunk is offline
 

X-Man
  
Join Date: Oct 2002
Location: Cambridge, UK
Posts: 2,210
 

Default

3.5.xx code causes an infinite loop that throws up the error:

redirection limit for this url exceeded unable to load .....
__________________
ex x-cart guru
Reply With Quote
  #4  
Old 01-26-2005, 03:54 PM
 
john80y john80y is offline
 

X-Adept
  
Join Date: May 2003
Posts: 459
 

Default

Can someone explain how this is only moderate ???
__________________
X-Cart 5.3.x
Reply With Quote
  #5  
Old 01-26-2005, 11:44 PM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default

I've tried to use the 3.5.x version of prepare.php on my 3.5.4 installation and all I get is "page cannot be displayed" after a few seconds. Hopefully this won't be a security update I have to pay to have done. Anyone else have problems?

Dan
__________________
4.4.2

and

4.6.1
Reply With Quote
  #6  
Old 01-26-2005, 11:48 PM
 
funkydunk funkydunk is offline
 

X-Man
  
Join Date: Oct 2002
Location: Cambridge, UK
Posts: 2,210
 

Default

yes i have on any site that i have put it on

have had to wind it back out because of the url redirection error.

xcart - can you fix your fix please?

ffs
__________________
ex x-cart guru
Reply With Quote
  #7  
Old 01-27-2005, 12:01 AM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default

Well, at least it's not serious, being classed as "moderate"...I mean, it's not as if they can get the admin password or anything important
__________________
4.4.2

and

4.6.1
Reply With Quote
  #8  
Old 01-27-2005, 01:00 AM
 
rrf rrf is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 543
 

Default

Quote:
Originally Posted by john80y
Can someone explain how this is only moderate ???

The one and only way to exploit it is to make a customer follow a link to your store using a URL provided by a malicious person.

Sample 1: a hacker sends someone a link to your store by e-mail. The link will not look like www.yourstore.com, but www.yourstore.com/path/?a_lot_of_hackers_java_script_code_in_the URL.

If the customer visits the link sent to him by a hacker, the hacker will be able to track the information he enters during the visit to your store.

Sample 2: a hacker puts a link to your store on his site. The link is corrupted, as in the above sample. A person who visits the hacker's site clicks the link; everything else is as in sample #1.


There is no way to exploit this without:

1) The hacker having to promote your store and promote it successfully, i.e. attracting new customers.
2) Your customer trusting the hacker.

So, I would even call this quite a minor vulnerability. There are no known cases of anyone managing to exploit this vulnerability. The only reason why we did send out the security notification is that our policy is to ALWAYS notify the customer about all known security issues.
__________________
Sincerely yours,
Ruslan R. Fazliev,
CEO

Twitter: @aznakai
Reply With Quote
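
A defender's check for the kind of crafted link described in the post above, as an added example that is not part of the original thread or of X-Cart's code: it scans web-server access-log lines for request URLs whose query string, once percent-decoded, contains HTML or script markup. The log lines, script paths and match patterns are constructed for illustration and are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line inside a common/combined log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Markup that should never appear in a store URL's query string (assumed patterns).
MARKUP_RE = re.compile(
    r'<\s*/?\s*(?:script|iframe|img|svg|object|embed|body)\b'  # HTML tags
    r'|[\s"\']on\w+\s*='      # inline event handlers such as onerror=
    r'|javascript\s*:',       # javascript: URLs
    re.IGNORECASE,
)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, path, decoded_query) for requests carrying markup."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        query = decode_fully(url.query)
        if MARKUP_RE.search(query):
            hits.append((line.split(" ", 1)[0], url.path, query))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2005:04:50:01 -0800] "GET /home.php?cat=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Jan/2005:05:02:17 -0800] "GET /home.php?cat=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301',
    '198.51.100.7 - - [26/Jan/2005:05:10:40 -0800] "GET /search.php?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4411',
    '203.0.113.5 - - [26/Jan/2005:05:11:02 -0800] "GET /search.php?q=red+onion+soup HTTP/1.1" 200 4380',
]

if __name__ == "__main__":
    for ip, path, query in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} -> {query}")
```

Hits in the period before the patched globals.php or prepare.php was installed show which pages were being linked to and from which client addresses the crafted links were followed.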
  #9  
Old 01-27-2005, 01:08 AM
 
funkydunk funkydunk is offline
 

X-Man
  
Join Date: Oct 2002
Location: Cambridge, UK
Posts: 2,210
 

Default

Ruslan

Thanks for the reply

Can you confirm that your team are correcting the problem with the 3.5.x prepare.php script?
__________________
ex x-cart guru
Reply With Quote
  #10  
Old 01-27-2005, 01:26 AM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 800
 

Default

Thanks Ruslan,

IMO, those examples don't sound too difficult for a hacker to do (correct me if I'm wrong). Hypothetically speaking, if someone wanted to target my store to steal the admin password, they could send an effective looking spam email to a few thousand email addresses to get people to visit the store e.g. with an attractive offer.

The fact that my server newsgroup mentioned this issue this morning says that the word on this vulnerability is spreading, so the more chance there is for an exploit. Like funkydunk, I'm also hoping there will be a fix for the 3.5.x file.

Thanks

Dan
__________________
4.4.2

and

4.6.1
Reply With Quote