ppp-design found the following cross-site-scripting bug in SunShop

by Nikola Strahija on April 15th, 2002

SunShop is a PHP/MySQL based shopping system. Because it is a commercial solution ($99.99) we could not have a look into the source code. All impacts are tested in a demo shop on their website. SunShop is suffering a cross-site-scripting bug because none of the user inputs seems to be checked for malicious code.


More details
------------
When registering as a new customer, none of the inputs is checked for
malicious code. So a possible blackhat is able to insert some JavaScript
here that is executed every time the admin takes a look at the
customer listing in the admin area, which is protected by HTTP
authentication. Together with some document.location.href code the
blackhat is now able to redirect the admin to any page in the admin
area. Because the admin is already authenticated, the blackhat does not
need to have the admin's password. The redirection makes it possible to
do everything the admin can do, e.g. generating new coupons.



Proof-of-concept
----------------
Enter the following name when registering as a new customer:


blackhat<script>alert('ouch')</script>


When the admin takes a look into his customer listing, the javascript
code gets executed. Together with some more document.location.href the
blackhat is able to do anything the admin can.
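
The failure mode described above, as an added illustration that is not SunShop code (the advisory had no access to the source): a hypothetical admin customer listing rendered once without and once with output encoding, plus a hypothetical registration-time name check. The function names, row layout and sample rows are assumptions made for this example.

```php
<?php
// Added illustration, not SunShop code: a hypothetical admin customer listing.
declare(strict_types=1);

// Constructed sample rows, standing in for a customers table. The second
// name carries markup of the kind the advisory describes.
$customers = [
    ['id' => 1, 'name' => 'Alice Example'],
    ['id' => 2, 'name' => "blackhat<script>alert('ouch')</script>"],
];

// Vulnerable pattern: the stored name is concatenated into the page as-is,
// so the admin's browser parses it as markup inside the authenticated area.
function render_row_unsafe(array $c): string
{
    return '<tr><td>' . $c['id'] . '</td><td>' . $c['name'] . "</td></tr>\n";
}

// Hardened pattern: encode on output for the HTML body context, so the
// stored value is displayed as text whatever it contains.
function render_row_safe(array $c): string
{
    $name = htmlspecialchars((string) $c['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . (int) $c['id'] . '</td><td>' . $name . "</td></tr>\n";
}

// Defence in depth at registration: accept only letters, digits, spaces and
// a few punctuation marks, up to 64 characters. This complements output
// encoding and does not replace it.
function is_plausible_name(string $name): bool
{
    return preg_match('/^[\p{L}\p{M}\p{N} .,\'-]{1,64}$/u', $name) === 1;
}

foreach ($customers as $c) {
    echo 'unsafe: ', render_row_unsafe($c);
    echo 'safe:   ', render_row_safe($c);
    echo 'accepted at registration: ', is_plausible_name($c['name']) ? 'yes' : 'no', "\n\n";
}
```

Encoding at the point of output is the control that matters here, because it also covers names that were stored before any input check existed.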



Temporary fix
-------------
We do not have the source code, so we cannot suggest any temporary fix.



Fix
---
Use the latest version.



Security-Risk
-------------
Because a possible blackhat could nearly control the whole shop we rate
the security risk high - very high.



Vendor status
-------------
We have informed the vendor and he reacted very quickly. According to
his statement the bug is now fixed.



Disclaimer
----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design cannot be held responsible for the
use or misuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.


This advisory can be found online at:
http://www.ppp-design.de/advisories.php



