ZeusCart / zeuscart

ZeusCart - PHP - MySQL Based Open Source Shopping Cart - Responsive Design - GPL License
http://zeuscart.com

Multiple reflecting XSS-, SQLi- and InformationDisclosure-vulnerabilities in Zeuscart v.4 #28

Closed ghost closed 9 years ago

ghost commented 9 years ago

Dear developer team.

I found multiple reflecting XSS-, SQLi- and InformationDisclosure-vulnerabilities in Zeuscart v.4 (current Github version).

Please tell me if you are interested in getting the information provided to patch the issues. If you are interested, please tell me an email address where I can send my information to, or whether I should post it here directly.

I am going to release a security advisory on these issues (without technical details) on my blog. See http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html. If you do not respond by the 4th of February 2015 (UTC+1), I will also release the technical details of this issue and send them to the security mailing list FullDisclosure.

Greetings from Germany.

Steffen Rösemann

zeuscart7 commented 9 years ago

Hello Mr. Steffen Rösemann

Thanks for posting the issue.

Please send us more details to support@zeuscart.com, karthick@ajsquare.com

We are committed to making the needful fixes and updates.

Thanks

Karthick

From: Steffen Rösemann [mailto:notifications@github.com] Sent: Wednesday, January 21, 2015 10:56 PM To: ZeusCart/zeuscart Subject: [zeuscart] Multiple reflecting XSS-, SQLi- and InformationDisclosure-vulnerabilities in Zeuscart v.4 (#28)

ghost commented 9 years ago

Done a minute ago! Thanks for reply!

Greetings!

ghost commented 9 years ago

Dear developer team.

It's been 12 days since my initial report about these issues and I haven't got a reply from you since my email.

Any news?

Greetings.

Steffen Rösemann

zeuscart7 commented 9 years ago

Hi,

Updated the assembler https://github.com/ZeusCart/zeuscart/commit/fa919a5e4887a7d348166eac4f10b041684208ca

Please check it and review.

Based on your feedback, I'll update it in Master.

Thanks

ghost commented 9 years ago

Hello.

I will test the provided vulnerabilities with an updated version of the assembler file at the weekend and give you feedback.

Greetings.

ghost commented 9 years ago

Hello.

I just checked the vulnerabilities with the updated Assembler.php, which you provided above. The vulnerabilities are still there and can be abused by attackers.

XSS attacks can be carried out with more than just a script tag (as provided in my examples) and can be quite complex. Consider using third-party libraries like HTMLPurifier (http://htmlpurifier.org) to prevent XSS attacks, and use PHP's intval() function to prevent SQL injections in the vulnerable id parameters.

The information disclosure vulnerability is caused by the page apparently not checking whether the user is logged in as an administrator and has the rights to see this site. You could use some code that checks for a valid administrator session and redirects to index.php if the user does not have a valid session.

Greetings.

Steffen Rösemann
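The three mitigations the reporter suggests above (an admin session check with redirect, intval() plus a bound integer parameter for the id, and HTMLPurifier for output) as one added example, written for this thread and not taken from ZeusCart's code or the reporter's report; the session key `admin_id`, the `products` table, the PDO DSN and the HTMLPurifier include path are assumptions for a hypothetical admin page.

```php
<?php
// Added example, not ZeusCart's code. 'admin_id', the products table and the
// HTMLPurifier include path are assumptions for a hypothetical admin page.
session_start();

// 1. Information disclosure: require a valid administrator session before
//    rendering anything; otherwise redirect to index.php and stop.
function requireAdminSession(): void
{
    if (empty($_SESSION['admin_id'])) {   // assumed session key
        header('Location: index.php');
        exit;
    }
}

// 2. SQL injection: coerce the id with intval() and bind it as an integer
//    parameter instead of interpolating it into the query string.
function fetchProductById(PDO $db, $rawId): ?array
{
    $id = intval($rawId);              // "12abc" becomes 12, "abc" becomes 0
    if ($id <= 0) {
        return null;                   // reject nonsensical ids early
    }
    $stmt = $db->prepare('SELECT id, name, description FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. XSS: encode plain text with htmlspecialchars(); run rich-text fields through
//    HTMLPurifier, which removes script tags, event handlers and other dangerous
//    markup that a simple blacklist of <script> would miss.
function renderDescription(string $html): string
{
    require_once 'HTMLPurifier.auto.php';   // assumed include path
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    return $purifier->purify($html);
}

requireAdminSession();
$db = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass');  // placeholder DSN
$product = fetchProductById($db, $_GET['id'] ?? '');
if ($product === null) {
    http_response_code(404);
    exit('Not found');
}
echo '<h1>' . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo renderDescription($product['description']);
```

The session check must run before any output is sent, since header() cannot redirect once the response body has started.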

ghost commented 9 years ago

Hello Karthick.

It's been 29 days since my initial request.

Are you working on a patch? How should we go on to handle this issue?

Please give me more information.

Thank you!

Greetings

Steffen Rösemann

ghost commented 9 years ago

After you refused to respond to my offers/questions, I decided to publish the details of the issues, which I provided to you a month ago, giving you the opportunity to figure out a solution for them together.

To give responsible administrators the chance to decide on using your ECommerce-CMS, I have also sent the technical details to the security mailing list FullDisclosure.