
ppp-design found the following cross-site-scripting bug in SunShop Shopping Cart:


Details

Product: SunShop Shopping Cart
Version: 2.5 and maybe all earlier versions
OS affected: all OS with PHP and MySQL
Vendor-URL: http://www.turnkeywebtools.com
Vendor-Status: informed, patched
Security-Risk: high - very high
Remote-Exploit: Yes


Introduction

SunShop is a PHP/MySQL-based shopping system. Because it is a commercial solution ($99.99), we could not look at the source code. All impacts were tested in a demo shop on their website. SunShop suffers from a cross-site scripting bug because none of the user inputs seems to be checked for malicious code.


More details

When registering as a new customer, none of the inputs is checked for malicious code. A possible blackhat is therefore able to insert JavaScript here that is executed every time the admin looks at the customer listing in the admin area, which is protected by HTTP authentication. Together with some document.location.href stuff, the blackhat is then able to redirect the admin to any page in the admin area. Because the admin is already authenticated, the blackhat does not need to have the admin's password. The redirection makes it possible to do everything the admin can do, e.g. generating new coupons.


Proof-of-concept

Enter the following name when registering as a new customer:

blackhat<script>alert('ouch')</script>

When the admin takes a look at his customer listing, the JavaScript code gets executed. Together with some more document.location.href stuff, the blackhat is able to do anything the admin can.
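The customer listing is the point where the stored name reaches the admin's browser, so HTML-encoding at output is the defensive counterpart to the behaviour described above. The following PHP is an added example and not SunShop code (its source was not available for this advisory); the customer records are constructed and the function names render_row_unsafe, render_row_safe and e are hypothetical.

```php
<?php
// Constructed sample data: the second record carries the name from the
// proof-of-concept above. Nothing here is SunShop source code.
$customers = [
    ['id' => 1, 'name' => 'Alice Example', 'email' => 'alice@example.org'],
    ['id' => 2, 'name' => "blackhat<script>alert('ouch')</script>", 'email' => 'bh@example.org'],
];

// Hypothetical unsafe renderer: stored input is copied into the page as-is,
// so the browser of whoever opens the listing parses it as markup.
function render_row_unsafe(array $c): string
{
    return "<tr><td>{$c['id']}</td><td>{$c['name']}</td><td>{$c['email']}</td></tr>";
}

// Encode one stored value for an HTML text or attribute context.
// ENT_QUOTES also encodes ' and ", which matters inside attribute values;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened renderer: every stored value is encoded at output time,
// and the numeric id is forced to an integer.
function render_row_safe(array $c): string
{
    return sprintf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        (int) $c['id'],
        e($c['name']),
        e($c['email'])
    );
}

foreach ($customers as $c) {
    $unsafe = render_row_unsafe($c);
    $safe   = render_row_safe($c);
    // Check whether a live <script> tag survives into each rendered row.
    printf(
        "id=%d unsafe_has_script=%s safe_has_script=%s\n",
        $c['id'],
        var_export(stripos($unsafe, '<script') !== false, true),
        var_export(stripos($safe, '<script') !== false, true)
    );
    echo "  safe row: {$safe}\n";
}
```

The encoding is applied where the value is written into HTML rather than only at registration, so records stored before any input check was added are rendered inert as well.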


Temporary fix

We do not have the source code, so we cannot suggest any temporary fix.


Fix

Use the latest version.


Security-Risk

Because a possible blackhat could control nearly the whole shop, we rate the security risk high - very high.


Vendor status

We have informed the vendor and he reacted very quickly. According to his statement the bug is now fixed.


Disclaimer

All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.