*Advisory Information*
Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018
CVE REF: CVE-2011-4403

*Advisory Summary*
An attacker can force an administrator to delete or disable products from within his store.

*Vendor*
Zen-Cart

*Affected Software*
Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source shopping cart software. The ecommerce web site design program is being developed by a group of like-minded shop owners, programmers, designers, and consultants that think ecommerce web design could be and should be done differently.

*Description of Issue*
This is a POC for CSRF on the Zen-Cart 1.3.9h admin control panel. By submitting this form from any location an attacker can cause the administrator to delete / disable products from his store.

*PoC*
Requirements
1. Admin user (target) must have a valid session id. Even if they have closed the admin window, this attack is still successful.
2. The attacker must obtain the admin URL
   * Social engineer an admin user (trick them)
   * Packet capture
   * Email headers
   * Invoice print out
     * I know these have been addressed in your security forum topics, but most users are not aware of these issues
3. The attacker must obtain the product id
   * This is public information
4. The attacker must then social engineer the admin (trick them) into loading the page
   * Email with images
   * Post a forum topic with the images
   * Link them to a page on the attacker’s server

Proof of Concept

Delete: This form can be hidden and made to submit automatically on page load:

Disable:

*Proposed Solution*
* Add the security token conditional statement to delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control panel rather than just key operations

*Credits*
DisK0nn3cT

*References*
http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*
Update to the latest version
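The Proposed Solution above asks for a security-token check in delete_product_confirm.php. The following is an added illustration of that synchronizer-token pattern and is not Zen-Cart's own code; the function names, the session key `csrf_token`, and the field names `securityToken` and `products_id` are assumed for the example.

```php
<?php
// Added example (not Zen-Cart's code): per-session synchronizer token that a
// delete handler checks before changing state. Names below are assumed.

session_start();

// Create the token once per session and return it for embedding in forms.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256-bit random value
    }
    return $_SESSION['csrf_token'];
}

// True only when a token was submitted and matches the session token.
// hash_equals() compares in constant time; a missing or wrong token fails.
function csrf_check(array $post): bool {
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['securityToken'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Delete handler: a form auto-submitted from another origin carries the
// admin's session cookie but cannot know the token, so it is refused here.
// As the advisory recommends, the same gate belongs on every admin request.
function handle_delete_product(array $post): string {
    $method = $_SERVER['REQUEST_METHOD'] ?? '';
    if ($method !== 'POST' || !csrf_check($post)) {
        http_response_code(403);
        return 'Invalid security token';          // stop before touching the database
    }
    $productId = (int) ($post['products_id'] ?? 0);
    // ... perform the product delete / status change here ...
    return "Product $productId deleted";
}

// The admin's own confirmation form carries the token as a hidden field.
function render_delete_form(int $productId): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete_product_confirm.php">'
         . '<input type="hidden" name="securityToken" value="' . $token . '">'
         . '<input type="hidden" name="products_id" value="' . $productId . '">'
         . '<button type="submit">Delete</button></form>';
}
```

The token must never be placed in the URL or a GET parameter, since that would leak it through the same Referer and email-header channels the advisory lists for the admin URL.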