Cross-site scripting attacks VM 2.0.6

Started by renangbarreto, April 29, 2012, 05:31:59 AM


renangbarreto

Please, some dev, take a look.
I'm using 2.0.6.

-------------------------------------
Solution:
Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.

Output:
Using the POST HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to cross-site scripting (comprehensive test) :
+ The 'customPrice[0][9]' parameter of the /CATEGORYNAME/index.php CGI :
/CATEGORYNAME/index.php [virtuemart_category_id[]=4&option=com_virtuemart&virtuemart_product_id[0]=25&view=cart&virtuemart_category_id[0]=4&quantity[0]=1&addtocart=Adicionar ao Cesto&virtuemart_manufacturer_id=1&customPrice[0][9]=<<<<<<<<<<foo"bar'204>>>>>&task=add&quantity[]=1&virtuemart_product_id[]=25]
-------- output --------
<input type="hidden" name="view" value="cart" />
<input type="hidden" name="task" value="update" />
<input type="hidden" name="cart_virtuemart_product_id" value="25::9:<<<<<<<<<<foo"bar'204>>>>>;" />
<input type="submit" class="vmicon vm2-add_quantity_cart" name="up [...]
</form>
------------------------
Other references : CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:87, CWE:85, CWE:86, CWE:84

Studio 42

Hi,
This is a false report!

In function updateProductCart:

      $cart_virtuemart_product_id = JRequest::getString('cart_virtuemart_product_id');
....
      if (array_key_exists($cart_virtuemart_product_id, $this->products)) {

If you set another value, this is simply ignored! You cannot change the value, not only because of MySQL injection but also because of customer cheating.

Milbo

#2
As far as we can see, this should be fixed in FE/helpers/cart.php, lines 411-418:

    if ( is_array($custom_fieldId) ) {
        foreach ($custom_fieldId as $userfieldId => $userfield) {
            $productKey .= (int)$customId . ':' . (int)$userfieldId . ';';
        }
    } else {
        $productKey .= (int)$customId . ':' . (int)$custom_fieldId . ';';
    }


and in line 518, move the setCartIntoSession() call inside the brackets:

        // Save the cart
        $this->setCartIntoSession();
    }


Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/
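A worked illustration of the cast fix quoted above, added here as an example and not VirtueMart's own code. The variable and function names and the simplified key layout are assumptions for this illustration; the real helper lives in FE/helpers/cart.php.

```php
<?php
// Added example, not VirtueMart code: shows why the (int) casts stop the
// scanner payload from reaching the hidden <input value="...">.
// $productId / $customPrice and the two function names are assumptions chosen
// for this illustration; the real helper lives in FE/helpers/cart.php.

// Constructed request, mirroring the scanner's customPrice[0][9]=<<<foo"bar'204>>>
$productId   = 25;
$customPrice = [9 => '<<<<<<<<<<foo"bar\'204>>>>>'];

// Before the fix: the raw field id is concatenated into the product key, and
// that key is later echoed into the cart form unescaped, so the markup survives.
function productKeyRaw(int $productId, array $customPrice): string
{
    $key = $productId . '::';
    foreach ($customPrice as $customId => $customFieldId) {
        $key .= $customId . ':' . $customFieldId . ';';
    }
    return $key;
}

// After the fix (the block quoted above): every id is cast to int. A string
// such as <<<foo"bar'204>>> is non-numeric, so (int) turns it into 0 and no
// attacker-controlled characters are left in the key.
function productKeyCast(int $productId, array $customPrice): string
{
    $key = $productId . '::';
    foreach ($customPrice as $customId => $customFieldId) {
        if (is_array($customFieldId)) {
            foreach ($customFieldId as $userfieldId => $userfield) {
                $key .= (int)$customId . ':' . (int)$userfieldId . ';';
            }
        } else {
            $key .= (int)$customId . ':' . (int)$customFieldId . ';';
        }
    }
    return $key;
}

$raw  = productKeyRaw($productId, $customPrice);
$safe = productKeyCast($productId, $customPrice);

// Three renderings: the raw key as the scanner saw it, the raw key escaped on
// output (defence in depth for the CWE-79 finding itself), and the cast key.
printf('<input type="hidden" name="cart_virtuemart_product_id" value="%s" />%s', $raw, PHP_EOL);
printf('<input type="hidden" name="cart_virtuemart_product_id" value="%s" />%s',
       htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), PHP_EOL);
printf('<input type="hidden" name="cart_virtuemart_product_id" value="%s" />%s', $safe, PHP_EOL);
```

Run it with `php` on the command line and compare the three hidden inputs: only the first one reproduces the scanner's reflected markup.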

jjk

#3
I wouldn't trust GoDaddy's site scanner too much, as it seems to be the only one which thinks there is a vulnerability in VM2, even though it's either a very low possibility or does not do any harm. As far as I know, their site scanner doesn't go deep into the system. So it might open a first privacy protection door, but doesn't recognize when there are additional armoured doors behind the first door. In general, I think this old reply in the Joomla forum applies to your case, too.
See here: http://forum.joomla.org/viewtopic.php?t=682416
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations