Low Level XSS Security Exploit in Admin CP #389

Closed
abrookbanks opened this issue Mar 16, 2015 · 0 comments
@abrookbanks (Member)

The following low level security issue has been reported which could allow session data to be stolen in the unlikely event the browser's user agent is malformed with malicious code. This is considered to be a very low level threat and the chances of actual exploitation are expected to be slim to none.

Thanks go to Ilca Lucian for the following report.

Description

This sub domain is vulnerable to a client-side security issue named Cross-Site Scripting, because the value of the untrusted input is rendered back to the user.
This can cause:
- authentication/cookie theft
- phishing
- malicious application installation in the shop.

The P.o.C / Exploit

```
Host: .mystore.com
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0'">
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://.mystore.comt/admin.php?_g=login
Cookie: d033f3275721410783e1a770ff9915a471426279907; PHPSESSID=6vbiogcqke43vi9aohmi7rd8q2; nav_Customers=true; PHPSESSID=6vbiogcqke43vi9aohmi7rd8q2
Connection: keep-alive
```

Cross Site Scripting [XSS] CubeCart v.6

In this demonstration I used an XSS vector that will echo the cookie in the main page in which the vector is executed through the "search" parameter.
This client side security issue was tested in a controlled environment with the following configuration:
OS: Debian Wheezy
Browser: Mozilla Firefox & Google Chrome

Remediation

My remediation for this kind of problem is: to parameterize the untrusted input so it is not confused with its own JavaScript code and executed.
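To illustrate the remediation the report describes (encoding the untrusted header for the HTML context before it is echoed), here is an added PHP example; it is not CubeCart's own code, and the function names, the attribute markup and the intact-check helper are assumptions made for the illustration:

```php
<?php
// Added example, not CubeCart code: contrast unescaped and escaped rendering of
// the User-Agent header inside an HTML attribute value, the kind of sink this
// report describes. Function names and markup are hypothetical.

// Constructed sample: the probe value from the report, which ends a quoted
// attribute and the tag if it is written to the page verbatim.
const SAMPLE_UA = "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0'\">";

// Vulnerable pattern: the header is concatenated straight into the attribute.
function render_ua_unescaped(string $ua): string
{
    return '<input type="text" name="user_agent" value="' . $ua . '">';
}

// Hardened pattern: HTML-encode for the attribute context. ENT_QUOTES is needed
// so single quotes are encoded as well (before PHP 8.1 the default flags left
// them alone); ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole value
// into an empty string, which would silently drop the field.
function render_ua_escaped(string $ua): string
{
    $safe = htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="user_agent" value="' . $safe . '">';
}

// Helper (hypothetical): true when the text between value=" and the next ">
// contains no raw quote or angle bracket, i.e. the attribute was not broken out of.
function attribute_is_intact(string $html): bool
{
    $start = strpos($html, 'value="') + strlen('value="');
    $end   = strpos($html, '">', $start);
    $value = substr($html, $start, $end - $start);
    return strpbrk($value, "\"'<>") === false;
}

// When served by a web server the real header is used; from the CLI the
// constructed sample stands in for it.
$ua = $_SERVER['HTTP_USER_AGENT'] ?? SAMPLE_UA;

var_dump(attribute_is_intact(render_ua_unescaped($ua)));
var_dump(attribute_is_intact(render_ua_escaped($ua)));
echo render_ua_escaped($ua), PHP_EOL;
```

The same encoding rule applies to every other request-derived value the admin CP echoes (the "search" parameter the report mentions included), chosen per output context rather than applied once on input.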

@abrookbanks abrookbanks added this to the 6.0.2 milestone Mar 16, 2015
@abrookbanks abrookbanks self-assigned this Mar 16, 2015
abrookbanks pushed a commit that referenced this issue Mar 16, 2015
@abrookbanks abrookbanks changed the title from "XSS Low Level Security Exploit in Admin CP" to "Low Level XSS Security Exploit in Admin CP" Mar 16, 2015