Multiple reflecting XSS-, SQLi- and InformationDisclosure-vulnerabilities in Zeuscart v.4 #28

Closed
ghost opened this Issue Jan 21, 2015 · 8 comments

@ghost

ghost commented Jan 21, 2015

Dear developer team.

I found multiple reflecting XSS-, SQLi- and InformationDisclosure-vulnerabilities in Zeuscart v.4 (current Github version).

Please tell me if you are interested in getting the information provided to patch the issues. If you are interested, please tell me an email address where I can send my information to, or whether I should post it here directly.

I am going to release a security advisory on these issues (without technical details) on my blog. See http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html. If you have not responded by the 4th of February 2015 (UTC+1), I will release the technical details of this issue as well and send them to the security mailing list FullDisclosure.

Greetings from Germany.

Steffen Rösemann

@karthick-ajsquare


Contributor

karthick-ajsquare commented Jan 22, 2015

Hello Mr. Steffen Rösemann,

Thanks for posting the issue.

Please send us more details to support@zeuscart.com, karthick@ajsquare.com

We are committed to making the needful fixes and updates.

Thanks

Karthick


@ghost


ghost commented Jan 22, 2015

Done a minute ago! Thanks for the reply!

Greetings!

@ghost


ghost commented Feb 3, 2015

Dear developer team.

It's been 12 days since my initial report about these issues, and I haven't got a reply from you since my email.

Any news?

Greetings.

Steffen Rösemann

@karthick-ajsquare


Contributor

karthick-ajsquare commented Feb 4, 2015

Hi,

Updated the assembler:
fa919a5

Please check it and review.

On your feedback, I'll update it in master.

Thanks

@karthick-ajsquare karthick-ajsquare self-assigned this Feb 4, 2015

@karthick-ajsquare karthick-ajsquare added bug and removed bug labels Feb 4, 2015

@ghost


ghost commented Feb 5, 2015

Hello.

I will test the provided vulnerabilities with the updated version of the assembler file at the weekend and give you feedback.

Greetings.

@ghost


ghost commented Feb 7, 2015

Hello.

I just checked the vulnerabilities with the updated Assembler.php, which you provided above. The vulnerabilities are still there and can be abused by attackers.

XSS attacks can be carried out by more than just using a script tag (as provided in my examples) and can be quite complex.
Consider using third-party libraries like HTMLPurifier (http://htmlpurifier.org) to prevent XSS attacks, and use PHP's intval() function to prevent SQL injections in the vulnerable id parameters.

The information disclosure vulnerability is caused because the page does not seem to check whether the user is logged in as an administrator and has the rights to see this site. You could use some code that checks for a valid administrator session and redirects to index.php if the user does not have a valid session.

Greetings.

Steffen Rösemann
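The three mitigations recommended in the comment above (intval() on id parameters, HTMLPurifier for user-supplied markup, and an administrator session check that redirects to index.php) can be combined into a single request handler. The following PHP is an added illustration written for this thread; it is not Zeuscart code, and the session key `admin_id`, the `products` table, and the page layout are assumptions made for the example. It also goes one step beyond the comment by binding the integer id as a prepared-statement parameter rather than relying on intval() alone, and by output-encoding with htmlspecialchars() for values that should never carry markup.

```php
<?php
// Added example for this thread, not Zeuscart's own code.
// Assumptions: the admin login sets $_SESSION['admin_id']; product data lives
// in a table named products(id, name, description); HTMLPurifier is installed
// via Composer (package ezyang/htmlpurifier) for the cleanHtml() helper.
declare(strict_types=1);

if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require_once __DIR__ . '/vendor/autoload.php'; // provides HTMLPurifier
}

session_start();

// 1. Authorisation guard for admin-only pages: without a valid administrator
//    session, redirect to index.php and stop, as suggested in the thread.
function requireAdminSession(): void
{
    if (empty($_SESSION['admin_id'])) {          // 'admin_id' is an assumed key
        header('Location: index.php', true, 302);
        exit;
    }
}

// 2. Integer id parameters: validate as an integer first, then intval() as the
//    thread suggests, rejecting non-positive values so that a non-numeric
//    string does not silently become id 0.
function requireIntParam(string $name): int
{
    $raw = $_GET[$name] ?? '';
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        http_response_code(400);
        exit('invalid ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    $id = intval($raw);
    if ($id <= 0) {
        http_response_code(400);
        exit('invalid id');
    }
    return $id;
}

// 3. Even with an integer id, bind it as a typed parameter instead of
//    concatenating it into the SQL string.
function loadProduct(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, description FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Output encoding for plain-text values reflected into HTML: encode every
//    HTML metacharacter, including quotes, with an explicit charset.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 5. Fields that legitimately contain markup (e.g. a product description) go
//    through HTMLPurifier's allowlist rather than a denylist of tags.
function cleanHtml(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

// Usage for an admin product page. The in-memory SQLite row is constructed
// sample data so the script can be served locally (php -S) without a real DB.
requireAdminSession();
$id = requireIntParam('id');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Sample <b>item</b>', '<p>Plain text</p><script>alert(1)</script>')");

$product = loadProduct($db, $id);
if ($product === null) {
    http_response_code(404);
    exit('not found');
}
echo '<h1>' . e($product['name']) . '</h1>';          // name is shown as text
echo '<div>' . cleanHtml($product['description']) . '</div>'; // script tag dropped
```

Requesting the page without an admin session yields the redirect to index.php before any query runs; `?id=1` renders the name with `<b>` encoded as text and the description with the script element removed by HTMLPurifier; `?id=abc` or `?id=-1` is rejected with a 400 before reaching the database.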

@ghost


ghost commented Feb 19, 2015

Hello Karthick.

It's been 29 days since my initial request.

Are you working on a patch? How should we go on to handle this issue?

Please give me more information.

Thank you!

Greetings

Steffen Rösemann

@ghost


ghost commented Feb 22, 2015

After you refused to respond to my offers/questions, I decided to publish the details of the issues, which I provided to you a month ago, giving you the opportunity to figure out a solution for them together.

To give responsible administrators the chance to decide on using your eCommerce CMS, I have also sent the technical details to the security mailing list FullDisclosure.

@ghost ghost closed this Feb 22, 2015

This issue was closed.
