Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Magento Input Validation Flaws Permit Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1021746 |
|
SecurityTracker URL: http://securitytracker.com/id/1021746
|
|
CVE Reference:
CVE-2009-0541
(Links to External Site)
|
Date: Feb 24 2009
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 1.2.0
|
Description:
Several vulnerabilities were reported in Magento. A remote user can conduct cross-site scripting attacks.
The administrator logon, administrator password reminder, and update downloader features do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Magento software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor was notified on January 21, 2009.
Loukas Kalenderidis from SOS Labs reported this vulnerability.
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Magento software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
The vendor is working on a fix.
|
Vendor URL: www.magentocommerce.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 24 Feb 2009 09:02:35 +1100
Subject: [Full-disclosure] Magento Multiple Cross-Site Scripting
|
This is a multi-part message in MIME format.
--===============1657329346==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C99603.0FA1528E"
This is a multi-part message in MIME format.
------_=_NextPart_001_01C99603.0FA1528E
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Magento Multiple Cross-Site Scripting Vulnerabilities - Security =
Advisory - SOS-09-002
=20
Release Date. 24-Feb-2009
Vendor Notification Date. 21-Jan-2009
Product. Magento
Platform. Linux / PHP (verified), possibly others
Affected versions. Magento 1.2.0 (verified), possibly others
Severity Rating. Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality
Attack Vector. Remote without authentication=20
Solution Status. Vendor patch not yet available
CVE reference. CVE-2009-0541
=20
Details.
Magento is an ecommerce application. During an application penetration =
test Sense of Security identified multiple cross-site scripting =
vulnerabilities in the administrator logon, administrator password =
reminder and update downloader features of the Magento application. This =
occurred as a result of the application not properly filtering HTML tags =
which allowed malicious JavaScript to be embedded. When input is =
incorrectly validated and not properly sanitised and then displayed in a =
web page, attackers can trick users into viewing the web page and =
causing malicious code to be executed.=20
=20
Proof of Concept.
The following steps were tested prior to releasing this document on the =
Magento demo site at =
http://demo-admin.magentocommerce.com/index.php/admin/
=20
Admin Login Page:
On a failed login, the value entered into the username field of the =
admin login page is reflected back to the user without any output =
encoding.
Steps to reproduce:
1. Go to http://magento/index.php/admin/
2. Enter the following into the username field: =
"><script>alert('xss')</script>=20
3. Enter a nonsense value into the password field such as 'xxx'=20
4. Click the Login button=20
5. You will be presented with a JavaScript alert dialog box containing =
'xss'=20
=20
Password Reminder:
The password reminder function contains a similar vulnerability to the =
previous one. The value of the email address field is reflected back to =
the user without any output encoding if the entered email does not =
exist.
Steps to reproduce:
1. Go to http://magento/index.php/admin/index/forgotpassword/
2. Enter the following into the email address field: =
"><script>alert('xss')</script>
3. Click the Retrieve Password button
4. You will be presented with a JavaScript alert dialog box containing =
'xss'
=20
Magento Connect Downloader:
The Downloader contains a slightly different bug to two previously =
described. The 'return' parameter of the URL query string is inserted =
into an <a href=3D""> tag with no output encoding to facilitate the =
'Return to Magento Administration' link.
Steps to reproduce:
1. Go to =
http://magento/downloader/?return=3D%22%3Cscript%3Ealert('xss')%3C/script=
%3E
2. You will be presented with a JavaScript alert dialog box containing =
'xss'
=20
Solution.
The vendor has advised that the fix will be made available in the near =
future.
=20
Discovered by.
Loukas Kalenderidis from SOS Labs.
=20
About us.
Sense of Security is a leading provider of IT security and risk =
management solutions. Our team has expert skills in assessment and =
assurance, strategy and architecture, and deployment through to ongoing =
management. We are Australia's premier application security consultancy =
and trusted IT security advisor to many of the countries largest =
organisations.
Sense of Security Pty Ltd=20
Level 3, 66 King St
Sydney NSW 2000
AUSTRALIA
=20
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com
E: info@senseofsecurity.com
------_=_NextPart_001_01C99603.0FA1528E
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML dir=3Dltr><HEAD>=0A=
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dunicode">=0A=
<META content=3D"MSHTML 6.00.6000.16809" name=3DGENERATOR></HEAD>=0A=
<BODY>=0A=
<DIV id=3DidOWAReplyText16471 dir=3Dltr>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Magento =
Multiple Cross-Site Scripting Vulnerabilities - Security Advisory =
– SOS-09-002</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Release =
Date. 24-Feb-2009<BR>Vendor Notification =
Date. 21-Jan-2009<BR>Product. Magento<BR>Platform. Linux =
/ PHP (verified), possibly others<BR>Affected versions. Magento =
1.2.0 (verified), possibly others<BR>Severity =
Rating. Medium<BR>Impact. Cookie/credential theft, =
impersonation, loss of confidentiality<BR>Attack Vector. Remote =
without authentication <BR>Solution Status. Vendor patch not yet =
available<BR>CVE reference. CVE-2009-0541</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2>Details.<BR>Magento is an ecommerce application. During an =
application penetration test Sense of Security identified multiple =
cross-site scripting vulnerabilities in the administrator logon, =
administrator password reminder and update downloader features of the =
Magento application. This occurred as a result of the application not =
properly filtering HTML tags which allowed malicious JavaScript to be =
embedded. When input is incorrectly validated and not properly sanitised =
and then displayed in a web page, attackers can trick users into viewing =
the web page and causing malicious code to be executed. </FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2> <BR>Proof of Concept.<BR></FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>The following =
steps were tested prior to releasing this document on the Magento demo =
site at <A =
href=3D"http://demo-admin.magentocommerce.com/index.php/admin/">http://de=
mo-admin.magentocommerce.com/index.php/admin/</A></FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Admin Login =
Page:</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>On a failed =
login, the value entered into the username field of the admin login page =
is reflected back to the user without any output encoding.</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Steps to =
reproduce:<BR>1. Go to <A =
href=3D"http://magento/index.php/admin/">http://magento/index.php/admin/<=
/A><BR>2. Enter the following into the username field: =
"><script>alert('xss')</script> <BR>3. Enter a =
nonsense value into the password field such as ‘xxx’ =
<BR>4. Click the Login button <BR>5. You will be presented =
with a JavaScript alert dialog box containing ‘xss’ =
</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Password =
Reminder:</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>The password =
reminder function contains a similar vulnerability to the previous one. =
The value of the email address field is reflected back to the user =
without any output encoding if the entered email does not =
exist.</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Steps to =
reproduce:<BR>1. Go to <A =
href=3D"http://magento/index.php/admin/index/forgotpassword/">http://mage=
nto/index.php/admin/index/forgotpassword/</A><BR>2. Enter the =
following into the email address field: =
"><script>alert('xss')</script><BR>3. Click the =
Retrieve Password button<BR>4. You will be presented with a =
JavaScript alert dialog box containing ‘xss’</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Magento =
Connect Downloader:</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>The =
Downloader contains a slightly different bug to two previously =
described. The ‘return’ parameter of the URL query string is =
inserted into an <a href=3D””> tag with no output =
encoding to facilitate the ‘Return to Magento =
Administration’ link.</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Steps to =
reproduce:<BR>1. Go to <A =
href=3D"http://magento/downloader/?return=3D%22%3Cscript%3Ealert('xss')%3=
C/script%3E">http://magento/downloader/?return=3D%22%3Cscript%3Ealert('xs=
s')%3C/script%3E</A><BR>2. You will be presented with a JavaScript =
alert dialog box containing ‘xss’</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2>Solution.<BR>The vendor has advised that the fix will be made =
available in the near future.</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Discovered =
by.<BR>Loukas Kalenderidis from SOS Labs.</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>About =
us.<BR>Sense of Security is a leading provider of IT security and risk =
management solutions. Our team has expert skills in assessment and =
assurance, strategy and architecture, and deployment through to ongoing =
management. We are Australia’s premier application security =
consultancy and trusted IT security advisor to many of the countries =
largest organisations.<BR></FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>Sense of =
Security Pty Ltd <BR>Level 3, 66 King St<BR>Sydney NSW =
2000<BR>AUSTRALIA</FONT></DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 =
size=3D2></FONT> </DIV>=0A=
<DIV dir=3Dltr><FONT face=3DArial color=3D#000000 size=3D2>T: +61 (0)2 =
9290 4444<BR>F: +61 (0)2 9290 4455<BR>W: <A =
href=3D"http://www.senseofsecurity.com">http://www.senseofsecurity.com</A=
><BR>E: <A =
href=3D"mailto:info@senseofsecurity.com">info@senseofsecurity.com</A><BR>=
</DIV></FONT></DIV></BODY></HTML>
------_=_NextPart_001_01C99603.0FA1528E--
--===============1657329346==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1657329346==--
|
|
Go to the Top of This SecurityTracker Archive Page
|
