Post by dfumagalli » Sat Sep 06, 2014 1:16 am

Hello,

I have run a security scan (Qualys) on an OpenCart 1.5.6 installation and it detected a number of minor issues but also two major vulnerabilities: XSS and SQL injection.

Now, I can't upload the massive report it generated but I can show a sample of what it has detected.
One of the OpenCart devs could see if the reports are a false positive or a real threat:

Reflected Cross-Site Scripting (XSS) Vulnerabilities

QID: 150001 CVE Base: – Port: - CVSS Temporal: – Category: Web Application CVE ID:

[omissis]
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser.
[omissis]

I think it put in a "qss" and a google query string here and there, the test output was this:

Code: Select all

null -- oogle.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag=regalo"'><qss>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" style="co,null -- gle.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag="'><qss a=X157525300Y1Z>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" s,null -- /plus.google.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag="><qss>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" style="co,null -- e.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag=rose rosse"'><qss>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" style="co,null -- oogle.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag="'><qss `;!--=&{()}>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" sty,null -- oogle.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag=gadget"'><qss>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" style="co,null -- ogle.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>
</div>  <div class="breadcrumb">
        <a href="http://www.domain.tld/">Home</a>
         » <a href="http://www.domain.tld/search?tag=bouquet"'><qss>">Ricerca</a>
      </div>
  <h1>Ricerca</h1>
  <b>Criteri di Ricerca</b>
  <div class="content">
    <p>Ricerca:            <input type="text" name="search" value="" onclick="this.value = '';" onkeydown="this.style.color = '000000'" style="co,null -- oogle.com/share?url=http://www.domain.tld/" target="_blank"></a></li>      
</ul>


Blind SQL injection vulnerability

[omissis]
How It Works:
The WAS scanning engine uses a well known methodology called "True and False" inference to determine if there is a blind SQL injection vulnerability. Basically, it uses two payloads: one with a "True condition" and another with a "False condition". If there is a blind SQL injection vulnerability, the query with the "True condition" payload will cause the web application to return a different response than the "False condition".
A good example of a "True condition" payload would be ' AND 1=1 . Since 1 always equals 1, the condition is true. An example of a "False condition" payload would be ' AND 1=2 . Since 1 does not equal 2, the condition is false.

For example, let's say there is a web application with a textbox that searches for customer names and displays the results inside a table. And let's assume that if someone searches for John there is one result only. When scanning for the blind SQL injection vulnerability, the WAS scanning engine uses two payloads:
- True condition payload : This injects the string John' AND 1=1 to issue the query "return John only if 1=1" . Since 1 always equals 1 the condition is true. The result is John, which is the same result as using the string John.

- False condition payload: This injects the string John' AND 1=2 to issue the query "return John only if 1=2". Since 1 is never equal to 2, the condition is false. The result is nothing or "No results found".

With the results from the two payloads, the WAS scanning engine draws the conclusion that there is a blind SQL injection vulnerability. Even though there is no one called "John' AND 1=1" in the database, web application displays information for "John" if a search is done with that query string.
[omissis]

Here's the snippet it reported:
http://www.domain.tld/roses/bouquet-red ... %20NULL%20 -- This vulnerability was identified using the difference in responses for TRUE and FALSE payloads. This vulnerability is confirmed based on the difference in the response content.

Content of all TRUE responses differ from FALSE responses.

True condition:

http://www.domain.tld/roses/bouquet-red ... %20NULL%20

False condition:

http://www.domain.tld/roses/bouquet-red ... %20NULL%20
I think it complains about the order=ASC, does the parameter value get put in a query as is?


I have the full report if someone of the OpenCart devs wants to check it out by himself.

Heavy OpenCart Customizations. Current project in progress: fleurworld.com


Active Member

Posts

Joined
Tue Aug 20, 2013 3:34 am
Who is online

Users browsing this forum: No registered users and 4 guests