
Magento Community Edition 1.3.2.43 Cross Site Scripting

Posted Jan 5, 2010
Authored by Justin C. Klein Keane

Magento Community Edition version 1.3.2.43 suffers from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | dbd525978d8ace31114ca6b8b08a0aa779f3c2209c1480624da0447ea6beeb0f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The full text of this advisory can be found at:
http://www.madirish.net/?article=445

Description of Vulnerability:
- -----------------------------
Magento (http://www.magentocommerce.com/) is an eCommerce platform
written in PHP and backed by MySQL. Magento contains numerous serious
cross site scripting (XSS) vulnerabilities.

Systems affected:
- -----------------
Magento Community Edition version 1.3.2.43 was tested and shown to be
vulnerable.

Mitigating factors
- ------------------
None of the vulnerabilities described below can be exploited by
unauthenticated users. An attacker must have credentials to access the
site in order to perform the proof of concept attacks detailed below.

Vulnerable fields:
- ------------------
The following is a list of fields and presentation screens that suffer
from cross site scripting vulnerabilities:

== Product Name ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product name' field.

Proof of concept:
1. Click on Catalog -> Manage Products and click the 'Add Product' button
2. Select default settings and click the 'Continue' button
3. Enter "<script>alert('xss');</script>" in the 'Name' field
4. Enter arbitrary data in the other required fields and click the
'Save' button
5. Click on Sales -> Orders then 'Create New Order'
6. Select any customer
7. Click 'Add Products'
8. Select the newly created product and click 'Add Selected Product(s)
to Order'
9. Observe the JavaScript alert

== Product SKU ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product SKU' field.

Proof of concept:
1. Create a new product as above, except enter the script value for the
product SKU
2. Create a new review of the product from Catalog -> Reviews and
Ratings -> Customer Reviews -> All Reviews and clicking the 'Add New
Review' button
3. Save the product review to view the JavaScript

== Product Description ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product description' field. Any JavaScript in
a product description will be rendered when a customer views the product
details of that product.

== Customer Group Name ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'customer group name' field.

Proof of concept:
1. Click on Customers -> Customer Groups
2. Click the 'Add New Customer Group' button
3. Enter "<script>alert('xss');</script>" for the 'Group Name'
4. Click 'Save Customer Group'
5. Click Customers -> Manage Customers
6. Observe the JavaScript alert (twice)

== Product Category Name ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'product category name' field.

Proof of concept:
1. Click on Catalog -> Manage Categories
2. Click on 'Add Root Category'
3. Click on the 'General Information' tab
4. Enter "<script>alert('xss');</script>" for the 'Name'
5. Click the 'Save Category' button
6. Click the new category name from the left
7. Observe the JavaScript alert

== Attribute Set ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'attribute set name' field.

Proof of concept:
1. Click on Catalog -> Attributes -> Manage Attribute Sets
2. Click the 'Add New Set' button
3. Enter "<script>alert('xss');</script>" for the 'Name'
4. Click 'Save Attribute Set'
5. Observe the JavaScript alert

== Sitemap Path ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'sitemap path' field.

Proof of concept:
1. Click on Catalog -> Google Sitemap
2. Click 'Add Sitemap'
3. Enter "<script>alert('xss');</script>" for the Path
4. Click 'Save & Generate' button
5. Observe the JavaScript alert

== Customer Tax Class, Product Tax Class, Tax Rate ID ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'customer tax class name', 'product tax class
name', or 'tax rate id' fields.

Proof of concept is only provided for Customer Tax Class (others follow
same methodology):
1. Click on Sales -> Tax -> Customer Tax Classes
2. Click the 'Add New' button
3. Enter "<script>alert('xss');</script>" for the Class Name
4. Click 'Save Class'
5. Click on Sales -> Tax -> Manage Tax Rule
6. Observe the JavaScript

N.B. The Product Tax Class XSS also affects the Catalog Advanced Search
page at index.php/catalogsearch/advanced/

== Poll Question ==
The Magento platform suffers from an XSS vulnerability because it does
not properly sanitize the 'Poll Question' or 'Poll Answer' fields.

Proof of concept:
1. Click on CMS -> Poll Manager
2. Click the 'Add New Poll' button
3. Enter "<script>alert('xss');</script>" for the Poll Question
4. Click the 'Poll Answers' tab
5. Click the 'Add New Answer' button
6. Enter "<script>alert('xss');</script>" for the Answer Title
7. Click the 'Save Poll' button
8. Observe the JavaScript alerts when the poll renders at index.php


== Architecture ==
Magento stores submitted values in the database without any filtering.
In this model it becomes imperative that data be filtered for XSS
before display. While each value has only one point of input, there can
be countless points of display, and these expand beyond the Magento core
as modules are added. The polluted data layer allows XSS to creep
forward into the display layers with ease unless extreme care is taken by
developers.
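The remedy the paragraph above calls for is output encoding at every display point. The following is an added example, not Magento's own code: it takes a constructed product record whose name carries the advisory's payload, and shows a template fragment that echoes the value raw beside one that escapes it with PHP's htmlspecialchars. The function and variable names (escapeForHtml, renderRowVulnerable, renderRowHardened, renderOptionHardened, containsRawScriptTag) are mine, and the flat array record is an assumption standing in for Magento's data model.

```php
<?php
// Added example, not Magento code: output encoding at the display layer.
// The record below is a constructed stand-in for a product row read back
// from the database, carrying the advisory's payload unfiltered.
$product = [
    'name' => "<script>alert('xss');</script>",
    'sku'  => 'DEMO-001',
];

/**
 * Escape an untrusted string for use as HTML element content or inside a
 * quoted attribute value. ENT_QUOTES covers both quote characters so the
 * result is safe in single- and double-quoted attributes; ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string, which would
 * otherwise silently blank out a field.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored value is interpolated into markup as-is,
// so the browser parses the <script> element and runs it. This is the
// shape of the bug behind each field listed in the advisory.
function renderRowVulnerable(array $product): string
{
    return "<tr><td>{$product['sku']}</td><td>{$product['name']}</td></tr>";
}

// Hardened pattern: every untrusted value is escaped at the point of
// output, regardless of what earlier layers did or did not filter.
function renderRowHardened(array $product): string
{
    return '<tr><td>' . escapeForHtml($product['sku']) . '</td>'
         . '<td>' . escapeForHtml($product['name']) . '</td></tr>';
}

// Attribute context needs the same escaping, and the attribute must be
// quoted; an unquoted attribute can be broken out of with a space alone.
function renderOptionHardened(array $product): string
{
    return '<option value="' . escapeForHtml($product['sku']) . '">'
         . escapeForHtml($product['name']) . '</option>';
}

// A quick check a reviewer can apply to a rendered fragment: no raw
// script tag from the input survives into the output.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo renderRowVulnerable($product), PHP_EOL;
echo renderRowHardened($product), PHP_EOL;
echo renderOptionHardened($product), PHP_EOL;
var_dump(containsRawScriptTag(renderRowVulnerable($product)));
var_dump(containsRawScriptTag(renderRowHardened($product)));
```

Magento 1 block classes expose a comparable helper (htmlEscape(), later renamed escapeHtml()) that wraps the same htmlspecialchars call; the advisory's point is that it has to be applied at every display point, including the ones contributed by third-party modules, because nothing upstream has cleaned the data. Escaping at input time instead would not help here, since the same stored value is emitted into HTML element content, attribute values, and JavaScript in different templates, and each context needs its own encoding.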

- --
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAktCFkIACgkQkSlsbLsN1gAvpQb/VH2krfCKertSsXhFANajrmcL
7efU7cUQ2lJDBAXcbhojgf2G8wJEmShsj91TQ9juEvhG+3tVkffcMoUG2wFMnqrx
qRlS8gPCGIAdhIfLEpTeRHu2ANRpaJzrUrU9pAGHLPaRC+WTFrLlMfTK9k+jbutE
RTI2BgzDmX7cOz65CrKsQ4Y6TnNT2RscV1YL/c1VHJesgga7sRiPY/pdFW4mRCPg
ZcP0Bb78WEN1QAQl6nHtSEqZATvCnkbfiScKE6qfu2sksOlzNFUIqgSgME4mAJY1
grCgYAC/jMvY8jL4/Q8=
=eO2B
-----END PGP SIGNATURE-----

© 2024 Packet Storm. All rights reserved.