Archive for February 19th, 2013

Squirrelcart v3.5.4 (table) Remote Cross-Site Scripting Vulnerability

Squirrelcart suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘table’ GET parameter in the ‘index.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Squirrelcart XSS

Vendor:

Squirrelcart Security Patch #SC130218
Release date: 02/19/2013

XSS (Cross Site Scripting) vulnerability patch
Affected Squirrelcart versions: v2.0.0 – 3.5.4

How to find your version number:
———————————————————————
You can locate your Squirrelcart version in the upper right hand corner of your control panel.

Patch Info and Instructions
———————————————————————
This is a patch for protecting against a XSS (Cross Site Scripting) vulnerability that was discovered on 02/19/2013 by Zero Science Lab:
http://www.zeroscience.mk/. This vulnerability is due to the table parameter passed in the control panel not being sanitized properly,
and can result in HTML or Javascript being inserted into the page.

http://www.squirrelcart.com/downloads.php
http://www.squirrelcart.com/index.php?downloads=1&id=123

ZSL Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5128.php

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Input passed to the ‘dl’ parameter in ‘install.php’ script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack.


/install.php:
-------------

113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116: header('Cache-Control: no-cache, must-revalidate');
117: header('Pragma: no-cache');
118: header('Content-Disposition: attachment; filename="database.inc.php"');
119: header('Content-Transfer-Encoding: binary');
120: header('Content-Length: '.filesize($filename));
121: echo file_get_contents($filename);
122: unlink($filename);
123: exit();
124: }



Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php