  1. #1

    Security vulnerabilities in CS-Cart

    About a year ago I was evaluating some shopping cart software and came across CS-Cart. It looked nice, but I wanted to ensure it followed basic security recommendations.

    I found it does not, for example CSRF attacks are still possible through it. I alerted the developers, gave them a month to respond, they didn't, so I made my findings public.

    I was asked today if they are still valid and unfortunately they are.

    I can't post on their forums because I'm not a paying customer.

    If anyone uses CS-Cart or knows the developers, will you please find a way to pass on this information to them?

  2. #2
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear leftnode,

    We've heard about this problem some time ago, but that was about earlier CS-Cart versions; now it is solved, as far as we know.

    We are able to write on CS-cart forums and we'll be glad to alert developers about it and pass all the information.
    Could you please PM us with a detailed description of the problem with example?

    << signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:09 PM.

  3. #3
    Unfortunately it hasn't been fixed.

    Here's what I wrote a year ago about it: << removed link to own site >>

    The vulnerabilities are still largely there.
    Last edited by writespeak; 06-13-2011 at 12:10 PM.

  4. #4
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear leftnode,

    All vulnerabilities you've described are possible provided that the attacking side has the admin's rights. The point is the webstore software just can't guarantee the safety of the password and login; it depends on the administrator himself. If an admin is caught by any phishing site or any other malicious-site.com trick, it's not the store's fault but the admin's.

    Anyway, in the latest CS-Cart versions (2.1.3 has been released these days) it's possible to switch on the safety protection from CSRF in the configs.

    As to other vulnerabilities, since you wrote an article a year ago, many of them have already been fixed.

    << signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:10 PM.

  5. #5
    Sorry, that's a ridiculous excuse.

    While the Admin should be aware of phishing attacks, the vulnerability should be patched.

    Here's an example category I just created using the CSRF attack. Notice it also has an alert for JavaScript? So not only can I create a new category through a remote attack, I can inject malicious cross-site scripting code in it to attack anyone visiting the category.

    http://demo.cs-cart.com/professional/csrf-category.html

    Also, I don't see where it's an option to switch on protection in the Admin panel from their demo store. Point is, it shouldn't be an option to turn on or off.



    Additionally, I'm not sure why they have an issue admitting there's a security vulnerability. It happens to everyone, from Facebook to Google to Twitter. They've all had them at some point or another and are quickly patched. Fixing this is not difficult at all. Magento had the same error 2 years ago and they admitted to it and patched it. Why can't CS-Cart do the same?

  6. #6
    Join Date: Oct 2002 | Location: /roof/ledge | Posts: 28,088
    Quote Originally Posted by leftnode View Post
    Here's an example category I just created using the CSRF attack.
    Quote Originally Posted by altteam View Post
    As to other vulnerabilities, since you wrote an article a year ago, many of them have already been fixed.
    Do you represent that CS-Cart product here, altteam? I ask because that example was rather quickly removed, and you seem to be posting as if you're involved.

  7. #7
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear bear,

    The demo version is renewed every hour. Everything you've done in demo is deleted in an hour.

    Dear leftnode,

    Unfortunately, I couldn't see an example, sorry for coming too late.

    << signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:11 PM.

  8. #8
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear leftnode,

    we have put the blank web store on << link to own site removed >>

    If you are able to break into it, we'll get in touch with CS-Cart immediately and inform them about the vulnerability in the software.
    As to the case when an attacker gets rights to the admin panel, it's not important how exactly all the data will be deleted, because in this case it'll be possible to delete whatever he likes without any additional knowledge.

    << Signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:11 PM.

  9. #9
    You're not understanding what's going on. Here, read what a CSRF attack is: http://en.wikipedia.org/wiki/Cross-site_request_forgery

    In other words, the admin logs into the website and, while he has the session open, clicks on a malicious link which executes the exploit. Because I'm not an admin, the website wouldn't trust me. I'd have to send you an email mimicking an email from the website that you then click on to execute the attack.

    I've more than proved the attack still exists. I've alerted the CS-Cart team several times, you're now aware of it. Continue using your insecure software.

  10. #10
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear leftnode,

    Thank you for the clarification. We are discussing this question with CS-Cart now. We will keep this post informed.

    << Signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:12 PM.

  11. #11
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    The last several days we have been studying this problem as well as discussing it with CS-Cart.
    CSRF vulnerability is really possible not only in CS-Cart but also in most other web applications. As we have found out, there is no way to protect your application 100% from this vulnerability except closing the session before visiting dangerous resources (correct me if I'm wrong).
    Of course there is a way to strengthen protection a little, but does it make sense if the possibility of a CSRF attack will remain anyway?
    That's why the only thing we can do here is to give the general recommendation to administrators (of any web sites, not only CS-Cart) to keep in secret the link to the administration panel as well as to close session (sign out the admin panel) before visiting external resources.

    << Signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:14 PM.

  12. #12
    Join Date: Oct 2010 | Location: Brazil | Posts: 99
    I am interested in this thread, too.

    It's good to know about security issues from every cart system.

    My doubt is: if you don't know the ADMIN link (control panel) and the ADMIN logs out every time he uses the panel, where is the problem? Is it possible to be attacked?

  13. #13
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear DragonDF,

    Quote Originally Posted by DragonDF View Post
    I am interested in this thread, too.

    It's good to know about security issues from every cart system.

    My doubt is: if you don't know the ADMIN link (control panel) and the ADMIN logs out every time he uses the panel, where is the problem? Is it possible to be attacked?
    The answer is - no.
    In this case it's impossible to be attacked. You have 100% guaranteed security.

    << Signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:14 PM.

  14. #14
    Join Date: Oct 2010 | Location: Brazil | Posts: 99
    And where is the point of attack?

    In cookie session?


    Because I would need:
    1. Admin page link.
    2. Admin pass
    3. Admin not logout...

    You will need a big combination of things to make an attack (or be attacked).
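    The question of where the attack point is (post #14) and the description in post #9 of the admin's browser sending the request while the session is open come down to one mechanism: the browser attaches the session cookie to every request, including ones another site's page causes it to make, so the cookie alone cannot prove the admin intended the action. The following Python is an added illustration for this thread, not CS-Cart code, modelling a toy "create category" admin endpoint with a `csrf_protection` switch (mirroring the config option mentioned in post #4). With the switch off, a request carrying only the session cookie is accepted; with it on, the endpoint requires a per-session token that only the site's own form page can read, checks the browser-supplied Origin header, and escapes the stored name on output. All names and URLs in it are constructed for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo of an admin "create category" endpoint; none of this is CS-Cart code.
# The csrf_protection flag stands in for the "switch it on in the configs" option
# mentioned in the thread, so both settings can be compared on the same request.


@dataclass
class Session:
    user: str
    # Per-session secret that the legitimate admin form embeds as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict          # browsers attach these to every request, cross-site or not
    form: dict
    origin: Optional[str] = None   # Origin header browsers add to cross-site POSTs


class AdminApp:
    def __init__(self, site_origin: str, csrf_protection: bool):
        self.site_origin = site_origin
        self.csrf_protection = csrf_protection
        self.sessions: dict = {}
        self.categories: list = []

    def login(self, user: str) -> str:
        """Create a session and return the value the session cookie carries."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def form_token(self, sid: str) -> str:
        """Token rendered into the admin's own form; a page on another site cannot read it."""
        return self.sessions[sid].csrf_token

    def handle(self, req: Request) -> tuple:
        session = self.sessions.get(req.cookies.get("sid", ""))
        if session is None:
            return 401, "not logged in"
        if req.method == "POST" and req.path == "/admin/categories":
            if self.csrf_protection:
                # Reject requests the browser labels as coming from another site.
                if req.origin is not None and req.origin != self.site_origin:
                    return 403, "cross-site origin rejected"
                # Synchronizer token, compared in constant time against the session's token.
                submitted = req.form.get("csrf_token", "")
                if not hmac.compare_digest(submitted, session.csrf_token):
                    return 403, "missing or invalid csrf token"
            self.categories.append(req.form.get("name", ""))
            return 201, "category created"
        return 404, "not found"

    def render_category(self, index: int) -> str:
        """Escape on output so a stored name can never run as script in the storefront."""
        return "<h1>%s</h1>" % html.escape(self.categories[index])


def forged_request(sid: str) -> Request:
    """The request a page on another site can make a logged-in admin's browser send:
    the session cookie goes along automatically, but the token and Origin do not match."""
    return Request("POST", "/admin/categories", {"sid": sid},
                   {"name": "<script>alert(1)</script>"},
                   origin="https://attacker.example")


def demo(csrf_protection: bool) -> tuple:
    """Return (status of the forged request, number of categories afterwards)."""
    app = AdminApp("https://shop.example", csrf_protection)
    sid = app.login("admin")
    # The admin's own submission carries the form token and a same-site Origin.
    legitimate = Request("POST", "/admin/categories", {"sid": sid},
                         {"name": "Shoes", "csrf_token": app.form_token(sid)},
                         origin="https://shop.example")
    assert app.handle(legitimate)[0] == 201
    status, _ = app.handle(forged_request(sid))
    return status, len(app.categories)


if __name__ == "__main__":
    print("protection off:", demo(False))   # (201, 2): forged request accepted
    print("protection on: ", demo(True))    # (403, 1): forged request rejected
```

    Two points of the design matter for the thread's discussion. Keeping the admin URL secret or logging out after each use narrows the window but is not a control the application enforces; the token check is, because a cross-site page can trigger the request but cannot read the token out of the admin's form. Output escaping is independent of CSRF and addresses the stored-script part of post #5: whatever reaches the category name is rendered as text, not markup.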

  15. #15
    Join Date: Feb 2011 | Location: Russia, Ulianovsk | Posts: 27
    Dear DragonDF,

    leftnode gave a good link above. Have a look at Cross-site_request_forgery
    It'll help you to understand the point of the attack.

    << Signatures are to be set up via profiles only >>
    Last edited by writespeak; 06-13-2011 at 12:14 PM.

  16. #16
    Join Date: Oct 2010 | Location: Brazil | Posts: 99
    OK, thank you!
