-
02-10-2011, 10:43 PM #1Newbie
- Join Date
- Jan 2011
- Posts
- 7
Security vulnerabilities in CS-Cart
About a year ago I was evaluating some shopping cart software and came across CS-Cart. It looked nice, but I wanted to ensure it followed basic security recommendations.
I found it does not, for example CSRF attacks are still possible through it. I alerted the developers, gave them a month to respond, they didn't, so I made my findings public.
I was asked today if they are still valid and unfortunately they are.
I can't post on their forums because I'm not a paying customer.
If anyone uses CS-Cart or knows the developers, will you please find a way to pass on this information to them?
-
02-18-2011, 05:02 AM #2Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
Dear leftnode,
We heard about this problem some time ago, but that was about earlier CS-Cart versions; now it is solved, as far as we know.
We are able to write on the CS-Cart forums and we'll be glad to alert the developers about it and pass on all the information.
Could you please PM us with a detailed description of the problem with an example?
-
02-18-2011, 05:14 AM #3Newbie
- Join Date
- Jan 2011
- Posts
- 7
Unfortunately it hasn't been fixed.
Here's what I wrote a year ago about it: << removed link to own site >>
The vulnerabilities are still largely there.
-
02-18-2011, 06:13 AM #4Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
Dear leftnode,
All the vulnerabilities you've described are possible provided that the attacking side has the admin's rights. The point is the webstore software just can't guarantee the safety of the password and login; it depends on the administrator himself. If an admin is caught by any phishing site or any other malicious-site.com trick, it's not the store's fault, but the admin's.
Anyway, in the latest CS-Cart versions (2.1.3 has been released these days) it's possible to switch on the safety protection from CSRF in the configs.
As to other vulnerabilities, since you wrote an article a year ago, many of them have already been fixed.
-
02-18-2011, 06:20 AM #5Newbie
- Join Date
- Jan 2011
- Posts
- 7
Sorry, that's a ridiculous excuse.
While the Admin should be aware of phishing attacks, the vulnerability should be patched.
Here's an example category I just created using the CSRF attack. Notice it also has an alert for JavaScript? So not only can I create a new category through a remote attack, I can inject malicious cross-site scripting code in it to attack anyone visiting the category.
http://demo.cs-cart.com/professional/csrf-category.html
Also, I don't see where it's an option to switch on protection in the Admin panel from their demo store. Point is, it shouldn't be an option to turn on or off.
Additionally, I'm not sure why they have an issue admitting there's a security vulnerability. It happens to everyone, from Facebook to Google to Twitter. They've all had them at some point or another and are quickly patched. Fixing this is not difficult at all. Magento had the same error 2 years ago and they admitted to it and patched it. Why can't CS-Cart do the same?
-
02-18-2011, 09:17 AM #6
-
02-19-2011, 02:38 AM #7Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
Dear bear,
The demo version is renewed every hour. Everything you've done in demo is deleted in an hour.
Dear leftnode,
Unfortunately, I couldn't see an example, sorry for coming too late.
-
02-19-2011, 08:34 AM #8Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
Dear leftnode,
We have put the blank web store on << link to own site removed >>
If you are able to break into it, we'll get in touch with CS-Cart immediately and inform them about the vulnerability in the software.
As to the case when an attacker gets rights to the admin panel, it's not important how exactly all the data will be deleted, because in this case it'll be possible to delete whatever he likes without any additional knowledge.
-
02-19-2011, 08:43 AM #9Newbie
- Join Date
- Jan 2011
- Posts
- 7
You're not understanding what's going on. Here, read what a CSRF attack is: http://en.wikipedia.org/wiki/Cross-site_request_forgery
In other words, the admin logs into the website and, while he has the session open, clicks on a malicious link which executes the exploit. Because I'm not an admin, the website wouldn't trust me. I'd have to send you an email mimicking an email from the website that you then click on to execute the attack.
I've more than proved the attack still exists. I've alerted the CS-Cart team several times, you're now aware of it. Continue using your insecure software.
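The defence this thread is arguing about, shown as an added example that is not part of any post and is not CS-Cart's code: a per-session anti-CSRF token that the server checks on every state-changing admin request. The session model, the `csrf_token` field and the `categories.update` / `categories.delete` action names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must be read-only on the server


class AdminSession:
    """Server-side session record (hypothetical model, not CS-Cart's)."""

    def __init__(self):
        self.session_id = secrets.token_hex(16)     # sent to the browser as a cookie
        self.csrf_secret = secrets.token_bytes(32)  # stays on the server


def issue_token(session, action):
    """Token the admin panel embeds in the form it renders for `action`."""
    msg = f"{session.session_id}:{action}".encode()
    return hmac.new(session.csrf_secret, msg, hashlib.sha256).hexdigest()


def handle_request(sessions, method, action, cookie_sid, form):
    """Return an HTTP-style status code for one admin-panel request."""
    session = sessions.get(cookie_sid)
    if session is None:
        return 401  # no valid login at all
    if method in SAFE_METHODS:
        return 200  # reads need no token because they change nothing
    supplied = form.get("csrf_token", "")
    expected = issue_token(session, action)
    # Constant-time comparison; a missing token fails like a wrong one.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    return 200  # state change allowed


def demo():
    """Constructed requests: genuine form, forged cross-site post, replayed token."""
    admin = AdminSession()
    sessions = {admin.session_id: admin}
    token = issue_token(admin, "categories.update")  # hypothetical action name
    genuine = handle_request(sessions, "POST", "categories.update",
                             admin.session_id, {"category": "Books", "csrf_token": token})
    # The browser attaches the cookie automatically, but the other site cannot read the token.
    forged = handle_request(sessions, "POST", "categories.update",
                            admin.session_id, {"category": "injected"})
    # A token issued for one action is not accepted for another.
    replayed = handle_request(sessions, "POST", "categories.delete",
                              admin.session_id, {"csrf_token": token})
    return genuine, forged, replayed
```

The token only helps while pages on the store's own origin cannot be made to run injected script, so output encoding of fields such as category names is still required alongside it.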
-
02-19-2011, 11:42 AM #10Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
Dear leftnode,
Thank you for the clarification. We are now discussing this question with CS-Cart. We will keep this post informed.
-
02-22-2011, 11:03 AM #11Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
The last several days we have been studying this problem as well as discussing it with CS-Cart.
A CSRF vulnerability is really possible not only in CS-Cart but also in most other web applications. We have found out that there is no way to protect your application 100% from this vulnerability except closing the session before visiting dangerous resources (correct me if I'm wrong).
Of course there is a way to strengthen the protection a little, but does it make sense if the possibility of a CSRF attack will remain anyway?
That's why the only thing we can do here is to give the general recommendation to administrators (of any web sites, not only CS-Cart) to keep the link to the administration panel secret as well as to close the session (sign out of the admin panel) before visiting external resources.
-
02-23-2011, 11:43 PM #12Junior Guru Wannabe
- Join Date
- Oct 2010
- Location
- Brazil
- Posts
- 99
I am interested in this thread, too.
It's good to know about security issues from every cart system.
My doubt is: if you don't know the ADMIN link (control panel) and the ADMIN logs out every time he uses the panel, where is the problem? Is it possible to be attacked?
-
02-24-2011, 05:57 AM #13Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
-
02-24-2011, 07:03 PM #14Junior Guru Wannabe
- Join Date
- Oct 2010
- Location
- Brazil
- Posts
- 99
And where is the point of attack?
In cookie session?
Because, if I will need:
1. Admin page link.
2. Admin pass
3. Admin not logout...
You will need a big combination of things to make an attack (or be attacked).
-
02-25-2011, 04:39 AM #15Newbie
- Join Date
- Feb 2011
- Location
- Russia, Ulianovsk
- Posts
- 27
Dear DragonDF,
leftnode gave a good link above. Have a look at Cross-site_request_forgery
It'll help you to understand the point of the attack.
-
02-25-2011, 01:53 PM #16Junior Guru Wannabe
- Join Date
- Oct 2010
- Location
- Brazil
- Posts
- 99
OK, thank you!