[VIM] Zwahlen Online Shop

Steven M. Christey coley at linus.mitre.org
Wed Nov 8 17:44:00 EST 2006


On Fri, 3 Nov 2006, security curmudgeon wrote:

> Has anyone done analysis of this? Original disclosure:

Now we have; see analysis below from one of our senior analysts.  I don't
have specific code extracts.

> CVE-2006-5534 doesn't show provenance or include the usual disclaimer of
> the information coming from third party sources.

This was an accidental omission on our part.

- Steve


======================================================
Name: CVE-2006-5512
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5512
Acknowledged: no
Announced: 20061022
Flaw: XSS
Reference: BUGTRAQ:20061022 XSS in Zwahlen Online Shop
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/449467/100/0/threaded
Reference: MLIST:[VIM] 20061103 Zwahlen Online Shop
Reference: URL:http://attrition.org/pipermail/vim/2006-November/001106.html
Reference: BID:20682
Reference: URL:http://www.securityfocus.com/bid/20682
Reference: XF:zwahlen-article-xss(29753)
Reference: URL:http://xforce.iss.net/xforce/xfdb/29753

Cross-site scripting (XSS) vulnerability in article.htm in Zwahlen
Online Shop allows remote attackers to inject arbitrary web script or
HTML via the cat parameter.


Analysis:
ACCURACY: Unable to determine version. BUGTRAQ:20061022 says "there is
a XSS in Zwahlen's Online Shop. I can only test the free version, but
i think, other versions may be vulnerable, too." This statement
suggests this is a distributable product. Also, download sites can be
found through web searches for "Zwahlen Online Shop," with
zwahlen-informatik.ch apparently the primary site.

ACCURACY: CVE (Power) verified on 20061026 that the researcher's
exploit succeeds when using an essentially default installation of the
product.

ACCURACY: The download doesn't directly contain the article.htm and
index.htm files. To produce these files after installation, it's
apparently necessary to run FreeShop.exe, enter an e-mail address in
"Shop owner," and then select "Shop generate." Apparently, the files
are dynamically generated from a template that's built into the
FreeShop.exe executable. However, this initial setup process
apparently always produces a vulnerable article.htm file; no
customization is necessary for the vulnerability to exist.


======================================================
Name: CVE-2006-5534
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5534
Acknowledged: no
Announced: 20061024
Flaw: XSS
Reference: MLIST:[VIM] 20061103 Zwahlen Online Shop
Reference: URL:http://attrition.org/pipermail/vim/2006-November/001106.html
Reference: FRSIRT:ADV-2006-4160
Reference: URL:http://www.frsirt.com/english/advisories/2006/4160
Reference: SECUNIA:22571
Reference: URL:http://secunia.com/advisories/22571

Multiple cross-site scripting (XSS) vulnerabilities in index.htm in
Zwahlen Online Shop Freeware 5.2.2.50, and possibly earlier, allow
remote attackers to inject arbitrary web script or HTML via the (1)
cat, (2) Kat, (3) id, or (4) no parameters. NOTE: some of these
details are obtained from third party information.


Analysis:
ACCURACY: Source inspection by CVE (Power) on 20061026 confirmed that
these parameters are present, and reached a tentative conclusion that
the XSS may be persistent XSS for "Shop settings" data. However, this
was not verified.  In other words, some, but not all, details come
from FrSIRT and Secunia.

ACCURACY: The download doesn't directly contain the article.htm and
index.htm files. To produce these files after installation, it's
apparently necessary to run FreeShop.exe, enter an e-mail address in
"Shop owner," and then select "Shop generate." Apparently, the files
are dynamically generated from a template that's built into the
FreeShop.exe executable. The index.htm and article.htm files are
separate and have substantial differences.



