XSS Attack on customer's site running nopCommerce 2.5

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
I have a customer whose site has just been hacked using what I suspect to be a XSS attack. The customer claims he uploaded a couple of product pictures through the product section of the admin. A few minutes later, he noticed that the image links in the category section of the site were broken. He inspected the URL and it pointed to another site of some company he had never heard of.

I checked the modification dates of the web site's files on the server and none of them were modified. My guess is that no code was inserted into any of nopCommerce's files. I have seen a similar intrusion before, but the attacker gained entry to an FTP account.

At a complete loss for how it could have happened, I restarted the site via the admin and noted that the image URLs were magically restored. Within a few hours, however, the broken images containing the URL to the other site returned. This time it appeared to only affect the two images my customer had uploaded. The attack isn't specific to a session; it happens across browsers and platforms.

My guess is that the site is being hacked through some kind of XSS scripting that is non-persistent. The code could be lying dormant in some database table, but given the numerous tables and records, it would be like trying to find a needle in a haystack.

Currently, I have a hunch that it is using some Cross-Site Request Forgery or CWE:

http://cwe.mitre.org/data/definitions/352.html

The following link describes a good example of how it can be done:

http://stackoverflow.com/questions/3260744/broken-images-in-xss-attacks

Although I haven't checked, I have a hunch that the session could have been hijacked by not having the HTTPONLY attribute set to true:

https://www.nopcommerce.com/boards/t/19949/sensitive-cookie-missing-httponly-attribute-pci-compliance.aspx

Apparently, this issue was fixed in version 2.7, but since my customer is running 2.5, it's likely that this fix hasn't been implemented.

Can anyone provide suggestions for how the site could be compromised? Can setting HTTPONLY via the web.config solve this issue? How can such an intrusion take place without persisting any code, whether through the file system or the database?

Any pointers in the right direction would be greatly appreciated.

Thanks.
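On the "needle in a haystack" point, one way to find where an injected URL is actually stored is to search every string column of the store's database for the foreign hostname. The following T-SQL is an added example, not code from this thread or from nopCommerce; it assumes the default SQL Server back end, and the hostname in @needle is a placeholder to replace with the one seen in the broken image links.

```sql
-- Added example (not from the thread or nopCommerce): scan every string
-- column in the current database for an injected hostname.
-- Assumes SQL Server; @needle is a placeholder value, not a real indicator.
DECLARE @needle NVARCHAR(200) = N'injected-host.example';
DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME, @sql NVARCHAR(MAX);

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (TableName SYSNAME, ColumnName SYSNAME, HitCount INT);

-- Only base tables, only textual columns (binary picture data is skipped).
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects the dynamic SQL from odd identifiers; the needle
    -- itself goes in as a parameter, never concatenated into the statement.
    SET @sql = N'INSERT INTO #hits SELECT @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CAST(' + QUOTENAME(@column)
             + N' AS NVARCHAR(MAX)) LIKE N''%'' + @n + N''%'';';
    EXEC sp_executesql @sql,
         N'@t SYSNAME, @c SYSNAME, @n NVARCHAR(200)',
         @t = @table, @c = @column, @n = @needle;
    FETCH NEXT FROM cols INTO @schema, @table, @column;
END
CLOSE cols;
DEALLOCATE cols;

-- Tables and columns that contain the hostname, most hits first.
SELECT TableName, ColumnName, HitCount
FROM #hits
WHERE HitCount > 0
ORDER BY HitCount DESC;
```

Any row returned points at the exact table to inspect (and to snapshot before cleaning), which also tells you whether the change was persisted in data rather than in files.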
9 years ago
Some hosting companies offer a DNS security option; it prevents man-in-the-middle type attacks or modification of the DNS records cache, and will add an additional layer of protection.
9 years ago
How is this related to DNS? Also, how can they get access to the DNS records? Thanks.
9 years ago
I'm not a specialist in this area, but you can look at "dns cache poisoning attack" and "dns harlem shake attack". Basically, they were able to inject code into the TXT field of the DNS record if the DNS server doesn't do sanitization on that field.
9 years ago
Hi ralphberger,

Did you find some solution at the end?
The same happened to me. A couple of days ago the links were replaced with broken baidu.com or ly.com links.
I put all the information in:

https://www.nopcommerce.com/boards/t/26045/fake-url-injection-in-homepage-nop-300-site.aspx?p=3#138169

I would appreciate very much if you had any findings to share them there.
Thanks!

Kind regards,
Antonio
9 years ago
There are a few threads about this issue going back to nop 2.5.
It happened to my website and I'm running 3.5, and it occurred with 3.4!

https://www.nopcommerce.com/boards/t/33803/nop-35-feature-images-changed.aspx

Is there a vulnerability with nopCommerce?

I'm keen to find a solution. If the broken image links happen again, I'm going to SSL everywhere...