The ProductCart ASP shopping cart is vulnerable to a SQL injection attack which allows administrative access to the control panel.
4f9ef8763b86d76d3f50234d4399dd48e218739d71bee1deacdd0f9c58129c81$Id: bosen-adv.7,v1 25/06/2003 bosen Exp $
1ndonesian Security Team (1st)
Bosen Advisory #7 ProductCart SQL Injection
25/06/2003
ProductCart SQL Injection Vulnerability
_______________________________________________________________________________
1ndonesian Security Team (1st)
http://bosen.net/releases/
==============================================================================================
Security Advisory
Advisory Name: ProductCart SQL Injection Vulnerability
Release Date: 06/20/2003
Application:
ProductCart v1.5
ProductCart v1.5002
ProductCart v1.5003
ProductCart v1.5003r
ProductCart v1.5004
ProductCart v1.6b
ProductCart v1.6br
ProductCart v1.6br001
ProductCart v1.6br003
ProductCart v1.6b001
ProductCart v1.6b002
ProductCart v1.6b003
ProductCart v1.6002
ProductCart v1.6003
ProductCart v2
ProductCart v2br000
Platform: Win32/MSSQL
Severity: High
BUG Type: SQL Injection
Author: Bosen <mobile@bosen.net>
Discover by: Bosen <mobile@bosen.net>
Vendor Status: See below.
Vendor URL: http://www.earlyimpact.com/
Reference: http://bosen.net/releases/
Overview:
From the web
"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce
features with time-saving store management tools and remarkable ease of use."
From the author
"Even the application is not Open Source, but we can 'debug' the application
on the fly. And with SQL Injection we can query some information about the tables
and database, even the data it self. With more work will couse ability to access into
the admin control panel site."
Details:
The error msg of the application handled very good, but not that good. Couse still have
XSS injection vulnerbility (read my previous advisories). Those error handler would make
exploitation very difficult to do.
But, not all script handled by those error handler script.
For example Custva.asp, its still vulnerable to SQL Injection.
But the worst is, on the admin control panel which is can be injected by old famous
SQL injection 'or 1=1--'. Which makes you able to get access into admin control panel
without needing any access.
Exploits/POC:
file Custva.asp
http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--&_email=email
&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit
file login.asp
http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--
Vendor Response:
Contacted.
quick fix released.
http://www.earlyimpact.com/productcart/support/security-alert-070403.asp
Recommendation:
a quick patch posted on
http://www.zone-h.org/en/advisories/read/id=2611/
http://www.earlyimpact.com/productcart/support/security-alert-070403.asp
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced application
security assessment. Based in Indonesia, 1ndonesian Security Team offers best of
breed security consulting services, specialising in application, host and network
security assessments.
1st provides security information and patches for use by the entire 1st community.
This information is provided freely to all interested parties and may be
redistributed provided that it is not altered in any way, 1st is appropriately
credited and the document retains.
Greetz to:
AresU, TioEuy, sakitjiwa, muthafuka, alphacentury
All 1ndonesian Security Team - #hackers@austnet.org/centrin.net.id
Bosen <mobile@bosen.net>
======================
Original document can be fount at http://bosen.net/releases/?id=40
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed