exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xt:Commerce 3.x Second Order SQL Injection

xt:Commerce 3.x Second Order SQL Injection
Posted Feb 17, 2011
Authored by Felix

xt:Commerce 3 suffers from a second order SQL injection vulnerability that can be leveraged to reset passwords of arbitrary users and administrators.

tags | exploit, arbitrary, sql injection
SHA-256 | 9e3a37b7a87b6f0a5036cf569879b12c6788f73c69e4a9ca19a78276984e9a6f

xt:Commerce 3.x Second Order SQL Injection

Change Mirror Download
            xt:Commerce 3.X Second Order SQL Injection Vulnerability 
(xtc_validate_email)
felix |at| malloc.im
===============================================================================

Overview:

xt:Commerce 3 is an open source shopping software based on osCommerce.
It is vulnerable to a second order SQL injection attack that can be used
to reset the password of arbitary users and admins

Risk: Critical

Details:

xt:Commerce 3.X is vulnerable to a second order SQL injection
in the password_double_opt.php file. The script uses the deprecated
eregi
function (http://php.net/manual/en/function.eregi.php) to
validate customer e-mail addresses:

function xtc_validate_email($email) {
$valid_address = true;

$mail_pat = '^(.+)@(.+)$';
$valid_chars = "[^] \(\)<>@,;:\.\\\"\[]";
$atom = "$valid_chars+";
$quoted_user='(\"[^\"]*\")';
$word = "($atom|$quoted_user)";
$user_pat = "^$word(\.$word)*$";
$ip_domain_pat='^
\[([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]$';
$domain_pat = "^$atom(\.$atom)*$";

if (eregi($mail_pat, $email, $components)) {

.....
.....
return $valid_address;
}



eregi is vulnerable to nullbyte injections, the function considers
an embedded nullbyte as the end of the string and won't parse
characters after it.

This means a string like "foo@example.com\00' SQL INJECTION" will
pass the xtc_validate_email function.

The account_edit.php file allows registered customers
to change their email address and executes the following code:

....

$email_address = xtc_db_prepare_input($_POST['email_address']);
// xtc_db_prepare_input is a wrapper for stripslashes()
...
if (strlen($email_address) < ENTRY_EMAIL_ADDRESS_MIN_LENGTH) {
$error = true;
$messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR);
}
if (xtc_validate_email($email_address) == false) {
$error = true;
$messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
}

After that the variable $email_address is stored in the database
using a prepared statement that is not vulnerable to a SQL injection.

The final step of this attack abuses the password recovery
function in the password_double_opt.php file:

....
if (isset ($_GET['action']) && ($_GET['action'] == 'verified')){
$check_customer_query = xtc_db_query("select customers_id,
customers_email_address, password_request_key from ".TABLE_CUSTOMERS.
"where customers_id = '".(int)$_GET['customers_id']."'
and password_request_key = '".xtc_db_input($_GET['key'])."'");
$check_customer=xtc_db_fetch_arr($check_customer_query);
....
$newpass=xtc_create_random_value(ENTRY_PASSWORD_MIN_LENGTH);
$crypted_password=xtc_encrypt_password($newpass);
.....
xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '
".$crypted_password."' where customers_email_address = '
".$check_customer['customers_email_address']."'");

As you can see the stored email (customers_email_address) is extracted
out
of the database and is used without escaping for the UPDATE query in
the
last line.
This enables an attacker to set the password of an arbitary user or
admin to the generated random string, which will be send to the
email address before the nullbyte.

Exploit:

The following steps can reproduce the attack:

1. Register as a customer with an valid mail address (foo@evil.com)
2. Use the password recovery function to request a new password.
You will get an verification email with a randomized url you
need in step 4.
3. Change your email address in the customer area
to abuse the SQL Injection:
foo@evil.com\0 or customers_id = 1
4. Visit the url specified in the verification email.
This will change the password of the administrator
with id 1. This new password will arrive per mail.

Fix:

Change $check_customer['customers_email_address'] to
xtc_db_input($check_customer['customers_email_address']
and insert the following line at the beginning
of the xtc_validate_email function:

if (strpos($email,"\0")!==false) {return false;}

This bug was reported in January 11 but no official
patch is available.


Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close