$Id: bosen-adv.7,v1 25/06/2003 bosen Exp $

1ndonesian Security Team (1st) Bosen Advisory #7
ProductCart SQL Injection
25/06/2003

ProductCart SQL Injection Vulnerability
_______________________________________________________________________________

1ndonesian Security Team (1st)
http://bosen.net/releases/
==============================================================================

Security Advisory

Advisory Name:  ProductCart SQL Injection Vulnerability
Release Date:   06/20/2003
Application:    ProductCart v1.5
                ProductCart v1.5002
                ProductCart v1.5003
                ProductCart v1.5003r
                ProductCart v1.5004
                ProductCart v1.6b
                ProductCart v1.6br
                ProductCart v1.6br001
                ProductCart v1.6br003
                ProductCart v1.6b001
                ProductCart v1.6b002
                ProductCart v1.6b003
                ProductCart v1.6002
                ProductCart v1.6003
                ProductCart v2
                ProductCart v2br000
Platform:       Win32/MSSQL
Severity:       High
BUG Type:       SQL Injection
Author:         Bosen
Discovered by:  Bosen
Vendor Status:  See below.
Vendor URL:     http://www.earlyimpact.com/
Reference:      http://bosen.net/releases/

Overview:

From the web:
"ProductCart(R) is an ASP shopping cart that combines sophisticated ecommerce
features with time-saving store management tools and remarkable ease of use."

From the author:
"Even though the application is not Open Source, we can 'debug' the
application on the fly. And with SQL Injection we can query some information
about the tables and database, even the data itself. With more work, this
gives the ability to get into the admin control panel site."

Details:

The application's error messages are handled well, but not that well: the
error pages still carry an XSS vulnerability (read my previous advisories).
Those error handlers make exploitation of most scripts very difficult, but not
every script is covered by the error handler script. Custva.asp, for example,
is still vulnerable to SQL Injection. Worse still, the admin control panel
login can be injected with the old, well-known SQL injection 'or 1=1--', which
grants access to the admin control panel without any credentials.

Exploits/POC:

file Custva.asp
http:///productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--&_email=email&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit

file login.asp
http:///produccart/pdacmin/login.asp?idadmin='' or 1=1--

Vendor Response:

Contacted. Quick fix released.
http://www.earlyimpact.com/productcart/support/security-alert-070403.asp

Recommendation:

A quick patch is posted at:
http://www.zone-h.org/en/advisories/read/id=2611/
http://www.earlyimpact.com/productcart/support/security-alert-070403.asp

1ndonesian Security Team (1st) Advisory: http://bosen.net/releases/

About 1ndonesian Security Team:

1ndonesian Security Team researches and develops intelligent, advanced
application security assessment. Based in Indonesia, 1ndonesian Security Team
offers best-of-breed security consulting services, specialising in
application, host and network security assessments. 1st provides security
information and patches for use by the entire 1st community. This information
is provided freely to all interested parties and may be redistributed provided
that it is not altered in any way, 1st is appropriately credited and the
document retains.

Greetz to: AresU, TioEuy, sakitjiwa, muthafuka, alphacentury
All 1ndonesian Security Team - #hackers@austnet.org/centrin.net.id

Bosen
======================
Original document can be found at http://bosen.net/releases/?id=40
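The two payload shapes in this advisory ('or 1=1-- against the admin login and ' having 1=1-- against the customer login) both work for the same reason: the ASP page pastes the request parameter into the SQL text. The following is an added example, not ProductCart's code or the vendor's fix. It uses SQLite in place of MSSQL and a made-up admins table (the table and column names are assumptions; only the idadmin parameter name comes from the advisory) to contrast the string-built login query with a parameterized one, and adds a small log-side check for the payload shapes as a defence-in-depth signal.

```python
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    """Constructed stand-in for the ProductCart admin table (assumed schema).
    SQLite stands in for the MSSQL backend named in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (idadmin TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct horse')")
    conn.commit()
    return conn


def vulnerable_sql(idadmin, password):
    """Build the query the way the vulnerable login does: request parameters
    are concatenated straight into the SQL text."""
    return ("SELECT COUNT(*) FROM admins WHERE idadmin='" + idadmin
            + "' AND password='" + password + "'")


def login_vulnerable(conn, idadmin, password):
    """Login check over string-built SQL. A value such as ' or 1=1-- closes
    the quoted literal, appends an always-true condition and comments out the
    password comparison, so the count is non-zero for any password."""
    row = conn.execute(vulnerable_sql(idadmin, password)).fetchone()
    return row[0] > 0


def login_parameterized(conn, idadmin, password):
    """Same check with bound parameters: the values travel separately from
    the SQL text, so a quote or -- in the input is compared as data against
    the column and never parsed as SQL syntax."""
    row = conn.execute(
        "SELECT COUNT(*) FROM admins WHERE idadmin=? AND password=?",
        (idadmin, password),
    ).fetchone()
    return row[0] > 0


def looks_like_injection(raw_param):
    """Cheap request-log check for the two payload shapes in this advisory.
    Decodes the URL-encoded form first (the Custva.asp PoC is sent encoded).
    This is a detection signal for log review, not a substitute for the
    parameterized query above."""
    v = unquote_plus(raw_param).lower()
    return "--" in v and ("or 1=1" in v or "having 1=1" in v)


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1--"
    print("vulnerable, real creds:   ", login_vulnerable(db, "admin", "correct horse"))
    print("vulnerable, bypass:       ", login_vulnerable(db, bypass, "anything"))
    print("parameterized, real creds:", login_parameterized(db, "admin", "correct horse"))
    print("parameterized, bypass:    ", login_parameterized(db, bypass, "anything"))
    print("log check on PoC param:   ", looks_like_injection("%27+having+1%3D1--"))
```

The vulnerable path returns true for the bypass value with any password, while the parameterized path only succeeds for the real credentials; the same contrast holds for classic ASP with ADODB.Command parameters instead of string concatenation, which is the change a fix for this class of bug has to make.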