S-Quadra Advisory #2004-01-23 Topic: QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities Severity: High Vendor URL: http://www.quadcomm.com Advisory URL: http://www.s-quadra.com/advisories/Adv-20040123.txt Release date: 23 Jan 2004 1. DESCRIPTION Q-Shop is a shopping cart application for e-commerce enabled sites. It's written on ASP, works on most Windows platforms and uses MS Access or MS SQL Server as a backend. Please visit http://www.quadcomm.com for information about Q-Shop shopping cart. 2. DETAILS -- Vulnerability 1: SQL Injection vulnerabilities An SQL Injection vulnerabilities have been found in the following scripts: search.asp, browse.asp, details.asp, showcat.asp, users.asp, addtomylist.asp, modline.asp, cart.asp, newuser.asp User supplied input is not filtered before being used in a SQL query. Consequently, query modification using malformed input is possible. Successfull exploitation of this vulnerability could allow an attacker in the worst case to execute arbitrary commands on a target's system (via MS SQL xp_cmdshell function). -- Vulnerability 2: Cross Site Scripting vulnerabilities Cross Site Scripting vulnerabilities have been found in the following scripts: imagezoom.asp, recommend.asp By injecting a specially crafted javascript code in url and tricking a user to visit it a remote attacker can steal user session id and gain access to user's personal data. 3. FIX INFORMATION S-Quadra alerted QuadComm development team to these issues on 16 Jan 2004. No response has been received. No fix available at the time of writing. 4. CREDITS Nick Gudov is responsible for discovering this issue. 5. ABOUT S-Quadra offers services in computer security, penetration testing and network assesment, web application security, source code review and third party product vulnerability assesment, forensic support and reverse engineering. Security is an art and our goal is to bring responsible and high quality security service to the IT market, customized to meet the unique needs of each individual client. S-Quadra, (pronounced es quadra), is not an acronym. It's unique, creative and innovative - just like the security services we bring to our clients. S-Quadra Vendor Report #2004-01-23