- $Id: bosen-adv.7,v1 25/06/2003 bosen Exp $
-
- 1ndonesian Security Team (1st)
- Bosen Advisory #7 ProductCart SQL Injection
- 25/06/2003
-
-
-
-
- ProductCart SQL Injection Vulnerability
- _______________________________________________________________________________
-
-
- 1ndonesian Security Team (1st)
- http://bosen.net/releases/
- ==============================================================================================
- Security Advisory
-
-
-
- Advisory Name: ProductCart SQL Injection Vulnerability
- Release Date: 06/20/2003
- Application:
- ProductCart v1.5
- ProductCart v1.5002
- ProductCart v1.5003
- ProductCart v1.5003r
- ProductCart v1.5004
- ProductCart v1.6b
- ProductCart v1.6br
- ProductCart v1.6br001
- ProductCart v1.6br003
- ProductCart v1.6b001
- ProductCart v1.6b002
- ProductCart v1.6b003
- ProductCart v1.6002
- ProductCart v1.6003
- ProductCart v2
- ProductCart v2br000
- Platform: Win32/MSSQL
- Severity: High
- BUG Type: SQL Injection
- Author: Bosen <mobile@bosen.net>
- Discovered by: Bosen <mobile@bosen.net>
- Vendor Status: See below.
- Vendor URL: http://www.earlyimpact.com/
- Reference: http://bosen.net/releases/
-
-
-
- Overview:
- From the web
- "ProductCart® is an ASP shopping cart that combines sophisticated ecommerce
- features with time-saving store management tools and remarkable ease of use."
- From the author
- "Even though the application is not Open Source, we can 'debug' the application
- on the fly. And with SQL Injection we can query some information about the tables
- and database, even the data itself. With more work, this will give the ability to
- access the admin control panel site."
-
-
-
- Details:
- The application handles its error messages very well, but not well enough, because it
- still has an XSS injection vulnerability (read my previous advisories). Those error
- handlers would make exploitation very difficult.
- But not all scripts are covered by that error handler script.
- For example, Custva.asp is still vulnerable to SQL injection.
-
- But the worst is the admin control panel, which can be injected with the old, famous
- SQL injection 'or 1=1--'. This makes it possible to get into the admin control panel
- without having any authorized access.
-
-
- Exploits/POC:
- file Custva.asp
- http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--&_email=email
- &password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit
-
- file login.asp
- http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--
-
-
-
- Vendor Response:
- Contacted.
- Quick fix released.
- http://www.earlyimpact.com/productcart/support/security-alert-070403.asp
-
-
- Recommendation:
- A quick patch is posted at:
- http://www.zone-h.org/en/advisories/read/id=2611/
- http://www.earlyimpact.com/productcart/support/security-alert-070403.asp
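
The login bypass described under Details, shown as a vulnerable query pattern beside its hardened form. This is an added example, not ProductCart's code or the vendor's patch: the table and column names, the numeric type of idadmin, and the use of SQLite in place of MSSQL are assumptions made so the example runs offline.

```python
import re
import sqlite3

# Constructed stand-in for the admin table. Table and column names are assumptions,
# SQLite replaces the MSSQL back end, and the plaintext password only keeps it short.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (idadmin INTEGER PRIMARY KEY, adminpassword TEXT)")
    db.execute("INSERT INTO admins VALUES (1001, 'constructed-secret')")
    return db

def login_concatenated(db, idadmin, password):
    """Vulnerable pattern: request values are pasted into the SQL text."""
    sql = ("SELECT idadmin FROM admins WHERE idadmin=" + idadmin +
           " AND adminpassword='" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, idadmin, password):
    """Hardened pattern: validate the type, then bind values as parameters."""
    if not re.fullmatch(r"[0-9]{1,9}", idadmin):   # idadmin assumed numeric
        return False
    row = db.execute(
        "SELECT idadmin FROM admins WHERE idadmin=? AND adminpassword=?",
        (int(idadmin), password)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    poc_value = "'' or 1=1--"   # idadmin value quoted in the advisory for login.asp
    for name, fn in (("concatenated", login_concatenated),
                     ("parameterized", login_parameterized)):
        print(name,
              "| valid login:", fn(db, "1001", "constructed-secret"),
              "| wrong password:", fn(db, "1001", "wrong"),
              "| advisory value:", fn(db, poc_value, "x"))
```

In the concatenated form the `--` comments out the password comparison and `or 1=1` matches every row, so the check passes with no valid account; in the bound form the same value is rejected before any query runs.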
-
-
-
- 1ndonesian Security Team (1st) Advisory:
- http://bosen.net/releases/
-
-
-
- About 1ndonesian Security Team:
- 1ndonesian Security Team researches and develops intelligent, advanced application
- security assessment. Based in Indonesia, 1ndonesian Security Team offers best of
- breed security consulting services, specialising in application, host and network
- security assessments.
-
- 1st provides security information and patches for use by the entire 1st community.
-
- This information is provided freely to all interested parties and may be
- redistributed provided that it is not altered in any way, 1st is appropriately
- credited and the document retains.
-
-
- Greetz to:
- AresU, TioEuy, sakitjiwa, muthafuka, alphacentury
- All 1ndonesian Security Team - #hackers@austnet.org/centrin.net.id
-
-
-
-
-
-
-
- Bosen <mobile@bosen.net>
- ======================
- Original document can be found at http://bosen.net/releases/?id=40
-