TornadoStore 1.4.3 SQL Injection

` Bonsai Information Security - Advisory  
http://www.bonsai-sec.com/research/  
  
Multiple SQL Injection in TornadoStore 1.4.3  
  
  
1. *Advisory Information*  
  
Title: Multiple SQL Injection in TornadoStore 1.4.3  
Advisory ID: BONSAI-2010-0106  
Advisory URL:  
http://www.bonsai-sec.com/research/vulnerabilities/tornadostore-multiple-sql-injection-0106.php  
Date published: 2010-06-29  
Vendors contacted: TornadoStore  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: SQL Injection  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
CVE Name: CVE-2010-1327  
  
  
3. *Software Description*  
  
TornadoStore™ is an ecommerce platform. The objective is to solve integrally  
the commercialization of products and services of companies using an online   
payment system. [0].  
  
4. *Vulnerability Description*  
  
SQL injection is a code injection technique that exploits a security   
vulnerability occurring in the database layer of an application. The   
vulnerability is present when user input is either incorrectly filtered for   
string literal escape characters embedded in SQL statements or user input   
is not strongly typed and thereby unexpectedly executed.   
  
For additional information, please look at the references [1], [2] and [3].  
  
  
5. *Vulnerable packages*  
  
Version <= 1.4.3  
  
  
6. *Non-vulnerable packages*  
  
TornadoStore developers informed us that all users should upgrade to the latest   
version of TornadoStore, which fixes this vulnerability. More information to be   
found here:  
http://www.tornadostore.com/  
  
  
7. *Credits*  
  
This vulnerability was discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).  
  
  
8. *Technical Description*  
  
8.1 A SQL injection vulnerability was found in the abm_list.php script, more   
specifically in the 'where' variable. The vulnerability can be triggered by  
logging into TornadoStore Control Panel and browsing to:  
  
http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where='  
  
8.2 A Blind SQL injection vulnerability was found in the precios.php script, more   
specifically in the 'marca' variable. The vulnerability can be triggered by  
browsing to:  
  
http://www.example.com/precios.php3?marca=12'  
  
  
9. *Report Timeline*  
  
- 2010-02-02:  
Vulnerabilities were identified.  
  
- 2010-02-08:  
Vendor confirmed these vulnerabilities.  
  
- 2010-02-16:  
Vendor contacted for an approximate fix release date. No specific answer given.  
  
- 2010-06-24:  
The vulnerability is still there.  
  
- 2010-06-29:  
The advisory BONSAI-2010-0106 is published.  
  
  
10. *References*  
  
[0] http://www.tornadostore.com  
[1] http://www.owasp.org/index.php/SQL_injection  
[2] http://www.owasp.org/index.php/Blind_SQL_Injection  
[3] http://en.wikipedia.org/wiki/SQL_injection  
  
11. *About Bonsai*  
  
Bonsai is a company involved in providing professional computer information security services.  
Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina,   
we are fully committed to quality service, and focused on our customers' real needs.  
  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be   
distributed freely provided that no fee is charged for this distribution and proper credit is   
given.  
  
`