xt:Commerce 3.x Second Order SQL Injection

Type packetstorm
Reporter Felix
Modified 2011-02-17T00:00:00


                                            ` xt:Commerce 3.X Second Order SQL Injection Vulnerability   
felix |at| malloc.im  
xt:Commerce 3 is an open source shopping software based on osCommerce.  
It is vulnerable to a second order SQL injection attack that can be used  
to reset the password of arbitary users and admins  
Risk: Critical  
xt:Commerce 3.X is vulnerable to a second order SQL injection  
in the password_double_opt.php file. The script uses the deprecated  
function (http://php.net/manual/en/function.eregi.php) to   
validate customer e-mail addresses:  
function xtc_validate_email($email) {  
$valid_address = true;  
$mail_pat = '^(.+)@(.+)$';  
$valid_chars = "[^] \(\)<>@,;:\.\\\"\[]";  
$atom = "$valid_chars+";  
$word = "($atom|$quoted_user)";  
$user_pat = "^$word(\.$word)*$";  
$domain_pat = "^$atom(\.$atom)*$";  
if (eregi($mail_pat, $email, $components)) {  
return $valid_address;  
eregi is vulnerable to nullbyte injections, the function considers  
an embedded nullbyte as the end of the string and won't parse  
characters after it.  
This means a string like "foo@example.com\00' SQL INJECTION" will  
pass the xtc_validate_email function.  
The account_edit.php file allows registered customers  
to change their email address and executes the following code:  
$email_address = xtc_db_prepare_input($_POST['email_address']);  
// xtc_db_prepare_input is a wrapper for stripslashes()  
if (strlen($email_address) < ENTRY_EMAIL_ADDRESS_MIN_LENGTH) {  
$error = true;  
$messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR);  
if (xtc_validate_email($email_address) == false) {  
$error = true;  
$messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);  
After that the variable $email_address is stored in the database  
using a prepared statement that is not vulnerable to a SQL injection.  
The final step of this attack abuses the password recovery  
function in the password_double_opt.php file:  
if (isset ($_GET['action']) && ($_GET['action'] == 'verified')){   
$check_customer_query = xtc_db_query("select customers_id,   
customers_email_address, password_request_key from ".TABLE_CUSTOMERS.  
"where customers_id = '".(int)$_GET['customers_id']."'   
and password_request_key = '".xtc_db_input($_GET['key'])."'");   
xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '  
".$crypted_password."' where customers_email_address = '  
As you can see the stored email (customers_email_address) is extracted  
of the database and is used without escaping for the UPDATE query in  
last line.  
This enables an attacker to set the password of an arbitary user or  
admin to the generated random string, which will be send to the   
email address before the nullbyte.  
The following steps can reproduce the attack:  
1. Register as a customer with an valid mail address (foo@evil.com)  
2. Use the password recovery function to request a new password.   
You will get an verification email with a randomized url you  
need in step 4.  
3. Change your email address in the customer area  
to abuse the SQL Injection:  
foo@evil.com\0 or customers_id = 1  
4. Visit the url specified in the verification email.   
This will change the password of the administrator  
with id 1. This new password will arrive per mail.  
Change $check_customer['customers_email_address'] to  
and insert the following line at the beginning  
of the xtc_validate_email function:  
if (strpos($email,"\0")!==false) {return false;}  
This bug was reported in January 11 but no official  
patch is available.