eStore SQL Injection Vulnerability & Path Disclosure

2003-07-18T00:00:00
ID SECURITYVULNS:DOC:4868
Type securityvulns
Reporter Securityvulns
Modified 2003-07-18T00:00:00

Description

1ndonesian Security Team (1st)
http://bosen.net/releases/
==============================================================
Security Advisory

Advisory Name: eStore SQL Injection Vulnerability & Path Disclosure
Release Date: 07/15/2003
Application: eStore 1.0.1, eStore 1.0.2, eStore 1.0.2b
Platform: PHP
Severity: High
Bug Type: SQL Injection
Author: Bosen <mobile@bosen.net>
Discovered by: Bosen <mobile@bosen.net>
Vendor Status: See below.
Vendor URL: http://www.brooky.com/
Reference: http://bosen.net/releases/

Overview:

"eStore is a FREE* e-commerce store programmed using PHP and MySQL!" For a feature list, see the vendor's page at http://www.brooky.com/; I'm not their sales department.

Details:

SQL Injection in /admin/login.php

The admin login handler builds its query by concatenating the submitted username straight into the SQL string. Only the password is transformed (MD5) before use; $user is neither escaped nor validated, so a single quote in the username closes the string literal and the rest of the value is parsed as SQL, which lets an attacker comment out the password check or inject an always-true condition. The excerpt never assigns $user and $pass from $_POST or $_GET, and the vendor patch below tests $_POST['user'] while escaping $user, so the application appears to rely on register_globals; that is also why the proof of concept passes the parameters in the query string.

    [...]
    if ($user && $pass) {  // If the user has just tried to log in
        $passwd = md5($pass);
        // $user is interpolated unescaped: this is the injection point
        $query = "select * from ".$prefix."store_config where user='$user' and pass=('$passwd')";
        $result = mysql_query($query);
        if (mysql_num_rows($result) > 0) {
            // if they are in the database register the user for the session
            $admin = $user;
            session_register("admin");
        }
    }
    // Redirect user to request page on successful authentication
    if (session_is_registered("admin")) {
        echo "<Script language=\"javascript\">window.location=\"index.php\"</script>";
    }
    // If not display error messages
    [...]

Path Disclosure

Request the include file directly:

    http://[target]/admin/settings.inc.php

Called outside the application's include chain, the script has no database connection, its MySQL call fails, and the resulting error output reveals the script's full filesystem path on the server.

Exploits/POC:

    http://[target]/admin/login.php?pass=1st&user=<your SQL injection payload>

Vendor Response: Contacted. Patch/security fix released.

Recommendation:

- Enable magic_quotes_gpc in php.ini
- Use addslashes()
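The following is an added example, not code from the advisory or from eStore. It models the login query quoted in the Details section and the fix the recommendation implies, in Python against an in-memory SQLite table so it runs offline: the vulnerable function reproduces the string-building from login.php (MD5 of the password, raw interpolation of the username) and the hardened function binds both values as parameters instead. The table contents, credentials and payload are constructed for the demo; SQLite stands in for MySQL, and the payload uses "-- " (with a trailing space), which both engines treat as a comment to end of line. Backslash escaping (addslashes) is not modelled because SQLite does not honour backslash escapes in string literals the way MySQL does.

```python
"""Added example: eStore-style admin login, vulnerable and hardened.

Not from the advisory or from eStore. Credentials, table contents and the
payload are constructed for the demonstration.
"""
import hashlib
import sqlite3

PREFIX = ""                      # stands in for $prefix from the eStore config
ADMIN_USER = "admin"             # constructed sample account
ADMIN_PASS = "s3cret"


def md5_hex(password: str) -> str:
    # eStore stores md5($pass) unsalted; reproduced only to mirror login.php.
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory store_config table with one constructed admin row."""
    con = sqlite3.connect(":memory:")
    con.execute("create table store_config (user text, pass text)")
    con.execute("insert into store_config values (?, ?)",
                (ADMIN_USER, md5_hex(ADMIN_PASS)))
    return con


def build_vulnerable_query(user: str, password: str) -> str:
    """Same concatenation as login.php: $user lands inside the SQL unescaped."""
    return ("select * from " + PREFIX + "store_config where user='" + user
            + "' and pass=('" + md5_hex(password) + "')")


def login_vulnerable(con: sqlite3.Connection, user: str, password: str) -> bool:
    """Runs the concatenated query; mirrors mysql_num_rows($result) > 0."""
    rows = con.execute(build_vulnerable_query(user, password)).fetchall()
    return len(rows) > 0


def login_hardened(con: sqlite3.Connection, user: str, password: str) -> bool:
    """Bound parameters: the username is data and is never parsed as SQL.

    The table name still comes from configuration (PREFIX), never from the
    request, because identifiers cannot be bound as parameters.
    """
    rows = con.execute(
        "select * from " + PREFIX + "store_config where user=? and pass=?",
        (user, md5_hex(password)),
    ).fetchall()
    return len(rows) > 0


# Constructed payload. The trailing space matters: MySQL only treats "--" as a
# comment when whitespace follows it. Everything after it, including the
# password check, is discarded, so the admin row matches on username alone.
PAYLOAD_USER = "admin' -- "

if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD_USER, "anything"))
    print("vulnerable login bypassed:", login_vulnerable(make_db(), PAYLOAD_USER, "anything"))
    print("hardened login bypassed:  ", login_hardened(make_db(), PAYLOAD_USER, "anything"))
```

Escaping with addslashes() or magic_quotes_gpc does stop this particular payload, but it is a fragile fix: it only protects values that sit inside quotes, it depends on the connection character set, and magic_quotes_gpc was later removed from PHP (5.4). Binding the username and password hash as parameters, as in login_hardened above, removes the injection point regardless of the payload.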

Patch:

in login.php

    ----- CODE MODIFIED -----
    if ($_POST['user'] && $_POST['pass']) {
        $user = addslashes($user);
        $pass = addslashes($pass);
    ---------------- END ---------------

Note that the vendor's condition tests $_POST['user'] and $_POST['pass'] but escapes $user and $pass, so the escaping only takes effect where register_globals has populated those variables; the query that follows is otherwise unchanged.

in edit_settings.inc.php

    ----- CODE MODIFIED AT START OF CODE -----
    $sql_select = mysql_query("select * from ".$prefix."store_config");
    // fix for path disclosure: fail with a generic page instead of a PHP/MySQL error
    if (!$sql_select) {
        $home_url = $_SERVER['HTTP_HOST'];
        echo "<h1>MySQL Connection failed</h1>
        <p>Why?</p>
        <p>1. Because you are visiting settings.inc.php directly in your browser. Please return to the home URL http://$home_url.</p>
        <p>2. Because your database settings could be incorrect or there is a problem with the MySQL engine.</p>
        <p>If you continually see this message contact your hosting company or visit <a href=\"http://cubecart.com\" target=\"_blank\">http://cubecart.com</a></p>";
        exit;
    }

1ndonesian Security Team (1st) Advisory: http://bosen.net/releases/

About 1ndonesian Security Team: 1ndonesian Security Team researches and develops intelligent, advanced application security assessments. Based in Indonesia, 1ndonesian Security Team offers best-of-breed security consulting services, specialising in application, host and network security assessments.

1st provides security information and patches for use by the entire 1st community.

This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, 1st is appropriately credited and the document retains.

Bosen <mobile@bosen.net>

Original document can be found at http://bosen.net/releases/?id=45