AlegroCart 1.2.6 - SQL Injection Vulnerability

Document Title:
===============
AlegroCart 1.2.6 - SQL Injection Vulnerability



Release Date:
=============
2011-07-19


Vulnerability Laboratory ID (VL-ID):
====================================
3


Product & Service Introduction:
===============================
AlegroCart v1.2.1 is a shop cms what is based on the OpenCart shop engine.

* MVC Framework
* Modular Design
* Supports Custom Addon Modules
* Multi-lingual Capability
* Worldwide Country Support
* Countries and States can be enabled or disabled
* Geo Zones for Tax & Shipping
* Multiple Tax & Weight Classes
* One-Click Currency Updater for all currencies enabled
* Automatic Currency update when alternate currency selected.
* Template system allows HTML and PHP code.
* Multiple Templates Supported.
* Separate selectable Styles
* NEW Selectable Color Styles
* Modular Design Temples allow reuse of tpl modules
* Maintenance Mode
* SSL Support
* Stock Level Control
* Ajax Add-to-Cart with Image Animation to Cart
* Product Pricing with Options Updated in real time..
* Dynamic Category Menu, CSS and Ajax Driven.
* Product Downloads
* HomePage Module: display flash or image files and optional text files.
* Contains default meta tag information.
* Serialized input forms to enhance security. 


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovers a SQL Injection Vulnerability on AlegroCart what is based on OpenCart.


Vulnerability Disclosure Timeline:
==================================
0000-00-00: Verified by Vulnerability-Lab
0000-00-00: Secure Vendor Notification
0000-00-00: Vendor Reply/Feedback
0000-00-00: Fix/Patch Vulnerability
0000-00-00: Discovery by Vulnerability-Lab


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A SQL Injection vulnerability is detected on AlegroCart v1.2.1 on the page listing. An attacker can inject own sql statements over a not 
secure parsed request. The PageListing allows to compromise the application dbms via a simple sql injection attack.


			[+] Page Listing


Proof of Concept (PoC):
=======================
This vulnerability can be exploited by remote attackers ...

File:		any-article.html
Path:		/page/-1%27
Example:	http://[SERVER]/[PATH]/[ANYFILE].html/page/-[SQL-Statement]
References:	http://www.xxx.com/demo/hitachi.html/page/-[SQL-Injection]

--- Error SQL Log ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-8, 4' at line 1
Error No: 1064 select * from product p left join product_description pd on (p.product_id = pd.product_id) left join image i on (p.image_id = i.image_id) 
where pd.language_id = '1' and p.manufacturer_id = '8' and p.date_available < now() and p.status = '1' order by pd.name asc limit -8, 4



Solution - Fix & Patch:
=======================
Use a bound parameter via prepared statement to fix the security issue on ths shopping cart application.


Security Risk:
==============
The security risk  of the vulnerability is estimated as high because of pre-auth remote attack technic.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory