SecurityTracker.com
Category:   Application (Commerce)  >   phpShop Project Vendors:   phpshop.org
phpShop Multiple Input Validation Flaws Permit SQL Injection, Cross-Site Scripting, and Disclosure of Customer Data
SecurityTracker Alert ID:  1008746
SecurityTracker URL:  http://securitytracker.com/id/1008746
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 16 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Version(s): 0.6.1-b and possibly prior versions
Description:   Several vulnerabilities were reported in phpShop. A remote user can inject SQL commands. A remote authenticated user can obtain customer data from the database. A remote user can also conduct cross-site scripting attacks.

JeiAr of the GulfTech Security Research Team reported that the software does not properly validate some user-supplied variables. A remote user can inject SQL commands to be executed on the underlying database via the 'page' or 'product_id' variables. Some demonstration exploit URLs are provided:

/?page=[Evil_Query]
/?page=shop/cart&func=cartAdd&product_id=[Evil_Query]
/?page=shop/browse&category_id=&offset=[Evil_Query]

It is also reported that a remote authenticated user can query the 'account/shipto' module to gain information about arbitrary customers or the administrator account. Information that is available reportedly includes the Address Nickname, Company Name, Last Name, First Name, Middle Name, Address, City, State, Zip Code, Country, Telephone, and Fax Number. A demonstration exploit URL is provided:

/?page=account/shipto&user_info_id=[Valid User ID]

It is also reported that a remote user can conduct cross-site scripting attacks against users or administrators. The software reportedly does not filter HTML code from user-supplied input in the shipping information. A remote user can submit an order with specially crafted shipping information. Then, when a target administrator views the order, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

A variety of other cross-site scripting flaws are reported, as the software reportedly echoes many user-supplied variables without validation. One demonstration exploit URL is provided:

/?page=admin/index&GulfTech="><script>alert(document.cookie)</script>

Many other examples are provided in the Source Message.

The vendor was reportedly notified in early December 2003.

Impact:   A remote user can inject SQL commands to be executed on the underlying database.

A remote user can view potentially sensitive customer data.

A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpshop.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  phpShop Vulnerabilities




Vendor  : phpShop Project
URL     : http://www.phpshop.org
Version : phpShop 0.6.1-b && Earlier Versions(??)
Risk    : Multiple Vulnerabilities



Description:
phpShop is a PHP-based e-commerce application and PHP development framework. 
phpShop offers the basic features needed to run a successful e-commerce web 
site and to extend its capabilities for multiple purposes. phpShop uses a 
nice development framework that allows web developers to easily extend its 
functionality through the use of modules. Its web-box architecture makes it 
easy to understand and work with, while providing powerful function management 
capabilities for your web application needs. It is one of the most popular
php SQL driven e-commerce solutions available today.



SQL Injection Vulnerability:
phpShop is prone to SQL injection when updating a session. The issues can
be exploited via injection of SQL Commands issued to the "page" variable. 
The same issue is also present when adding an item to the shopping cart via 
the "product_id" variable. While not as serious, the offset variable is also
prone to SQL Injection. The offset injection is not likely to be exploited.

Below are examples of the vulnerabilities mentioned above.

/?page=[Evil_Query]
/?page=shop/cart&func=cartAdd&product_id=[Evil_Query]
/?page=shop/browse&category_id=&offset=[Evil_Query]

It should also be noted that even if an attacker cannot successfully execute a
malicious query, they can inject code thus allowing for Cross Site Scripting.



User Information Disclosure Vulnerability:
It is possible for a user to gain a great deal of information about any customer
by querying the "account/shipto" module. All that is required is to be logged in
under a valid account. One can then also view the administrator's information. As
we can see from the below code, there is no check to see if the person querying
the information belongs to the account he/she queries.

<?php
  // Original phpShop account/shipto lookup as quoted in the advisory.
  // $user_info_id comes straight from the request (register_globals style).
  if ($user_info_id) {
    // The id is interpolated into the query unquoted/unescaped, and the query
    // never ties the record to the logged-in customer's own account.
    $q = "SELECT * from user_info WHERE user_info_id='$user_info_id'";
    $db->query($q);
    $db->next_record();
  }
?>

Example: /?page=account/shipto&user_info_id=[Valid User ID] 

The User IDs usually start around number 18 - 20, so it is easy to guess. An
attacker can then view the info of any customer. The information includes

Address Nickname, Company Name, Last Name, First Name, Middle Name, Address,
City, State, Zip Code, Country, Telephone, Fax Number

This is obviously not good and can be useful in aiding an attacker in other
attacks, such as social engineering, and password enumeration. Not to mention
it greatly violates the privacy of the customer.
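The following is an added example, not phpShop's code and not part of the GulfTech advisory. It shows a hardened form of the account/shipto lookup quoted above that addresses both the missing ownership check described in this section and the string-interpolated SQL the SQL injection section describes. It assumes a PDO connection $pdo, the logged-in customer's id in $_SESSION['user_id'], and an owner column user_id on the user_info table (all assumptions; phpShop's own $db object and session layout are not used).

```php
<?php
// Added example (not phpShop's code). Hardened account/shipto lookup:
//   1. the address record is returned only if it belongs to the logged-in
//      customer, so an authenticated user cannot enumerate other customers;
//   2. the id is validated and bound as a parameter instead of being
//      interpolated into the SQL string.
// Assumptions: a PDO connection $pdo, the customer id in $_SESSION['user_id'],
// and a user_id owner column on user_info.

function load_shipto(PDO $pdo, int $session_user_id, string $raw_user_info_id): ?array
{
    // Reject anything that is not a plain positive integer before it reaches SQL.
    if ($raw_user_info_id === '' || !ctype_digit($raw_user_info_id)) {
        return null;
    }
    $user_info_id = (int) $raw_user_info_id;

    // Ownership is enforced in the WHERE clause: a valid but foreign id
    // simply returns no row.
    $stmt = $pdo->prepare(
        'SELECT * FROM user_info WHERE user_info_id = :id AND user_id = :owner'
    );
    $stmt->execute([':id' => $user_info_id, ':owner' => $session_user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage at the top of the shipto page (DSN and credentials are placeholders).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
$pdo = new PDO('mysql:host=localhost;dbname=phpshop', 'shop', 'PLACEHOLDER_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$record = load_shipto($pdo, (int) $_SESSION['user_id'], (string) ($_GET['user_info_id'] ?? ''));
if ($record === null) {
    // Same response for "does not exist" and "not yours": no id-guessing oracle.
    http_response_code(404);
    exit('Address not found');
}
```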



Script Injection Vulnerability:
An attacker can input malicious script or HTML into his shipping information.
This will then be executed by an administrator or shop owner when viewing the
attacker's order. It may be used by an attacker to have an administrator carry
out commands or execute administrative functions unknowingly.



Cross Site Scripting:
Cross Site Scripting in phpShop is just insane. It takes place on almost any and
every page. This is not an exaggeration either unfortunately. This takes place
because a large number, if not majority of the variables a user passes to the script
via the GET method are printed directly to screen using php echo with NO type of
sanitizing at all. Furthermore, any page you try and visit that you do not have
access to will allow XSS because ANY variable you pass to the get method will be
stored in the login form as a hidden field. 

/?page=admin/index&GulfTech="><script>alert(document.cookie)</script>

Will allow for Cross Site Scripting, strangely enough. Like I said before, XSS is
possible on just about every page of phpShop, so I am not going to spend hours 
making a list of hundreds of instances of the XSS vulns, but a handful of examples 
are provided below.

/?page=shop/browse&category_id="><script>alert(document.cookie)</script>
/?func="><script>alert(document.cookie)</script>
/?login="><script>alert(document.cookie)</script>
/?page=account/shipto&user_info_id="><script>alert(document.cookie)</script>
/?page=shopper/index&module_description="><script>alert(document.cookie)</script>
/?page=shopper/menu&menu_label="><script>alert(document.cookie)</script>
/?page=shopper/menu&shopper_list_mn="><script>alert(document.cookie)</script>
/?page=shopper/menu&modulename="><script>alert(document.cookie)</script>
/?page=shopper/menu&shopper_group_list_mnu="><script>alert(document.cookie)</script>
/?page=shopper/menu&shopper_group_form_mnu="><script>alert(document.cookie)</script>
/?page=vendor/index&module_description="><script>alert(document.cookie)</script>
/?page=vendor/index&menu_label="><script>alert(document.cookie)</script>
/?page=vendor/index&sess="><script>alert(document.cookie)</script>
/?page=vendor/index&leftbar_title_bgcolor="><script>alert(document.cookie)</script>
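The following is an added example, not phpShop's code and not part of the advisory. It shows how the login form's hidden fields described above (every GET parameter re-emitted into the form) can be written so that the "><script> payloads listed here stay inside the attribute value. The function names and the assumption that the login page forwards the original query string are mine, not phpShop's.

```php
<?php
// Added example (not phpShop's code). Output-encoding for the login form's
// hidden fields. The advisory shows that unescaped GET values let a payload
// such as "><script>... close the value="..." attribute; encoding every name
// and value with htmlspecialchars(ENT_QUOTES) keeps the quote and angle
// brackets inert. Assumption: the login page re-submits the original query.

function e(string $s): string
{
    // ENT_QUOTES encodes both quote styles, so the attribute cannot be closed;
    // ENT_SUBSTITUTE avoids returning an empty string on malformed UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hidden_fields(array $params): string
{
    $html = '';
    foreach ($params as $name => $value) {
        // Forward only scalar values; nested arrays (a[]=1) are not form state.
        if (!is_scalar($value)) {
            continue;
        }
        // Forward only identifier-like names; anything else cannot be a real
        // phpShop variable and is dropped instead of being echoed back.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $name)) {
            continue;
        }
        $html .= '<input type="hidden" name="' . e((string) $name)
               . '" value="' . e((string) $value) . "\">\n";
    }
    return $html;
}

// Demonstration with the advisory's payload as constructed input; the quote
// and the angle brackets are emitted as entities and the browser renders
// the payload as plain attribute text rather than as markup.
$query = [
    'page'     => 'admin/index',
    'GulfTech' => '"><script>alert(document.cookie)</script>',
];
echo hidden_fields($query);
```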



Solution:
The developers were first notified of this issue early in December 2003. Initially we
kept in touch and exchanged ideas on the best way to resolve these issues. However, I have
not heard from the developers in over two weeks. I have tried reaching them via both
email and their forum to no avail. I do know that a fix/update is being developed, but
due to lack of communication I have no idea on the current progress of that. My advice
to phpShop owners/webmasters is to keep an eye on phpshop.org for a fix. It has been
in development for roughly a month so I am pretty sure it will be public soon.



Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org
