CactuShop Input Validation Holes in 'mailorder.asp' and 'payonline.asp' Let Remote Users Inject SQL Commands and Execute Operating System Commands
SecurityTracker Alert ID: 1009601|
SecurityTracker URL: http://securitytracker.com/id/1009601
(Links to External Site)
Date: Mar 31 2004
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network|
Vendor Confirmed: Yes Exploit Included: Yes |
Some vulnerabilities were reported in CactuShop. A remote user can inject SQL commands and execute arbitrary operating system commands. A remote user can also conduct cross-site scripting attacks.|
S-Quadra reported that the 'mailorder.asp' and 'payonline.asp' scripts do not properly validate user-supplied input in the 'strItems' parameter. A remote user can reportedly supply a specially crafted URL to execute SQL commands on the underlying database. This can be used to invoke the xp_cmdshell() function to execute operating system commands, the advisory noted.
A demonstration exploit value for 'payonline.asp' that will execute the 'dir c:' command is provided:
It is also reported that the 'largeimage.asp'script does not filter HTML scripting code from user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CactuShop software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A demonstration exploit URL is provided:
The original advisory is available at:
The vendor was reportedly notified on March 11, 2004. After the initial fix failed to fully correct the problem, the vendor was reportedly notified on March 16 and 26, 2004, without response.
A remote user can execute SQL commands on the underlying database, including operating system commands.|
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CactuShop software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
No solution was available at the time of this entry.|
On March 15, 2004 the vendor reportedly issued a fix but S-Quadra indicates that the fix did not fully correct the vulnerabilities.
Vendor URL: www.cactushop.com/main/default.asp (Links to External Site)
Input validation error|
|Underlying OS: Windows (NT), Windows (2000), Windows (2003)|
Source Message Contents
S-Quadra Advisory #2004-03-31
Topic: CactuSoft CactuShop v5.x shopping cart software multiple security
Vendor URL: http://www.cactushop.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040331.txt
Release date: 31 Mar 2004
CactuShop is an ASP application for running an e-commerce web site. It
incorporates a databased catalogue system, front end pages for product
navigation, back end pages for updating product details and robust
basket code for memorizing product selections as a visitor moves around
the web site. ASP software is designed to run on a Microsoft NT or Win
2000 server and to use MS Access, MS SQL Server or MySQL as a backend.
Please visit http://www.cactushop.com for information about CactuShop
-- Vulnerability 1: SQL Injection vulnerability
An SQL Injection vulnerability has been found in following scripts :
'mailorder.asp' and 'payonline.asp'. User supplied input parameter is
'strItems' not filtered before being used in an SQL query. Thus the
query modification through malformed input is possible.
Successful exploitation of this vulnerability can enable an attacker
to execute commands in the system (via MS SQL xp_cmdshell function).
-- Vulnerability 2: Cross Site Scripting vulnerability found in
user to visit it a remote attacker can steal user session id and gain
access to user's personal data.
Platform: MS SQL Server as a backend
Posting this data to 'payonline.asp' executes 'dir c:' command
-- Vulnerability 2:
3. FIX INFORMATION
11 Mar 2004: S-Quadra alerted CactuSoft (CactuShop developers) on these
15 Mar 2004: CactuSoft response:
"1) SQL Injection
On payonline.asp and all mailorder pages the strItems field is now
parsed for single-quote (') characters before being used with database
queries. Single quotes are escaped (replaced with 2 single-quotes) to
ensure SQL Injection won't work.
The strImageTag field is parse for HTML tags characters (< and >) and
are removed from the string. This should ensure against <script> and any
other HTML tags.
This can be tested on the demo of the new CactuShop v5.1
16 Mar 2004: S-Quadra tested patched version of CactuShop.
Vulnerabilities not fixed. New PoC Code:
For SQL Injection
16 Mar 2004: S-Quadra alerted CactuSoft about new PoC Code.
26 Mar 2004: S-Quadra alerted CactuSoft about new PoC Code.
From 03.16.2004 Cactusoft dropped their communication with us so no
further response has been received therefore no new Fix information is
Nick Gudov, chief security researcher at S-Quadra <firstname.lastname@example.org>
has detected above mentioned vulnerabilities.
S-Quadra dedicates its substantial knowledge and resources to managing
clients' IT security risks. S-Quadra audits and protection for software
and networks implement pioneering methods and ground-breaking
S-Quadra Advisory #2004-03-31