Date: 5 Jul 2003 06:39:15 -0000
From: Massimo Arrigoni <support@...lyimpact.com>
To: bugtraq@...urityfocus.com
Subject: Re: Another ProductCart SQL Injection Vulnerability


In-Reply-To: <1057289439.3f04f4dfaf159@...mail.bosen.net>

Instructions on how to address this security issue:
 
-------------------------------------------------------------------
 
Users of ProductCart v1.5 and before:
Please contact Early Impact ASAP to update to a later version of 
ProductCart. Send a message to support@...lyimpact.com. The update is free.
 
-------------------------------------------------------------------
 
Users of ProductCart v1.6:
Open the file "pcadmin/login.asp" and replace the following lines:
 
pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
 
with
 
pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
pIdAdmin=replace(pIdAdmin,"--","")
If NOT isNumeric(pIdAdmin) then
    response.redirect "msg.asp?message=1"
    response.end
end if
pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
 
-------------------------------------------------------------------

Users of ProductCart v2:
Replace "pcadmin/login.asp" with an updated version of this file that you 
can request immediately by contacting Early Impact at 
support@...lyimpact.com
 
-------------------------------------------------------------------

We have already notified all ProductCart resellers of the above. We will 
also notify within the next few hours all ProductCart users that have 
purchased the software directly from us.

At Early Impact we are working day and night to make our application as 
secure as it can be. If you have any questions, please contact us at 
support@...lyimpact.com

Best Regards,

The Early Impact Team
 

>Message-ID: <1057289439.3f04f4dfaf159@...mail.bosen.net>
>Date: Fri,  4 Jul 2003 10:30:39 +0700
>From: Bosen <mobile@...en.net>
>To: bugs@...uritytracker.com, bugtraq@...urityfocus.com
>Subject: Another ProductCart SQL Injection Vulnerability
>
>ProductCart SQL Injection Vulnerability
>_______________________________________________________________________________
>
>
>1ndonesian Security Team (1st)
>http://bosen.net/releases/
>===============================================================================
>Security Advisory
>
>
>
>Advisory Name: ProductCart SQL Injection Vulnerability
> Release Date: 06/20/2003
>  Application: 
>               ProductCart v1.5  
>               ProductCart v1.5002                 
>               ProductCart v1.5003                 
>               ProductCart v1.5003r                 
>               ProductCart v1.5004  
>               ProductCart v1.6b  
>               ProductCart v1.6br  
>               ProductCart v1.6br001  
>               ProductCart v1.6br003
>               ProductCart v1.6b001
>               ProductCart v1.6b002                              
>               ProductCart v1.6b003               
>               ProductCart v1.6002
>               ProductCart v1.6003
>               ProductCart v2
>               ProductCart v2br000                                   
>     Platform: Win32/MSSQL
>     Severity: High
>     BUG Type: SQL Injection
>       Author: Bosen <mobile@...en.net>
>Discovered by: Bosen <mobile@...en.net>
>Vendor Status: See below.
>   Vendor URL: http://www.earlyimpact.com/
>    Reference: http://bosen.net/releases/
>
>
>
>Overview:
>From the web
>"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce
>features with time-saving store management tools and remarkable ease of use."
>From the author
>"Even the application is not Open Source, but we can 'debug' the application
>on the fly. And with SQL Injection we can query some information about the
>tables and database, even the data itself. With more work will cause ability
>to access into the admin control panel site."
>
>
>
>Details:
>The error msg of the application handled very good, but not that good. Cause
>still have XSS injection vulnerability (read my previous advisories). Those
>error handler would make exploitation very difficult to do.
>But, not all script handled by those error handler script.
>For example Custva.asp, it's still vulnerable to SQL Injection.
>
>But the worst is, on the admin control panel which is can be injected by old
>famous SQL injection 'or 1=1--'. Which makes you able to get access into admin
>control panel without needing any access.
>
>
>
>Exploits/POC:
>file Custva.asp
>http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--&_email=email&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit
>
>file login.asp
>http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--
>
>
>
>Vendor Response:
>Contacted. No response yet.
>
>
>
>Recommendation:
>No recommendation for this.
>
>
>
>1ndonesian Security Team (1st) Advisory:
>http://bosen.net/releases/
>
>
>
>About 1ndonesian Security Team:
>1ndonesian Security Team, research and develop intelligent, advanced
>application security assessment. Based in Indonesia, 1ndonesian Security Team
>offers best of breed security consulting services, specialising in
>application, host and network security assessments.
>
>1st provides security information and patches for use by the entire 1st
>community.
>
>This information is provided freely to all interested parties and may be
>redistributed provided that it is not altered in any way, 1st is
>appropriately credited and the document retains.
>
>
>Greetz to:
>AresU, TioEuy, sakitjiwa, muthafuka, alphacentury 
>All 1ndonesian Security Team - #hackers@...tnet.org/centrin.net.id
>
>
>
>
>
>
>
>Bosen <mobile@...en.net>
>======================
>Original document can be found at http://bosen.net/releases/?id=40
>
>
>
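
Why the v1.6 patch adds a type check on top of quote doubling, shown as an added example that is not Early Impact's code. Python with sqlite3 stands in for ASP and MSSQL here, and the table, the column names and the query shape (the id concatenated unquoted) are assumptions, since the page does not show the query.

```python
import re
import sqlite3

ID_RE = re.compile(r"[0-9]{1,9}")  # ASCII digits only, bounded length


def make_db():
    """Constructed sample data: one admin row in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (idadmin INTEGER, adminpassword TEXT)")
    db.execute("INSERT INTO admins VALUES (1, 'stored-ciphertext')")
    return db


def login_quote_doubling(db, id_admin, password):
    """Pre-patch v1.6 handling: double single quotes, then concatenate."""
    id_admin = id_admin.replace("'", "''")
    password = password.replace("'", "''")
    # Assumed query shape: the id is used unquoted, as a number.
    sql = ("SELECT idadmin FROM admins WHERE idadmin=" + id_admin +
           " AND adminpassword='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_hardened(db, id_admin, password):
    """Strict type check first, then bound parameters, no concatenation."""
    if not ID_RE.fullmatch(id_admin):
        return False
    row = db.execute(
        "SELECT idadmin FROM admins WHERE idadmin=? AND adminpassword=?",
        (int(id_admin), password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    reported = "'' or 1=1--"  # the idadmin value quoted in the advisory
    for name, fn in (("quote doubling", login_quote_doubling),
                     ("hardened", login_hardened)):
        print(name, "valid login:", fn(db, "1", "stored-ciphertext"),
              "| reported input:", fn(db, reported, "wrong"))
```

VBScript's isNumeric also accepts forms such as "1e3", so a digits-only check is the stricter test. In classic ASP the bound-parameter form is an ADODB.Command with Parameters rather than a concatenated string.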

