lists.openwall.net: Open Source and information security mailing list archives
From: npguy at ysgnet.com (01security)
Subject: Serious Possible SQL Injection in munchahouse.com Ecommerce site

Possible SQL Injection in munchahouse.com
_____________________________________________________
Original release date: Jan 09, 2003
Last revised: Jan 09, 2003
Advisory ID: 24
Released by: 01 Security Submission
Copyright: 2003-2004 by YSGNet* 01 Security
______________________________________________________
Severity: High .. very critical
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information
Issue: Remote attackers can obtain complete control of the database server

Legal Notice:
_____________________________________________________
You may not distribute this advisory in whole or in part without written permission. You may NOT modify it and distribute it, or distribute parts of it, without the written permission of 01Security.

Disclaimer:
_____________________________________________________
01Security is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. 01Security bears no responsibility for the content or misuse of this advisory or any derivatives thereof.

About Munchahouse.com
_____________________________________________________
Munchahouse.com is an e-commerce site that currently sells various products. It is one of the popular shopping sites in South Asia.

Description:
_____________________________________________________
Some vulnerabilities have been discovered in the munchahouse Shopping Cart, which can be exploited by malicious people to conduct SQL injection attacks. The vulnerabilities are caused by insufficient input validation. This can be exploited to manipulate existing SQL queries by including arbitrary SQL code. Successful exploitation may disclose sensitive information, allow manipulation of database content (e.g. adding new administrative users), or in the worst case allow execution of arbitrary code.
Impact
_____________________________________________________
The vulnerabilities allow any user to launch SQL injection attacks, which could reveal a range of information. Database tables can be dropped, modified or created. Procedure-level attacks can be launched.

Proof of concept
_____________________________________________________
The following example demonstrates how SQL queries can be injected in your web site. Other exploitation has been omitted due to security concerns.

Creation of a new table in the database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Type the following in the browser address bar:

http://www.muncha.com/browse.asp?catid=11;create table tsttable(tstcol1 int, testcol2 varchar(10))--

Note: change the table name if it already exists. You can see this new table with the help of your SQL client.

This example is mentioned here only to prove that the site is vulnerable to SQL injection. A lot of damage can be done by exploiting this vulnerability. For example, tables can be dropped, prices of goods can be changed, passwords can be stolen or changed, and even your web site can be shut down or defaced. In other words, the whole database would be under the control of a potential attacker.

Solution
_____________________________________________________
Proper string parsing should be in place. Files used for administration should only be accessible after proper authentication. To prevent these disastrous situations, 01security has some suggestions which can minimize the threats:

1. Escape single quotes (') in any input.
2. Escape semicolons (;).
3. Reject known bad input like "select", "insert", "update", "delete", "drop", "--", "'" etc.
4. Suppress error messages.
5. Regularly monitor your SQL error log file.

Background info
_________________________________________________________
* Jan 09, 2004: The vendor has been informed, but the response was very late and seemed to ignore the actual facts.
The response we got was as follows: "I reviewed your report but as I am busy with my new site", and we were surprised to get "And as I use to receive notification as any error occurs on the site and from last few months I am receiving lots of error notice and useless users in my site I can understand it is due to your staff. that are working on my site. But we want you to stop working on our site. We are now unable to coup up with you, sorry for that. Due to our new site work is going on we will be unable to do anything beside it.", sent by a so-called senior programmer, Sailen Karmacharya <sailen@...cha.com> of Munchahouse Pvt Ltd.

Credit
_________________________________________________________
This vulnerability was discovered by 01 Security members. Special thanks to minNapper.

About 01 Security
_________________________________________________________
01 Security is one of the leading IT security groups in Nepal, providing IT security services and products.

01 Security Contact
_________________________________________________________
ZerOne Laboratory
YSGNet*
37/74, Kathmandu - 9, Nepal
Phone: 977-01-4467794 (time: 11am to 6pm, Monday off)
Email: info@...ecurity.com
URL: http://www.01security.com
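The Solution section above leans on escaping quotes and rejecting keywords, yet the proof-of-concept URL contains no quote at all because catid is numeric, so type validation plus a bound parameter is the check that actually closes this hole. As an added example that is not part of the advisory, the following Python/sqlite3 model of a browse page shows the concatenating query beside a hardened one; executescript() stands in for a driver that runs batched statements, and the product table, its columns and the browse functions are constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the shop's catalogue table (sample data, not the real site).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, catid INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                     [(1, 11, "tea", 2.5), (2, 11, "coffee", 4.0), (3, 12, "rice", 1.2)])
    conn.commit()
    return conn

# The advisory's catid value, exactly as it would arrive in the query string.
INJECTED_CATID = "11;create table tsttable(tstcol1 int, testcol2 varchar(10))--"

def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)

def browse_vulnerable(conn, catid):
    """Builds the query by string concatenation, as the advisory describes.
    executescript() models a driver that runs every statement in the batch,
    so the injected CREATE TABLE executes right after the SELECT."""
    sql = "SELECT name FROM products WHERE catid = " + catid
    conn.executescript(sql)
    return table_names(conn)

def parse_catid(raw):
    """Accept only a short decimal integer; anything else never reaches SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError("catid must be a positive integer")
    return int(raw)

def browse_hardened(conn, raw_catid):
    """Validates the type, then binds the value as a parameter: the statement
    text is fixed, so the value can never introduce a second statement."""
    catid = parse_catid(raw_catid)
    rows = conn.execute(
        "SELECT name FROM products WHERE catid = ? ORDER BY name", (catid,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, tables now:", browse_vulnerable(conn, INJECTED_CATID))
    conn = make_db()
    print("hardened, catid=11:", browse_hardened(conn, "11"))
    try:
        browse_hardened(conn, INJECTED_CATID)
    except ValueError as err:
        print("hardened, injected catid rejected:", err)
```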