lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1057289439.3f04f4dfaf159@webmail.bosen.net>
Date: Fri,  4 Jul 2003 10:30:39 +0700
From: Bosen <mobile@...en.net>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com
Subject: Another ProductCart SQL Injection Vulnerability


ProductCart SQL Injection Vulnerability
_______________________________________________________________________________


1ndonesian Security Team (1st)
http://bosen.net/releases/
===============================================================================
Security Advisory



Advisory Name: ProductCart SQL Injection Vulnerability
 Release Date: 06/20/2003
  Application: 
               ProductCart v1.5  
               ProductCart v1.5002                 
               ProductCart v1.5003                 
               ProductCart v1.5003r                 
               ProductCart v1.5004  
               ProductCart v1.6b  
               ProductCart v1.6br  
               ProductCart v1.6br001  
               ProductCart v1.6br003
               ProductCart v1.6b001
               ProductCart v1.6b002                              
               ProductCart v1.6b003               
               ProductCart v1.6002
               ProductCart v1.6003
               ProductCart v2
               ProductCart v2br000                                   
     Platform: Win32/MSSQL
     Severity: High
     BUG Type: SQL Injection
       Author: Bosen <mobile@...en.net>
  Discover by: Bosen <mobile@...en.net>
Vendor Status: See below.
   Vendor URL: http://www.earlyimpact.com/
    Reference: http://bosen.net/releases/



Overview:
From the web
"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce 
features with time-saving store management tools and remarkable ease of use."
From the author
"Even the application is not Open Source, but we can 'debug' the application
on the fly. And with SQL Injection we can query some information about the 
tables
and database, even the data it self. With more work will couse ability to 
access into 
the admin control panel site."



Details:
The error msg of the application handled very good, but not that good. Couse 
still have
XSS injection vulnerbility (read my previous advisories). Those error handler 
would make
exploitation very difficult to do.
But, not all script handled by those error handler script. 
For example Custva.asp, its still vulnerable to SQL Injection. 

But the worst is, on the admin control panel which is can be injected by old 
famous 
SQL injection 'or 1=1--'. Which makes you able to get access into admin 
control panel
without needing any access.



Exploits/POC:
file Custva.asp
http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--
&_email=email
&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit

file login.asp
http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--



Vendor Response:
Contacted. No response yet.



Recommendation:
No recommendation for this.



1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/



About 1ndonesian Security Team:
1ndonesian Security Team, research and develop intelligent, advanced 
application
security assessment. Based in Indonesia, 1ndonesian Security Team offers best 
of
breed security consulting services, specialising in application, host and 
network
security assessments.

1st provides security information and patches for use by the entire 1st 
community.

This information is provided freely to all interested parties and may be 
redistributed provided that it is not altered in any way, 1st is appropriately 
credited and the document retains.


Greetz to:
AresU, TioEuy, sakitjiwa, muthafuka, alphacentury 
All 1ndonesian Security Team - #hackers@...tnet.org/centrin.net.id







Bosen <mobile@...en.net>
======================
Original document can be fount at http://bosen.net/releases/?id=40




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ