Message-ID: <1058444926.3f16967e43a97@webmail.bosen.net>
Date: Thu, 17 Jul 2003 19:28:46 +0700
From: Bosen <mobile@...en.net>
To: bugtraq@...urityfocus.com
Subject: eStore SQL Injection Vulnerability & Path Disclosure
1ndonesian Security Team (1st)
http://bosen.net/releases/
==============================================================
Security Advisory
Advisory Name: eStore SQL Injection Vulnerability & Path Disclosure
Release Date: 07/15/2003
Application: eStore 1.0.1
eStore 1.0.2
eStore 1.0.2b
Platform: PHP
Severity: High
BUG Type: SQL Injection
Author: Bosen <mobile@...en.net>
Discovered by: Bosen <mobile@...en.net>
Vendor Status: See below.
Vendor URL: http://www.brooky.com/
Reference: http://bosen.net/releases/
Overview:
"eStore is a FREE* e-commerce store programmed using PHP and MySQL!"
What features does eStore have?
I'm not their salesperson, so check out their web page at http://www.brooky.com/
Details:
*** SQL Injection ***
In /admin/login.php the submitted username and password are placed straight into the admin lookup query:
[...]
if ($user && $pass)
{
    // If the user has just tried to log in.
    // $user and $pass come unescaped from the request (register_globals)
    // and are interpolated directly into the SQL string.
    $passwd = md5($pass);
    $query = "select * from ".$prefix."store_config where user='$user'
              and pass=('$passwd')";
    $result = mysql_query($query);
    if (mysql_num_rows($result) > 0)
    {
        // if they are in the database register the user for the session
        $admin = $user;
        session_register("admin");
    }
}
// Redirect user to request page on successful authentication
if (session_is_registered("admin"))
{
    echo "<script language=\"javascript\">window.location=\"index.php\"</script>";
}
// If not display error messages
[...]
Only $user is injectable: $pass is hashed with md5() before it reaches the query, but $user is interpolated as-is, so a username that closes the quoted literal can rewrite the WHERE clause. As soon as the altered query returns at least one row, the attacker is registered as "admin" for the session without knowing any password.
*** Path Disclosure ***
Browse http://[target]/admin/settings.inc.php
Requesting the include file directly, outside the page that normally includes it, runs its query without an open database connection; the resulting PHP error message reveals the script's full filesystem path.
Exploits/POC:
http://[target]/admin/login.php?pass=1st&user=<your SQL injection code>
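As an added illustration (not part of the original advisory and not eStore's code): the same query shape run against an in-memory SQLite table standing in for the MySQL store_config table, seeded with a constructed admin row. It shows that an injected username authenticates without the password and that a bound parameter removes the problem. The table prefix, the sample row, the payload and the helper names are assumptions; SQLite replaces MySQL only so the example runs offline.

```python
import hashlib
import sqlite3

# Assumed value for eStore's $prefix; any string works for the demonstration.
PREFIX = "es_"

# Constructed sample data standing in for the MySQL store_config table.
ADMIN_USER = "admin"
ADMIN_PASSWORD = "secret"


def make_db():
    """Create an in-memory SQLite table shaped like store_config with one admin row."""
    db = sqlite3.connect(":memory:")
    db.execute(f"create table {PREFIX}store_config (user text, pass text)")
    db.execute(
        f"insert into {PREFIX}store_config values (?, ?)",
        (ADMIN_USER, hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest()),
    )
    return db


def vulnerable_query(user, password):
    """Build the query exactly as login.php does: $pass is md5'd, $user is
    interpolated unescaped, so the username can close the quoted literal."""
    passwd = hashlib.md5(password.encode()).hexdigest()
    return (f"select * from {PREFIX}store_config where user='{user}' "
            f"and pass=('{passwd}')")


def vulnerable_login(db, user, password):
    """Authenticate the way login.php does: any row back means 'admin' is registered."""
    rows = db.execute(vulnerable_query(user, password)).fetchall()
    return len(rows) > 0


def parameterized_login(db, user, password):
    """Hardened version: the username travels as a bound parameter, so it is
    data to the engine no matter what characters it contains."""
    passwd = hashlib.md5(password.encode()).hexdigest()
    rows = db.execute(
        f"select * from {PREFIX}store_config where user=? and pass=?",
        (user, passwd),
    ).fetchall()
    return len(rows) > 0


# The username closes the literal and comments out the password check.
# Both MySQL and SQLite treat "-- " (with the trailing space) as a line comment.
PAYLOAD = "admin' -- "

# addslashes() is deliberately not emulated here: SQLite does not treat a
# backslash as an escape character, so MySQL-style escaping cannot be
# demonstrated faithfully on this engine. That dialect dependence is itself
# a reason to prefer bound parameters over input escaping.

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(PAYLOAD, "1st"))
    print("vulnerable, real credentials:", vulnerable_login(db, ADMIN_USER, ADMIN_PASSWORD))  # True
    print("vulnerable, injected username:", vulnerable_login(db, PAYLOAD, "1st"))  # True
    print("parameterized, injected username:", parameterized_login(db, PAYLOAD, "1st"))  # False
```

The printed query makes the mechanism visible: everything after the injected quote, including the pass=(...) comparison, becomes a comment, and the engine sees only `where user='admin'`.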
Vendor Response:
Contacted. Patch/security fix released.
Recommendation:
Enable magic_quotes_gpc in php.ini
Use addslashes()
Both of these only backslash-escape quote characters in the input, and the vendor fix below relies on them. A more robust fix is to pass the username to the query as a bound parameter where the database layer supports prepared statements, or at least to escape it with mysql_real_escape_string() on the open connection, and to have settings.inc.php refuse to run when it is requested directly rather than as an include.
Patch:
in login.php
----- CODE MODIFIED -----
if ($_POST['user'] && $_POST['pass'])
{
    // backslash-escape quotes before the values are interpolated into the query
    $user = addslashes($user);
    $pass = addslashes($pass);
    [...]
---------------- END---------------
Note that the condition tests $_POST while the escaped values are the register_globals $user and $pass, and the PoC above delivers the parameters in the query string (GET). When applying the fix, confirm that the query only ever sees the escaped variables, whichever request method the credentials arrive by.
in edit_settings.inc.php
----- CODE MODIFIED AT START OF CODE -----
$sql_select = mysql_query("select * from ".$prefix."store_config");
// fix for path disclosure: when the file is requested directly there is no
// database connection, so the query fails; exit with a generic message
// instead of letting PHP print an error that contains the script path
if (!$sql_select) {
    $home_url = $_SERVER['HTTP_HOST'];
    echo "<h1>MySQL Connection failed</h1>
    <p>Why?</p>
    <p>1. Because you are visiting settings.inc.php directly in your browser.
    Please return to the home URL http://$home_url.</p>
    <p>2. Because your database settings could be incorrect or there is a
    problem with the MySQL engine.</p>
    <p>If you continually see this message contact your hosting company or
    visit <a href=\"http://cubecart.com\" target=\"_blank\">http://cubecart.com</a></p>";
    exit;
}
1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/
About 1ndonesian Security Team:
1ndonesian Security Team researches and develops intelligent,
advanced application security assessments. Based in Indonesia,
1ndonesian Security Team offers best-of-breed security consulting
services, specialising in application, host and network security
assessments.
1st provides security information and patches for use by the entire 1st
community.
This information is provided freely to all interested parties and may
be redistributed provided that it is not altered in any way, 1st is
appropriately credited and the document retains.
Bosen <mobile@...en.net>
======================
Original document can be found at http://bosen.net/releases/?id=45