Message-ID: <1058444926.3f16967e43a97@webmail.bosen.net>
Date: Thu, 17 Jul 2003 19:28:46 +0700
From: Bosen <mobile@...en.net>
To: bugtraq@...urityfocus.com
Subject: eStore SQL Injection Vulnerability & Path Disclosure


1ndonesian Security Team (1st)
http://bosen.net/releases/
==============================================================
Security Advisory



Advisory Name: eStore SQL Injection Vulnerability & Path Disclosure
 Release Date: 07/15/2003
  Application: eStore 1.0.1
               eStore 1.0.2
               eStore 1.0.2b
     Platform: PHP
     Severity: High
     BUG Type: SQL Injection
       Author: Bosen <mobile@...en.net>
Discovered by: Bosen <mobile@...en.net>
Vendor Status: See below.
   Vendor URL: http://www.brooky.com/
    Reference: http://bosen.net/releases/



Overview:
"eStore is a FREE* e-commerce store programmed using PHP and MySQL!"
What features does eStore have?
I'm not their sales department, so check out their web page at http://www.brooky.com/



Details:
*** SQL Injection ***
On /admin/login.asp
[...]
if ($user && $pass)
{
  // If the user has just tried to log in
  $passwd = md5($pass);
  $query = "select * from ".$prefix."store_config where user='$user' and pass=('$passwd')";
  $result = mysql_query($query);
  if (mysql_num_rows($result) >0 )
  {
    // if they are in the database register the user for the session
    $admin = $user;
    session_register("admin");
  }
}
// Redirect user to request page on successful authentication
  if (session_is_registered("admin"))
  {
    echo "<Script language=\"javascript\">window.location=\"index.php\"</script>";
  }
  // If not display error messages
[...]

*** Path Disclosure *** 
Browse http://[target]/admin/settings.inc.php



Exploits/POC:
http://[target]/admin/login.asp?pass=1st&user<your 0day sql injection code>



Vendor Response:
Contacted. Patch/security fix released.



Recommendation:
Enable magic_quotes_gpc in php.ini
Use addslashes()


Patch:
in login.php
----- CODE MODIFIED -----
if ($_POST['user'] && $_POST['pass'])
{
  $user = addslashes($user);
  $pass = addslashes($pass);
---------------- END---------------
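The advisory's recommendation and the vendor's patch both rely on escaping (magic_quotes_gpc, addslashes()). That was the 2003 answer; magic_quotes_gpc was removed in PHP 5.4, and escaping leaves the user name inside the SQL text. The durable fix is to keep request data out of the statement altogether with a bound parameter. The following is an added example, not eStore's code or the vendor's patch: a replacement for the login check quoted above that binds the user name, then compares the stored digest in PHP. The PDO connection, the DSN and credentials, the configured $prefix value and the table layout ({$prefix}store_config with columns user and pass, pass holding an md5 hex digest as in the original) are assumptions.

```php
<?php
// Added example, not eStore's code. Hardened replacement for the
// admin login check quoted in the advisory: the user name is bound as
// a parameter, so a quote, comment marker or keyword inside it is data
// to the database and never becomes part of the SQL statement.
// Assumed: a PDO connection in $db, the existing {$prefix}store_config
// table with columns `user` and `pass`, `pass` holding an md5 hex digest.

function admin_login(PDO $db, string $prefix, string $user, string $pass): bool
{
    // Identifiers (the table name) cannot be bound. $prefix comes from the
    // store configuration, not from the request, but restrict it anyway so
    // a misconfigured value cannot change the shape of the statement.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    // Only the user name goes to the database, as a bound parameter.
    $stmt = $db->prepare(
        "SELECT pass FROM {$prefix}store_config WHERE user = :user LIMIT 1"
    );
    $stmt->execute([':user' => $user]);
    $stored = $stmt->fetchColumn();   // false when no row matched

    if ($stored === false) {
        return false;                 // unknown user
    }

    // Constant-time comparison of the digests. md5 is kept only to match
    // the existing column; new installs should store password_hash()
    // output and check it with password_verify() instead.
    return hash_equals((string) $stored, md5($pass));
}

// Entry-point wiring that mirrors the original flow. DSN, credentials
// and the prefix are placeholders (assumed values).
session_start();
$prefix = 'est_';   // assumed: normally read from the store configuration

if (isset($_POST['user'], $_POST['pass'])) {
    $db = new PDO(
        'mysql:host=localhost;dbname=estore;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );

    if (admin_login($db, $prefix, (string) $_POST['user'], (string) $_POST['pass'])) {
        session_regenerate_id(true);            // fresh session id after login
        $_SESSION['admin'] = $_POST['user'];    // replaces session_register("admin")
        header('Location: index.php');          // replaces the JavaScript redirect
        exit;
    }
}

if (empty($_SESSION['admin'])) {
    // Not authenticated: render the login form / error message here.
}
```

With ATTR_EMULATE_PREPARES disabled the statement text and the parameter value reach MySQL separately, so there is nothing for addslashes() to escape and no charset in which an escaped quote can be turned back into a delimiter. The digest comparison moves into PHP so that the password never appears in the query at all.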
in edit_settings.inc.php

----- CODE MODIFIED AT START OF CODE -----
$sql_select = mysql_query( "select * from ".$prefix."store_config");
// fix for path disclosure
if(!$sql_select){
$home_url = $_SERVER['HTTP_HOST'];
 echo"<h1>MySQL Connection failed</h1>
 <p>Why?</p>
 <p>1. Because you are visiting settings.inc.php directly in your 
browser.
Please return to the home URL http://$home_url.</p>
 <p>2. Because your database settings could be incorrect or there is a
problem with the MySQL engine.</p>
 <p>If you continually see this message contact your hosting company or
visit <a href=\"http://cubecart.com\" target=\"_blank\">http://cubecart.com</a></p>";
 exit;
}
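The vendor's fix above still lets settings.inc.php execute when requested directly and only catches the one query it checks; any other warning raised before that point would still print the script's filesystem path. The following is an added example, not eStore's code or the vendor's patch: an include guard that refuses direct requests before any code runs, paired with error-display settings that keep PHP diagnostics out of the response. The file names and the ESTORE_ENTRY constant are assumptions.

```php
<?php
// Added example, not eStore's code. Two pieces, shown in one block:
//
//   1. admin/index.php (an entry point): turns off error display, then
//      defines a marker constant before pulling in the include file.
//   2. admin/settings.inc.php (an include file): refuses to run unless
//      that marker exists, so a direct browser request gets a 403 and
//      no PHP warning, and the filesystem path never reaches the client.
//
// File names and the ESTORE_ENTRY constant are assumed, not eStore's.

// ---- admin/index.php (entry point) ----------------------------------
ini_set('display_errors', '0');   // never render errors (and paths) to clients
ini_set('log_errors', '1');       // keep them in the server error log instead
error_reporting(E_ALL);           // still record everything server-side

define('ESTORE_ENTRY', true);     // marks a legitimate entry point
require __DIR__ . '/settings.inc.php';
// ... rest of the admin page follows ...

// ---- admin/settings.inc.php (include file) --------------------------
// This guard is the very first statement of every *.inc.php file.
if (!defined('ESTORE_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}
// ... the original settings / configuration code follows here; a failed
//     database query now surfaces in the server log, not in the browser.
```

The guard works in application code alone, which matters on shared hosting where the web-server configuration cannot be changed. Where it can, the same outcome is reached more simply by denying requests for include files at the server: in Apache, a `<FilesMatch "\.inc\.php$">` block with `Require all denied`, or moving the include files outside the document root so no URL maps to them at all.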




1ndonesian Security Team (1st) Advisory:
http://bosen.net/releases/



About 1ndonesian Security Team:
1ndonesian Security Team researches and develops intelligent,
advanced application security assessments. Based in Indonesia,
1ndonesian Security Team offers best-of-breed security consulting
services, specialising in application, host and network security
assessments.

1st provides security information and patches for use by the entire 1st 
community.

This information is provided freely to all interested parties and may 
be redistributed provided that it is not altered in any way, 1st is 
appropriately credited and the document retains.







Bosen <mobile@...en.net>
======================
Original document can be found at http://bosen.net/releases/?id=45



