lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: 16 May 2005 12:01:33 -0000
From: dedi dwianto <the_day@...o.or.id>
To: bugtraq@...urityfocus.com
Subject: Multiple Vulnerabilities in MetaCart e-Shop




____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \  
 |    __)_ /    \  \//    ~    \/   |   \ 
 |        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
        \/         \/       \/         \/ 

    .OR.ID
ECHO_ADV_13$2005

---------------------------------------------------------------------------
                     Multiple Vulnerabilities in MetaCart e-Shop
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: May, 16th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv13-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : MetaCart e-Shop
version: All version of MetaCart e shop Products
url : http://www.metalinks.com
Author: MetaLinks Online Design
Description: 

MetaCart e-Shop Is shopping cart application for small businesses
and support ms SQL,MS Access and MySQL.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)
   
   File productsByCategory.asp

   http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=&lt;script&gt;alert('test')&lt;/script&gt;
   
   Problem Script productsByCategory.asp
   
   --------------
   strCatalog_name = Request.QueryString("strCatalog_NAME")
   ...
   ...
   strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write 
   (Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")

   --------------

B. SQL Injection

   File productsByCategory.asp
   http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2'(Sql Injection)
   
   Problem Script 
   
   --------------- 
   intCatalogID = Request.QueryString("intCatalogID")
   ...
   ...
   ' Build SQL String using the parameters
   strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID = '"&strParam&"'"

   --------------- 

   Ex : http://www.metalinks.com/mcartlite/productsByCategory.asp?strSubCatalogID=2'having 1=1--
   Error :
   	   Microsoft JET Database Engine error '80040e14' 
	   Syntax error in string in query expression '1=1--''. 
	   /mcartlite/productsByCategory.asp, line 114

   File strCatalog_NAME
   http://[url]/mcartlite/product.asp?intProdID=1'(SQL Injection)

   Problem Script product.asp line 102

   ---------------
   intProdID = Request.QueryString("intProdID")
   ...
   ...
   Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
		"products where productID="&intProdID)
	  if rsProdInfo.EOF then
		Response.Write "Product Number " & intProdID & _
			" does not exist."
   ---------------
     
C. Solution
   Using Replace String For Filter some character
	- productsByCategory.asp	
		
	  * Find 
            intCatalogID = Request.QueryString("intCatalogID")
	    After,add
            intCatalogID = Replace(intCatalogID,"'","")
	  * Find
            strCatalog_name = Request.QueryString("strCatalog_NAME")
            After,add
            strCatalog_name = Replace(strCatalog_NAME,"<","")
	
	- product.asp
	  
	  * Find
	    intProdID = Request.QueryString("intProdID")
            After,add
            intProdID = Replace(intProdID,"'","")
             


---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@...oogroups.com ,
~ #e-c-h-o@...NET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

     the_day || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------


Powered by blists - more mailing lists