Message-ID: <6815089858.20040114133201@ysgnet.com>
From: npguy at ysgnet.com (01security)
Subject: Serious Possible SQL Injection in munchahouse.com Ecommerce site

Possible SQL Injection in munchahouse.com
_____________________________________________________

Original release date: Jan 09, 2003
Last revised: Jan 09, 2003
Advisory ID: 24
Released by: 01 Security Submission
Copyright : 2003-2004 by YSGNet* 01 Security
______________________________________________________

Severity : High .. very critical

Impact   : Manipulation of data, Exposure of system
           information Exposure of sensitive information
           
Issue    : Remote attackers can obtain complete control
           on database server
           

Legal Notice:
_____________________________________________________

You may not distribute whole or part without written
permission. You may NOT modify it and distribute it
or distribute parts of it without the 01Security written
permission.


Disclaimer:
_____________________________________________________

01Security is not liable for any damages
caused by direct or indirect use of the information
or functionality provided by this advisory. 01Security
bears no responsibility for content or misuse of
this advisory or any derivatives thereof.


About Munchahouse.com
_____________________________________________________

Munchahouse.com is an e-commerce site that currently sells
various products. It is one of the popular shipping sites
in south Asia.



Description:
_____________________________________________________

Some vulnerabilities have been discovered in munchahouse
Shopping Cart, which can be exploited by malicious
people to conduct SQL injection attacks.

The vulnerabilities are caused due to insufficient input
validation. This can be exploited to manipulate existing
SQL queries by including arbitrary SQL code.

Successful exploitation may disclose sensitive information,
allow manipulation of database content (e.g. adding new
administrative users), or in the worst case allow execution
of arbitrary code.


Impact
_____________________________________________________

The vulnerabilities allow any user to launch an SQL injection
attack, which could reveal a range of information.
Database tables can be dropped, modified or created, and
procedure-level attacks can be launched.


Proof of concept
_____________________________________________________

The following example demonstrates how SQL queries can be
injected into the web site.

Other exploitation has been avoided due to security
concerns.

creation of a new table in the database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Type the following in the browser address bar:
http://www.muncha.com/browse.asp?catid=11;create table
tsttable(tstcol1 int, testcol2 varchar(10))--

Note: change the table name if it already exists.

You can see the new table with the help of your
SQL client.


This example is mentioned here just to prove the
site is vulnerable to sql injection. A lot of damages
can be done by exploiting this vulnerability. For
example, tables can be dropped, price of the goods can
be changed, passwords can be stolen/changed and even
your web site can be shut down or defaced. In other
words, the whole database would be under the control of
the possible attacker.

Solution
_____________________________________________________

Proper string parsing should be in place. Files that are
available for administration should only be accessible
after proper authentication.

To prevent these disastrous situations,
01security has some suggestions which can minimize the
threat.

1. - Escape single quotes (') in any input.

2. - Escape semicolons (;).

3. - Reject known bad input such as "select", "insert",
"update", "delete", "drop", "--", "'" etc.

4. - Suppress error messages.

5. - Regularly monitor your SQL error log file.
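The concatenation pattern behind the proof of concept above and the escape-and-reject checks listed in this section, worked through as an added example (not code from the advisory or from the site). It assumes an in-memory SQLite table standing in for the shop's catalogue; the digits-only, parameterized version of the browse query goes beyond the advisory's list and is added here as the stronger fix.

```python
import re
import sqlite3

# Constructed stand-in for the shop's catalogue (assumption: the real schema
# is not given in the advisory).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, catid INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 11, 'Tea'), (2, 12, 'Coffee');
    """)
    return con

def tables(con):
    # Names of all tables currently in the database.
    return sorted(r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))

# The pattern the advisory describes: the catid URL parameter is pasted into
# the SQL text, so a ';'-separated second statement and a trailing '--' are
# honoured by the database.
def browse_vulnerable(con, catid):
    con.executescript("SELECT name FROM products WHERE catid = " + catid)

# Advisory items 1-3 as a single check: report which known-bad tokens appear.
BAD_TOKENS = ("select", "insert", "update", "delete", "drop", "--", "'", ";")

def reject_known_bad(value):
    low = value.lower()
    return [tok for tok in BAD_TOKENS if tok in low]

# Stronger form (added here): catid is numeric, so accept only a short run of
# digits and bind the value as a parameter instead of concatenating it.
CATID_RE = re.compile(r"^[0-9]{1,9}$")

def browse_safe(con, catid):
    if not CATID_RE.match(catid):
        raise ValueError("catid must be a small positive integer")
    rows = con.execute("SELECT name FROM products WHERE catid = ?", (int(catid),))
    return [r[0] for r in rows]

def safe_rejects(con, value):
    # True when browse_safe refuses the input outright.
    try:
        browse_safe(con, value)
    except ValueError:
        return True
    return False
```

Note that the advisory's reject list does not include "create", the verb its own proof of concept uses, which is why an allowlist on the expected shape of the value plus a bound parameter is the check to rely on.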


Background info
_________________________________________________________

* Jan 09, 2004 :  Vendor has been informed, but the response was
very late and seems to ignore the actual facts.

The response we got was as follows:

"I reviewed your report but as I am busy with my new site"

and we were surprised to get

"And as I use to receive notification as any error
 occurs on the site and from last few months I am receiving lots of error
 notice and useless users in my site I can understand it is due to
 your staff. that are working on my site. But we want you to stop working
 on our site.  We are now unable to coup up with you, sorry for that. Due
 to our new site work  is going on we will be unable to do anything beside it. "

sent by a so-called senior programmer, Sailen Karmacharya
<sailen@...cha.com> of Munchahouse Pvt Ltd.


Credit
_________________________________________________________
This vulnerability was discovered by 01 Security members.
Special thanks to minNapper.


About 01 Security
_________________________________________________________

01 Security is one of the leading IT security groups in
Nepal, providing IT security services and products.


01 Security Contact
_________________________________________________________

ZerOne Laboratory
YSGNet*
37/74, Kathmandu - 9, Nepal
Phone: 977-01-4467794 (time: 11am to 6pm, Monday off)
Email: info@...ecurity.com
URL: http://www.01security.com
