Message-ID: <12616734793.20040114135926@ysgnet.com>
From: npguy at ysgnet.com (01security)
Subject: Serious SQL Injection in munchahouse.com: a shopping site.
Serious SQL Injection in munchahouse.com
_____________________________________________________
Original release date: Jan 09, 2003
Last revised: Jan 09, 2003
Advisory ID: 24
Released by: 01 Security Submission
Copyright : 2003-2004 by YSGNet* 01 Security
______________________________________________________
Severity : High .. very critical
Impact : Manipulation of data, exposure of system
information, exposure of sensitive information
Issue : Remote attackers can obtain complete control
of the database server
Legal Notice:
_____________________________________________________
You may not distribute this advisory in whole or in part without
written permission. You may NOT modify it and distribute it,
or distribute parts of it, without 01Security's written
permission.
Disclaimer:
_____________________________________________________
01Security is not liable for any damages
caused by direct or indirect use of the information
or functionality provided by this advisory. 01Security
bears no responsibility for content or misuse of
this advisory or any derivatives thereof.
About Munchahouse.com
_____________________________________________________
Munchahouse.com is an e-commerce site that currently sells
various products. It is one of the popular shopping sites
in South Asia.
Description:
_____________________________________________________
Some vulnerabilities have been discovered in munchahouse
Shopping Cart, which can be exploited by malicious
people to conduct SQL injection attacks.
The vulnerabilities are caused due to insufficient input
validation. This can be exploited to manipulate existing
SQL queries by including arbitrary SQL code.
Successful exploitation may disclose sensitive information,
allow manipulation of database content (e.g. adding new
administrative users), or in the worst case allow execution
of arbitrary code.
Impact
_____________________________________________________
The vulnerabilities allow any user to launch an SQL injection
attack, which could reveal a range of information.
Database tables can be dropped, modified or created.
Procedure-level attacks can be launched.
Proof of concept
_____________________________________________________
The following example demonstrates how SQL queries can be
injected into the web site.
Other exploitation has been avoided out of security
concern.
creation of a new table in the database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Type the following in the browser address bar:
http://www.muncha.com/browse.asp?catid=11;create table tsttable(tstcol1 int, testcol2 varchar(10))--
Note: change the table name if it already exists.
You can see this new table with the help of your
SQL client.
This example is mentioned here just to prove that the
site is vulnerable to SQL injection. A lot of damage
can be done by exploiting this vulnerability. For
example, tables can be dropped, prices of goods can
be changed, passwords can be stolen or changed, and even
the web site can be shut down or defaced. In other
words, the whole database would be under the control of
the attacker.
Solution
_____________________________________________________
Proper string parsing should be in place. Files that are
available for administration should only be accessible
after proper authentication.
To prevent these disastrous situations,
01security has some suggestions which can minimize the
threats.
1. - Escape single quotes (') in any input.
2. - Escape semicolons (;).
3. - Reject known bad input like "select", "insert",
"update", "delete", "drop", "--", "'" etc.
4. - Suppress error messages.
5. - Regularly monitor your SQL error log file.
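As an added illustration (not code from the advisory or from the site), the query pattern behind browse.asp?catid= is modelled in Python against a constructed in-memory sqlite database: the vulnerable form concatenates the catid value and so executes the advisory's stacked CREATE TABLE, while the hardened form validates catid as an integer and binds it as a parameter, a stronger control than the quote/semicolon escaping and keyword blocklist listed above. sqlite's execute() refuses stacked statements, so executescript() is used only to mimic a back end that runs the statement after the ';' as the proof of concept shows the site did.

```python
import re
import sqlite3

# The catid value from the advisory's proof-of-concept URL (everything after "?catid=").
ADVISORY_PAYLOAD = "11;create table tsttable(tstcol1 int, testcol2 varchar(10))--"


def new_shop_db():
    """Constructed in-memory stand-in for the shop's product database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, catid INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, 11, "Tea"), (2, 11, "Coffee"), (3, 12, "Sugar")])
    db.commit()
    return db


def table_exists(db, name):
    """True if a table of that name exists (how the advisory suggests verifying the PoC)."""
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                     (name,)).fetchone()
    return row is not None


def browse_vulnerable(db, catid):
    """The advisory's flaw: the raw query-string value is concatenated into the SQL.
    executescript() stands in for a driver that runs the stacked statement after
    the ';' (sqlite's execute() would refuse it). The SELECT's rows are discarded,
    so callers observe the side effect with table_exists()."""
    db.executescript("SELECT name FROM products WHERE catid = " + catid)


def browse_hardened(db, catid):
    """Two independent controls: reject anything that is not a small positive
    integer, then pass the value as a bound parameter so it is never parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", catid):
        raise ValueError("catid must be a positive integer")
    rows = db.execute("SELECT name FROM products WHERE catid = ? ORDER BY id",
                      (int(catid),)).fetchall()
    return [name for (name,) in rows]


def browse_bound_only(db, catid):
    """Binding alone, without the integer check: the payload is compared as a
    plain string against an integer column and simply matches nothing."""
    rows = db.execute("SELECT name FROM products WHERE catid = ?", (catid,)).fetchall()
    return [name for (name,) in rows]
```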
Background info
_________________________________________________________
* Jan 09, 2004 : The vendor has been informed, but the response was
very late and seems to ignore the actual facts.
The response we got was as follows:
"I reviewed your report but as I am busy with my new site"
and we were surprised to get
"And as I use to receive notification as any error
occurs on the site and from last few months I am receiving lots of error
notice and useless users in my site I can understand it is due to
your staff. that are working on my site. But we want you to stop working
on our site. We are now unable to coup up with you, sorry for that. Due
to our new site work is going on we will be unable to do anything beside it. "
sent by a so-called senior programmer, Sailen Karmacharya
<sailen@...cha.com> of Munchahouse Pvt Ltd.
Credit
_________________________________________________________
This vulnerability was discovered by 01 Security members.
Special thanks to minNapper.
About 01 Security
_________________________________________________________
01 Security is one of the leading IT security groups of
Nepal, providing IT security services and products.
01 Security Contact
_________________________________________________________
ZerOne Laboratory
YSGNet*
37/74, Kathmandu - 9, Nepal
Phone: 977-01-4467794 (time: 11am to 6pm, Monday off)
Email: info@...ecurity.com
URL: http://www.01security.com