Full Disclosure mailing list archives
Comersus Shopping Cart Undisclosed Functionality
From: evol () ruiner halo nu
Date: Wed, 28 Jul 2004 23:08:16 -0500 (CDT)
Dear Readers:

You may have heard of this application before. Here's a few excerpts from the chronicles of comersus shopping cart:

1.) http://secunia.com/advisories/12026/ "Thomas Ryan", XSS
2.) http://www.net-security.org/vuln.php?id=3559 "Thomas Ryan", Insecure Price Variables

So, "Tommy Ryan" is intimately familiar with this product. In fact, he has detailed that he has sat on 3 vulnerabilities for this product!
http://www.checksum.org/mla/7/message/1506.htm (Also a nice description of his 'disclosure' process)

He has a right to be intimately familiar with this product, as he seems to own his own (albeit lowly) security company (www.providesecurity.com) based out of new york on 2027 East 71st Street. His company's phone number is [718] 444.3808. It may also at this time be noted, that he is an excellent graphics designer if you look on his web page. However, innocent looks can be deceiving.

It has come to evol's attention that Tommy has been hiding bugs inside this software and not disclosing the bugs. Evol thinks this practice of non-disclosure is dangerous to the internet community. Sure one might argue that Tommy telling his cat is not a huge risk for internet disclosure, i stand in disagreement (i have met his cat).

So what does Evol do? Evol comes to the rescue! I have found the bug that tommy did not want to tell you independently. You can all relax now, the internet threat level is lower. Evol wants to make the internet community very happy, so he's going to release the bug pro-bono.

It may also be noted at this time, that after careful manipulation of the data contained in tommy's company's web-graphic and with the optimizations evol has independently discovered in AES brute-force decryption, that it actually contains a message. The message is, "I have told my cat how to get root, and the internet shall suffer my wrath". You're welcome internet security community.

So what is the bug you ask? Improper input validation!
Here's an excerpt of code:

    dim mySQL, conntemp, rstemp, pEmail, pPassword
    ---SNIP---
    pEmail = getUserInput(request("email"),50)
    ---SNIP---
    mySQL="SELECT idCustomer, idCustomerType, name, lastName FROM customers WHERE email='" &pEmail& "' AND password='" &EnCrypt(pPassword, pEncryptionPassword)& "' AND active=-1"
    ---SNIP---

so one thinks, no problem, input validation happens in getUserInput. not the case:

===EXCERPT===
function getUserInput(input,stringLength)
    dim tempStr, newString, regEx
    Set regEx = New RegExp
    tempStr = left(trim(input),stringLength)
    regEx.Pattern = "([^A-Za-z0-9@.*|' _-]+)"
    regEx.IgnoreCase = True
    regEx.Global = True
    newString = regEx.Replace(tempStr, "")
    Set regEx = nothing
    ' replace due to DB hack threats
    newString = replace(newString,"--","")
    newString = replace(newString,";","")
    getUserInput = newString
end function
===EXCERPT===

replace due to db hack threats! what about the single quote?

for proof of concept, log into server with "username' OR 'hack'='hack". The more adventurous can turn this into command execution.

Evol likes tommy though. Tommy publishes his own disclosure policy and adheres to it. Evol wants to follow suit.

Evol's disclosure policy:
1.) Find bug
2.) Drink one (1) can of red bull sugar-free
3.) Take tab, and flip back and forth counting 0-1-0-1-0-1..etc
4.) If sugar-free redbull lands on 1, give vendor notification
5.) If sugar-free redbull lands on 0, proceed to step 7
6.) Notify vendor, waste lots of time telling them the problem and don't make money.
7.) Publish vulnerability, get lots of happiness and lots of time to find more bugs.

Fix of bug:
===========
/includes/stringFunctions.asp:
24a25
newString = replace(newString,"'","")
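Review bot: deleting the single quote inside getUserInput() is a blanket change to every field that passes through that helper, so legitimate data is silently altered (a name like O'Brien loses its apostrophe), while mySQL is still built by string concatenation, so any value that reaches the query without going through getUserInput(), such as the password argument, which in the excerpt goes through EnCrypt() and straight into the string, gets no protection from this line. The durable fix is to stop concatenating and bind the values with an ADODB.Command parameter; if the string-building has to stay, escape rather than delete, i.e. `newString = replace(newString,"'","''")`. Also, the hunk is default diff output (`24a25`) whose added line has lost its leading `> ` marker, so as quoted it will not feed directly into patch(1).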
Disclaimer: I am allowed to change my disclosure policy. If people enforce laws regarding disclosure policies I will find a way to leak vulnerabilities more slowly to the internet community whilst I live in Africa. In Africa, I will be able to spend all of my time researching vulnerabilities which will significantly increase the internet threat level. I do not want to be evil, or malicious but I also want freedom. I believe G.W. Bush should interfere with these pretend legislative bodies and give me freedom such as those he's giving to the iraqi people. But please if that does happen, don't let the troops strip my girlfriend nekked and subsequently torture her worse than she ever would have gotten tortured before.

Don't get caught in the publicity
Or caught in the hype
Hackers are, regular people minus coding all night
Searching for sloppy coding, bugs in logic
Yeah, my rapping skills are new-wave compared to eeye.

-Evol

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
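The injection the post describes, worked through as an added example (Python; this is not code from the post or from Comersus). The quoted getUserInput() allow-list is re-implemented verbatim and run against an in-memory SQLite stand-in for the customers table (a constructed schema, not Comersus' own), next to the post's one-line fix and a parameterized query. Two assumptions are made in the process: the `enc(...)` strings stand in for whatever EnCrypt() returns, and because `=` is outside the regex's allow-list the constructed payload uses LIKE, which the allow-list permits, with a trailing `OR email LIKE '` so that the genuine `AND password=... AND active=-1` clause lands inside its own OR term instead of constraining the injected one.

```python
import re
import sqlite3

# Python re-implementation of the getUserInput() quoted in the post. The regex is
# the one from the excerpt: everything outside the allow-list is deleted, then
# "--" and ";" are removed. The single quote is inside the allow-list, so it
# passes through untouched.
STRIP_PATTERN = re.compile(r"[^A-Za-z0-9@.*|' _-]+")


def get_user_input(value, string_length):
    """Mirror of the vulnerable getUserInput(input, stringLength)."""
    temp = value.strip()[:string_length]          # left(trim(input), stringLength)
    cleaned = STRIP_PATTERN.sub("", temp)         # regEx.Replace(tempStr, "")
    cleaned = cleaned.replace("--", "")           # 'replace due to DB hack threats'
    cleaned = cleaned.replace(";", "")
    return cleaned


def patched_get_user_input(value, string_length):
    """getUserInput() with the post's one-line fix applied: drop the quote too."""
    return get_user_input(value, string_length).replace("'", "")


def build_login_sql(email, password_enc):
    """String-concatenated query, shaped exactly like the quoted mySQL line.
    password_enc stands in for EnCrypt(pPassword, pEncryptionPassword) (assumption)."""
    return ("SELECT idCustomer, idCustomerType, name, lastName FROM customers "
            "WHERE email='" + email + "' AND password='" + password_enc
            + "' AND active=-1")


def make_db():
    """Constructed in-memory stand-in for the customers table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (idCustomer INTEGER, idCustomerType INTEGER,"
                 " name TEXT, lastName TEXT, email TEXT, password TEXT, active INTEGER)")
    conn.execute("INSERT INTO customers VALUES (1, 1, 'Alice', 'Example',"
                 " 'alice@example.test', 'enc(correct)', -1)")
    conn.commit()
    return conn


def login_concat(conn, email, password_enc, sanitizer):
    """Vulnerable path: run the email through a sanitizer, then concatenate."""
    sql = build_login_sql(sanitizer(email, 50), password_enc)
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email, password_enc):
    """Hardened path: bound parameters; the quote is just data to the database."""
    return conn.execute(
        "SELECT idCustomer, idCustomerType, name, lastName FROM customers "
        "WHERE email=? AND password=? AND active=-1",
        (email, password_enc)).fetchall()


# Constructed payload. Every character is in the allow-list (letters, quote, space)
# so get_user_input() returns it unchanged. After concatenation the WHERE clause is
#   email='x' OR 'a' LIKE 'a' OR email LIKE '' AND password='enc(wrong)' AND active=-1
# and with AND binding tighter than OR the middle term is true for every row.
PAYLOAD = "x' OR 'a' LIKE 'a' OR email LIKE '"

if __name__ == "__main__":
    conn = make_db()
    print("payload survives filter:", get_user_input(PAYLOAD, 50) == PAYLOAD)
    print("concat, unpatched:", login_concat(conn, PAYLOAD, "enc(wrong)", get_user_input))
    print("concat, patched:  ", login_concat(conn, PAYLOAD, "enc(wrong)", patched_get_user_input))
    print("parameterized:    ", login_parameterized(conn, PAYLOAD, "enc(wrong)"))
    print("legit, parameterized:",
          login_parameterized(conn, "alice@example.test", "enc(correct)"))
```

The unpatched concatenated path returns Alice's row for a wrong password, the patched filter and the parameterized query both return nothing for the payload, and the parameterized query still returns the row for the genuine credentials. The filter's blind spot is structural rather than one missing character: it decides what the database sees by deleting bytes, so any SQL that can be phrased with the allowed ones (here LIKE instead of `=`) gets through, while binding the value as a parameter removes the problem for every character at once.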
Current thread:
- Comersus Shopping Cart Undisclosed Functionality evol (Jul 29)