Bugtraq mailing list archives

bug report comersus Back Office Lite 6.0 and 6.0.1


From: "raf somers" <beltech2bugtraq () hotmail com>
Date: Fri, 21 Jan 2005 17:07:54 +0100

Software: Comersus ASP Shopping Cart
Version: 6.0 Free version containing BackOffice Lite 6.0 and 6.01
Vendor: Comersus


1. Software Description
  --------------------
Comersus ASP shopping cart is a set of ASP scripts that together form an online shopping cart. It works on a database of your own choosing (the default is MS Access) and includes online
administration tools.

2. Vulnerability description
  -------------------------
    - bypassing administrator login
    - SQL injection
    - Design flaw
    - Cross Site Scripting


1. Bypassing the administrator login
  ----------------------------------
File: /backofficelite/comersus_backoffice_install10.asp
This file is the last step in the installation sequence of the ASP web cart.
One does not have to be a shopping cart administrator to execute this file.
Besides setting the value of some variables, it also contains the following code:
        session("admin")=1
which registers the current session as having administrator rights on the shopping cart
software.
So by running this script one gives oneself full rights to all the scripts, including
scripts to enter arbitrary SQL commands, decrypt passwords, etc.

Workaround: delete or rename the file after installation.



2. Possible SQL injection
  ----------------------
File: /store/default.asp
If the option pIndexVisitsCounter is set to -1 (not the default), this script will add a line to the database:

mySQL="INSERT INTO visits (userIp, referrer, visitDate, visitTime, idStore) VALUES ('"&pUserIp&"','"&pReferrer&"','"&pVisitDate&"','"&pVisitTime&"'," &pIdStore& ")"

Interesting here is the pReferrer variable, which is loaded as follows:

        pReferrer       = request.ServerVariables("HTTP_Referer")

No further data validation is done on the mySQL string before it is sent to the database for processing. This allows an attacker to craft his own HTTP GET request and enter SQL
code into the Referer field, e.g.:

                GET /comersus/store/default.asp HTTP/1.1
                Referer: <SQLCODE HERE>

Workaround: disable visitor logging (pIndexVisitsCounter=0) or add an input check when loading pReferrer.
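As an added illustration of the second workaround (not Comersus' own code), the same visits INSERT written with ADODB.Command parameters, so the Referer header is passed to the database as data rather than spliced into the statement text. It assumes an already open ADODB.Connection named conn and assumed column widths for the visits table.

```vbscript
<%
' Added example, not part of the Comersus sources: the visits INSERT from
' /store/default.asp using bound parameters instead of string concatenation.
' Assumes an open ADODB.Connection object named "conn" (name is assumed).
Option Explicit

' ADO constants (values as defined in adovbs.inc)
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200
Const adInteger    = 3

Dim pUserIp, pReferrer, pVisitDate, pVisitTime, pIdStore
pUserIp    = Request.ServerVariables("REMOTE_ADDR")
pReferrer  = Request.ServerVariables("HTTP_REFERER")   ' client-controlled value
pVisitDate = FormatDateTime(Now(), vbShortDate)
pVisitTime = FormatDateTime(Now(), vbShortTime)
pIdStore   = 1

' Vulnerable original (shown for comparison only): every value is spliced into
' the SQL text, so a single quote inside the Referer ends the string literal
' and whatever follows is parsed as SQL.
' mySQL = "INSERT INTO visits (...) VALUES ('" & pUserIp & "','" & pReferrer & "', ...)"

' Hardened form: placeholders in the statement, values bound as typed
' parameters. The provider never interprets the Referer as SQL.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO visits (userIp, referrer, visitDate, visitTime, idStore) " & _
                  "VALUES (?, ?, ?, ?, ?)"

' Defence in depth: cap the stored length at the (assumed) column width.
pReferrer = Left(pReferrer, 255)

cmd.Parameters.Append cmd.CreateParameter("userIp",    adVarChar, adParamInput, 50,  pUserIp)
cmd.Parameters.Append cmd.CreateParameter("referrer",  adVarChar, adParamInput, 255, pReferrer)
cmd.Parameters.Append cmd.CreateParameter("visitDate", adVarChar, adParamInput, 10,  pVisitDate)
cmd.Parameters.Append cmd.CreateParameter("visitTime", adVarChar, adParamInput, 8,   pVisitTime)
cmd.Parameters.Append cmd.CreateParameter("idStore",   adInteger, adParamInput, ,    pIdStore)

cmd.Execute
Set cmd = Nothing
%>
```

The same pattern applies to every other place where a request value is concatenated into a query string; with the default MS Access database the Jet OLE DB provider accepts the ? placeholders shown here.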

3. Design Flaw
  -----------
Passwords are stored encrypted inside the database. Since this software is Open Source, the encryption and decryption algorithms are not secret. The only thing an attacker needs, once he has obtained the passwords from the database, is the encryption key. Assuming the attacker has access to the database (he obtained the encrypted passwords), he also has access to this key because
it is stored inside the same database.

Workaround: store the key in another place.

4. Cross site scripting attack
  ---------------------------
Files: - comersus/backofficelite/comersus_supportError.asp
       - comersus/backofficelite/comersus_backofficelite_supportError.asp

Example: http://host/comersus/backofficelite/comersus_supportError.asp?error=<script>alert('hi%20mum');</script>


5. Additional Information
  ----------------------
The vendor was first contacted on 17-01-2005; an update of this file was sent on 19-01-2005.
Posted to BugTraq on: not yet posted
The vendor patched the security holes and released version 6.0.2 on 19-01-2005; download it at
www.comersus.com. Their swift response is commendable.

Comersus advisory: http://www.comersus.org/forum/displayMessage.asp?mid=32753


I would like to thank the Vendor for supporting Open Source.


