In-Reply-To: <1057289439.3f04f4dfaf159at_private>

Instructions on how to address this security issue:

-------------------------------------------------------------------
Users of ProductCart v1.5 and before:

Please contact Early Impact ASAP to update to a later version of
ProductCart. Send a message to supportat_private
The update is free.
-------------------------------------------------------------------
Users of ProductCart v1.6:

Open the file "pcadmin/login.asp" and replace the following lines:

  pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
  pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)

with

  pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
  pIdAdmin=replace(pIdAdmin,"--","")
  If NOT isNumeric(pIdAdmin) then
    response.redirect "msg.asp?message=1"
    response.end
  end if
  pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
-------------------------------------------------------------------
Users of ProductCart v2:

Replace "pcadmin/login.asp" with an updated version of this file that you
can request immediately by contacting Early Impact at supportat_private
-------------------------------------------------------------------

We have already notified all ProductCart resellers of the above. We will
also notify within the next few hours all ProductCart users that have
purchased the software directly from us.

At Early Impact we are working day and night to make our application as
secure as it can be.
If you have any questions, please contact us at supportat_private

Best Regards,
The Early Impact Team

>Message-ID: <1057289439.3f04f4dfaf159at_private>
>Date: Fri, 4 Jul 2003 10:30:39 +0700
>From: Bosen <mobileat_private>
>To: bugsat_private, bugtraqat_private
>Subject: Another ProductCart SQL Injection Vulnerability
>
>ProductCart SQL Injection Vulnerability
>_______________________________________________________________________________
>
>1ndonesian Security Team (1st)
>http://bosen.net/releases/
>===============================================================================
>Security Advisory
>
>Advisory Name: ProductCart SQL Injection Vulnerability
> Release Date: 06/20/2003
>  Application:
>               ProductCart v1.5
>               ProductCart v1.5002
>               ProductCart v1.5003
>               ProductCart v1.5003r
>               ProductCart v1.5004
>               ProductCart v1.6b
>               ProductCart v1.6br
>               ProductCart v1.6br001
>               ProductCart v1.6br003
>               ProductCart v1.6b001
>               ProductCart v1.6b002
>               ProductCart v1.6b003
>               ProductCart v1.6002
>               ProductCart v1.6003
>               ProductCart v2
>               ProductCart v2br000
>     Platform: Win32/MSSQL
>     Severity: High
>     BUG Type: SQL Injection
>       Author: Bosen <mobileat_private>
>Discovered by: Bosen <mobileat_private>
>Vendor Status: See below.
>   Vendor URL: http://www.earlyimpact.com/
>    Reference: http://bosen.net/releases/
>
>Overview:
>From the web
>"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce
>features with time-saving store management tools and remarkable ease of use."
>From the author
>"Even though the application is not Open Source, we can 'debug' the
>application on the fly. And with SQL Injection we can query some information
>about the tables and database, even the data itself. With more work it will
>cause the ability to access the admin control panel site."
>
>Details:
>The error messages of the application are handled very well, but not that
>well, because they still have an XSS injection vulnerability (read my
>previous advisories). Those error handlers would make exploitation very
>difficult to do.
>But not all scripts are handled by those error handler scripts.
>For example Custva.asp is still vulnerable to SQL Injection.
>
>But the worst is the admin control panel, which can be injected by the old
>famous SQL injection 'or 1=1--', which makes you able to get access to the
>admin control panel without needing any access.
>
>Exploits/POC:
>file Custva.asp
>http://
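An added example, not part of the vendor's message or of ProductCart itself: a Python mirror of the three checks the v1.6 patch applies to the IdAdmin parameter in pcadmin/login.asp, run against a valid id and against the 'or 1=1-- string named in the advisory. The function name, the constructed sample inputs and the strict integer test (VBScript's IsNumeric is looser) are assumptions.

```python
import re

# Added example: a Python mirror of the three lines the vendor's v1.6 patch
# applies to the IdAdmin query-string value in pcadmin/login.asp. The
# function name is an assumption; ProductCart itself is classic ASP.

def harden_admin_id(raw: str) -> tuple[bool, str]:
    """Return (accepted, value) for an IdAdmin query-string value.

    accepted=False corresponds to the ASP branch that redirects to
    msg.asp?message=1 and calls response.end.
    """
    # Step 1 (present before the patch too): double every single quote, the
    # classic string-literal escape. It does nothing against a payload that
    # contains no quotes, which is all an attacker needs for a numeric column.
    value = raw.replace("'", "''")
    # Step 2 (new): drop SQL line-comment markers so a trailing "--" cannot
    # comment out the remainder of the query.
    value = value.replace("--", "")
    # Step 3 (new): the id must be numeric. VBScript's IsNumeric is looser
    # than this (it also accepts forms such as "1e3"); a strict integer match
    # is used here, so this mirror only ever rejects more, never less.
    if not re.fullmatch(r"\s*[+-]?\d+\s*", value):
        return False, value
    return True, value.strip()


# Constructed inputs: a legitimate id, the "' or 1=1--" string named in the
# advisory, and a quote-free variant that step 1 alone would let through.
SAMPLES = {
    "42": True,
    "' or 1=1--": False,
    "1 or 1=1--": False,
}


def run_samples() -> dict[str, bool]:
    """Map each sample input to whether the hardened check accepts it."""
    return {raw: harden_admin_id(raw)[0] for raw in SAMPLES}


if __name__ == "__main__":
    for raw, accepted in run_samples().items():
        print(f"{raw!r:16} -> {'accepted' if accepted else 'rejected'}")
```

Note that step 2 silently turns an input such as "1--" into "1" rather than rejecting it; the numeric test in step 3 is what actually closes the hole.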
This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 13:26:22 PDT