Re: Another ProductCart SQL Injection Vulnerability

From: Massimo Arrigoni (supportat_private)
Date: Mon Jul 07 2003 - 12:59:05 PDT


    
    In-Reply-To: <20030705063915.10225.qmailat_private>
    
    Additional information on how to better protect a ProductCart-powered 
    store, and specifically on how to avoid unauthorized access to stores 
    using a MS Access database, is available at this address:
    
    http://www.earlyimpact.com/pdf/ProductCart_Security_Tips.pdf
    
    In addition, security updates and other support information for 
    ProductCart users are always available at the ProductCart Support Center, 
    located at the following address:
    
    http://www.earlyimpact.com/productcart/support/
    
    If you have any questions, please contact Early Impact at 
    supportat_private
    
    The Early Impact Team
    
    >Date: 5 Jul 2003 06:39:15 -0000
    >Message-ID: <20030705063915.10225.qmailat_private>
    >From: Massimo Arrigoni <supportat_private>
    >To: bugtraqat_private
    >Subject: Re: Another ProductCart SQL Injection Vulnerability
    >
    >In-Reply-To: <1057289439.3f04f4dfaf159at_private>
    >
    >Instructions on how to address this security issue:
    > 
    >-------------------------------------------------------------------
    > 
    >Users of ProductCart v1.5 and before:
    >Please contact Early Impact ASAP to update to a later version of 
    >ProductCart. Send a message to supportat_private. The update is free.
    > 
    >-------------------------------------------------------------------
    > 
    >Users of ProductCart v1.6:
    >Open the file "pcadmin/login.asp" and replace the following lines:
    > 
    >pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
    >pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
    > 
    >with
    > 
    >pIdAdmin=replace(request.querystring("IdAdmin"),"'","''")
    >pIdAdmin=replace(pIdAdmin,"--","")
    >If NOT isNumeric(pIdAdmin) then
    >response.redirect "msg.asp?message=1"
    >response.end
    >end if
    >pAdminPassword=enDeCrypt(request.querystring("adminPassword"), scCrypPass)
    > 
    >-------------------------------------------------------------------
    >
    >Users of ProductCart v2:
    >Replace "pcadmin/login.asp" with an updated version of this file that you 
    >can request immediately by contacting Early Impact at 
    >supportat_private
    > 
    >-------------------------------------------------------------------
    >
    >We have already notified all ProductCart resellers of the above. We will 
    >also notify within the next few hours all ProductCart users that have 
    >purchased the software directly from us.
    >
    >At Early Impact we are working day and night to make our application as 
    >secure as it can be. If you have any questions, please contact us at 
    >supportat_private
    >
    >Best Regards,
    >
    >The Early Impact Team
    > 
    >
    >>Message-ID: <1057289439.3f04f4dfaf159at_private>
    >>Date: Fri,  4 Jul 2003 10:30:39 +0700
    >>From: Bosen <mobileat_private>
    >>To: bugsat_private, bugtraqat_private
    >>Subject: Another ProductCart SQL Injection Vulnerability
    >>
    >>ProductCart SQL Injection Vulnerability
    >>_______________________________________________________________________________
    >>
    >>
    >>1ndonesian Security Team (1st)
    >>http://bosen.net/releases/
    >>===============================================================================
    >>Security Advisory
    >>
    >>
    >>
    >>Advisory Name: ProductCart SQL Injection Vulnerability
    >> Release Date: 06/20/2003
    >>  Application: 
    >>               ProductCart v1.5  
    >>               ProductCart v1.5002                 
    >>               ProductCart v1.5003                 
    >>               ProductCart v1.5003r                 
    >>               ProductCart v1.5004  
    >>               ProductCart v1.6b  
    >>               ProductCart v1.6br  
    >>               ProductCart v1.6br001  
    >>               ProductCart v1.6br003
    >>               ProductCart v1.6b001
    >>               ProductCart v1.6b002                              
    >>               ProductCart v1.6b003               
    >>               ProductCart v1.6002
    >>               ProductCart v1.6003
    >>               ProductCart v2
    >>               ProductCart v2br000                                   
    >>     Platform: Win32/MSSQL
    >>     Severity: High
    >>     BUG Type: SQL Injection
    >>       Author: Bosen <mobileat_private>
    >>  Discover by: Bosen <mobileat_private>
    >>Vendor Status: See below.
    >>   Vendor URL: http://www.earlyimpact.com/
    >>    Reference: http://bosen.net/releases/
    >>
    >>
    >>
    >>Overview:
    >>From the web
    >>"ProductCart® is an ASP shopping cart that combines sophisticated ecommerce 
    >>features with time-saving store management tools and remarkable ease of use."
    >>From the author
    >>"Even though the application is not Open Source, we can 'debug' the application 
    >>on the fly. And with SQL Injection we can query some information about the tables 
    >>and database, even the data itself. With more work this will give the ability to 
    >>access the admin control panel site."
    >>
    >>
    >>
    >>Details:
    >>The error messages of the application are handled very well, but not that well, 
    >>because there is still an XSS injection vulnerability (read my previous advisories). 
    >>Those error handlers would make exploitation very difficult to do.
    >>But not all scripts are handled by those error handler scripts. 
    >>For example Custva.asp is still vulnerable to SQL Injection. 
    >>
    >>But the worst is on the admin control panel, which can be injected by the old 
    >>famous SQL injection 'or 1=1--', which makes you able to get access into the admin 
    >>control panel without needing any access.
    >>
    >>
    >>
    >>Exploits/POC:
    >>file Custva.asp
    >>http://>/productcart/pc/Custvb.asp?redirectUrl=&Email=%27+having+1%3D1--
    >>&_email=email
    >>&password=asd&_password=required&Submit.x=33&Submit.y=5&Submit=Submit
    >>
    >>file login.asp
    >>http://>/produccart/pdacmin/login.asp?idadmin='' or 1=1--
    >>
    >>
    >>
    >>Vendor Response:
    >>Contacted. No response yet.
    >>
    >>
    >>
    >>Recommendation:
    >>No recommendation for this.
    >>
    >>
    >>
    >>1ndonesian Security Team (1st) Advisory:
    >>http://bosen.net/releases/
    >>
    >>
    >>
    >>About 1ndonesian Security Team:
    >>1ndonesian Security Team researches and develops intelligent, advanced application 
    >>security assessments. Based in Indonesia, 1ndonesian Security Team offers best of 
    >>breed security consulting services, specialising in application, host and network 
    >>security assessments.
    >>
    >>1st provides security information and patches for use by the entire 1st 
    >>community.
    >>
    >>This information is provided freely to all interested parties and may be 
    >>redistributed provided that it is not altered in any way, 1st is appropriately 
    >>credited and the document retains.
    >>
    >>
    >>Greetz to:
    >>AresU, TioEuy, sakitjiwa, muthafuka, alphacentury 
    >>All 1ndonesian Security Team - #hackersat_private/centrin.net.id
    >>
    >>
    >>
    >>
    >>
    >>
    >>
    >>Bosen <mobileat_private>
    >>======================
    >>Original document can be found at http://bosen.net/releases/?id=40
    >>
    >>
    >>
    >
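As an added illustration (not code from this thread or from Early Impact), the Python below models the v1.6 login.asp fix quoted above (quote doubling, stripping "--", then a numeric check on IdAdmin) beside the pre-fix string-concatenated query, and runs both against the `'' or 1=1--` value from the advisory. The in-memory admin table, its two rows and the function names are constructed for the example; a strict digit match stands in for VBScript's IsNumeric(), which accepts more forms than plain digits (assumption).

```python
import re
import sqlite3

# Constructed in-memory stand-in for the store's admin table (assumption, not
# the ProductCart schema).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE admins (idadmin INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO admins VALUES (?, ?)", [(1, "owner"), (2, "clerk")])


def vendor_filter(idadmin):
    """Model of the v1.6 login.asp fix: double single quotes, strip '--', then
    require a numeric IdAdmin. Returns None where the ASP redirects to msg.asp."""
    value = idadmin.replace("'", "''").replace("--", "")
    # VBScript IsNumeric() also accepts forms such as '1e3'; a strict digit
    # match is the conservative equivalent used here (assumption).
    if not re.fullmatch(r"\d+", value.strip()):
        return None
    return int(value)


def lookup_admin_unsafe(idadmin):
    """Pre-fix pattern: the querystring value is concatenated into the SQL, so
    '' or 1=1-- turns the WHERE clause into a tautology plus a comment."""
    sql = "SELECT name FROM admins WHERE idadmin=" + idadmin
    return [row[0] for row in _conn.execute(sql)]


def lookup_admin_safe(idadmin):
    """Hardened form: validate first, then bind the value as a parameter so the
    database never parses user input as SQL. Quote doubling and '--' stripping
    are a blacklist; the bound parameter is the durable part of the fix."""
    key = vendor_filter(idadmin)
    if key is None:
        return None  # login.asp sends the browser to msg.asp?message=1 here
    return [row[0] for row in
            _conn.execute("SELECT name FROM admins WHERE idadmin=?", (key,))]


if __name__ == "__main__":
    print(lookup_admin_unsafe("'' or 1=1--"))  # every admin row comes back
    print(lookup_admin_safe("'' or 1=1--"))    # None: rejected before any query
    print(lookup_admin_safe("2"))              # ['clerk']
```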
    



    This archive was generated by hypermail 2b30 : Wed Jul 09 2003 - 10:51:41 PDT