eStore SQL Injection Vulnerability & Path Disclosure

From: Bosen (mobileat_private)
Date: Thu Jul 17 2003 - 05:28:46 PDT


    1ndonesian Security Team (1st)
    http://bosen.net/releases/
    ==============================================================
    Security Advisory
    
    
    
    Advisory Name: eStore SQL Injection Vulnerability & Path Disclosure
     Release Date: 07/15/2003
      Application: eStore 1.0.1
                   eStore 1.0.2
                   eStore 1.0.2b
         Platform: PHP
         Severity: High
         BUG Type: SQL Injection
           Author: Bosen <mobileat_private>
      Discover by: Bosen <mobileat_private>
    Vendor Status: See below.
       Vendor URL: http://www.brooky.com/
        Reference: http://bosen.net/releases/
    
    
    
    Overview:
    "eStore is a FREE* e-commerce store programmed using PHP and MySQL!"
    What features does eStore have? 
    I'm not their sales rep, so check out their web page at http://www.brooky.com/
    
    
    
    Details:
    *** SQL Injection ***
    In /admin/login.asp:
    [...]
    if ($user && $pass)
    {
      // If the user has just tried to log in
      $passwd = md5($pass);
      // $user comes straight from the request and is spliced into the SQL text unescaped
      $query = "select * from ".$prefix."store_config where user='$user' and pass=('$passwd')";
      $result = mysql_query($query);
      if (mysql_num_rows($result) > 0)
      {
        // if they are in the database register the user for the session
        $admin = $user;
        session_register("admin");
      }
    }
    // Redirect user to request page on successful authentication
    if (session_is_registered("admin"))
    {
      echo "<Script language=\"javascript\">window.location=\"index.php\"</script>";
    }
    // If not display error messages
    [...]
    
    *** Path Disclosure *** 
    Browse http://[target]/admin/settings.inc.php
    
    
    
    Exploits/POC:
    http://[target]/admin/login.asp?pass=1st&user<your 0day sql injection code>
    
    
    
    Vendor Response:
    Contacted. Patch/security fix released.
    
    
    
    Recommendation:
    Enable magic_quotes_gpc in php.ini
    Use addslashes()
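    The interpolated login query from the Details section beside a parameterized version of the same lookup, as an added example that is not part of this advisory or of eStore. It assumes PDO with an in-memory SQLite database and a constructed demo_store_config table standing in for the real schema, and it shows why binding parameters is a stronger fix than the addslashes() recommended above.

```php
<?php
// Added example (not from the advisory or eStore): the advisory's login query
// built by string interpolation, beside the same lookup as a prepared statement.
// Uses an in-memory SQLite database via PDO so it runs offline; the table,
// the $prefix value and the rows below are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$prefix = 'demo_';   // stands in for eStore's $prefix
$db->exec("CREATE TABLE {$prefix}store_config (user TEXT, pass TEXT)");
$ins = $db->prepare("INSERT INTO {$prefix}store_config (user, pass) VALUES (?, ?)");
$ins->execute(["o'brien", md5('secret')]);  // legitimate user whose name contains a quote

// Vulnerable form, as in the advisory: $user is spliced into the SQL text,
// so a quote character in the input changes the structure of the statement.
function login_vulnerable(PDO $db, string $prefix, string $user, string $pass): bool
{
    $passwd = md5($pass);   // md5 kept only because the original code uses it
    $query = "select * from {$prefix}store_config where user='$user' and pass=('$passwd')";
    $rows = $db->query($query)->fetchAll();
    return count($rows) > 0;
}

// Hardened form: the query text is fixed and the values travel as bound
// parameters, so no input can alter the statement. addslashes(), the advisory's
// patch, only helps when every interpolated value sits inside quotes and the
// escaping matches the connection's character set; parameters depend on neither.
function login_prepared(PDO $db, string $prefix, string $user, string $pass): bool
{
    $stmt = $db->prepare("select * from {$prefix}store_config where user = ? and pass = ?");
    $stmt->execute([$user, md5($pass)]);
    return count($stmt->fetchAll()) > 0;
}

// A benign input containing a quote: the prepared version authenticates the
// real user, while the interpolated version turns the quote into a SQL syntax
// error, the symptom that shows user input reached the SQL parser.
var_dump(login_prepared($db, $prefix, "o'brien", 'secret'));
try {
    login_vulnerable($db, $prefix, "o'brien", 'secret');
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}
```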
    
    
    Patch:
    in login.php
    ----- CODE MODIFIED -----
    if ($_POST['user'] && $_POST['pass'])
    {
      $user = addslashes($user);
      $pass = addslashes($pass);
    ---------------- END---------------
    in edit_settings.inc.php
    
    ----- CODE MODIFIED AT START OF CODE -----
    $sql_select = mysql_query("select * from ".$prefix."store_config");
    // fix for path disclosure
    if (!$sql_select) {
      $home_url = $_SERVER['HTTP_HOST'];
      echo "<h1>MySQL Connection failed</h1>
      <p>Why?</p>
      <p>1. Because you are visiting settings.inc.php directly in your browser.
      Please return to the home URL http://$home_url.</p>
      <p>2. Because your database settings could be incorrect or there is a
      problem with the MySQL engine.</p>
      <p>If you continually see this message contact your hosting company or
      visit <a href=\"http://cubecart.com\" target=\"_blank\">http://cubecart.com</a></p>";
      exit;
    }
    
    
    
    
    1ndonesian Security Team (1st) Advisory:
    http://bosen.net/releases/
    
    
    
    About 1ndonesian Security Team:
    1ndonesian Security Team researches and develops intelligent,
    advanced application security assessments. Based in Indonesia,
    1ndonesian Security Team offers best-of-breed security consulting
    services, specialising in application, host and network security
    assessments.
    
    1st provides security information and patches for use by the entire 1st 
    community.
    
    This information is provided freely to all interested parties and may 
    be redistributed provided that it is not altered in any way, 1st is 
    appropriately credited and the document retains.
    
    
    
    
    
    
    
    Bosen <mobileat_private>
    ======================
    Original document can be found at http://bosen.net/releases/?id=45
    



    This archive was generated by hypermail 2b30 : Thu Jul 17 2003 - 09:39:08 PDT