From: Ignacio Vazquez (infosecmanager_at_centaura.com.ar)
Date: Wed Jan 08 2003 - 10:02:39 CST


    Centaura Technologies Security Research Lab Advisory

    Product Name: a.shopKart Web Shopping Cart
    Systems: Windows NT/2000/.NET Server
    Severity: High Risk
    Remote: Yes
    Category: Insufficient input checking
    Vendor URL: http://www.urlogy.com
    Advisory Author: Ignacio Vazquez
    Advisory URL: http://www.centaura.com.ar/infosec/adv/ashopkart.txt
    Revised-Date: January 9, 2003
    Advisory Code: CTADVIIC046

    .: Introduction

    a.shopKart is a free shopping cart developed in ASP.
    Its features include product updating, customer management, etc.

    .: Impact
    An attacker can access sensitive information within the system
    database.

    This can lead to disclosure of sensitive personal information,
    including but not limited to credit card information, addresses and
    telephone numbers.

    .: Description
    The program is vulnerable in several places in the code.
    There's a basic input checking function ( TwoSingleQ(str) ) but
    it's not applied everywhere, leaving potentially exploitable holes.

    The following statement shows the vulnerable points
    (taken from addcustomer.asp).

    Here "zip", "state", "country", "phone" and "fax" are concatenated
    into the query without input checking, leaving them open to SQL
    injection.

    sqlAdd = "INSERT INTO customers(cfirstname,clastname,cemail,caddress"
    If Request.Form("address2") <> "" Then
            sqlAdd = sqlAdd & ",caddress2"
    end if
    sqlAdd = sqlAdd & ",ctown,czip"
    If Request.Form("state") <> "" Then
            sqlAdd = sqlAdd & ",cstate"
    End if
    sqlAdd = sqlAdd & ",ccountry,cphone"
    If Request.Form("fax") <> "" Then
            sqlAdd = sqlAdd & ",cfax"
    End if
    sqlAdd = sqlAdd & ") VALUES("
    sqlAdd = sqlAdd & "'" & TwoSingleQ(fname) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(lname) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(email) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(address) & "'"
    If Request.Form("address2") <> "" Then
            sqlAdd = sqlAdd & ",'" & TwoSingleQ(Request.Form("address2")) & "'"
    end if
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(town) & "'"
    sqlAdd = sqlAdd & ",'" & zip & "'"
    If Request.Form("state") <> "" Then
            sqlAdd = sqlAdd & ",'" & Request.Form("state") & "'"
    End if
    sqlAdd = sqlAdd & ",'" & country & "'"
    sqlAdd = sqlAdd & ",'" & phone & "'"
    If Request.Form("fax") <> "" Then
            sqlAdd = sqlAdd & ",'" & Request.Form("fax") & "'"
    End If
    sqlAdd = sqlAdd & ")"

    At least addcustomer.asp, addprod.asp and process.asp are vulnerable
    to this type of attack.

    .: Official Fix Information

    The vendor has been contacted but no fix has been released yet.

    -----

    Ignacio Vazquez
    <ivazquezcentaura.com.ar>

    Director of Technology
    Security Labs Manager

    Centaura Technologies
    http://www.centaura.com.ar
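
The advisory's core finding is that TwoSingleQ() is applied to some concatenated values and not others. The following audit script is an added example, not part of the advisory or of a.shopKart: it flags every expression joined into a SQL string without that wrapper. It assumes SQL-building variables have names starting with "sql", and it only checks that the wrapper is present, not what TwoSingleQ() does. The sample input is abridged from the excerpt quoted in the advisory.

```python
import re

# Abridged from the addcustomer.asp excerpt quoted in the advisory (VALUES half).
ASP_SOURCE = '''\
sqlAdd = sqlAdd & ") VALUES("
sqlAdd = sqlAdd & "'" & TwoSingleQ(fname) & "'"
sqlAdd = sqlAdd & ",'" & TwoSingleQ(Request.Form("address2")) & "'"
sqlAdd = sqlAdd & ",'" & TwoSingleQ(town) & "'"
sqlAdd = sqlAdd & ",'" & zip & "'"
If Request.Form("state") <> "" Then
sqlAdd = sqlAdd & ",'" & Request.Form("state") & "'"
End if
sqlAdd = sqlAdd & ",'" & country & "'"
sqlAdd = sqlAdd & ",'" & phone & "'"
sqlAdd = sqlAdd & ",'" & Request.Form("fax") & "'"
sqlAdd = sqlAdd & ")"
'''

# Assumption: statements that build SQL assign to a variable named sql*.
ASSIGN = re.compile(r'^\s*(sql\w*)\s*=\s*(.+)$', re.IGNORECASE)
# VBScript '&' concatenation operator, matched only outside "..." literals
# (an '&' outside a literal is followed by an even number of double quotes).
SPLIT_AMP = re.compile(r'&(?=(?:[^"]*"[^"]*")*[^"]*$)')


def find_unescaped(source):
    """Return (line_no, expression) pairs for values that are concatenated
    into a SQL string without being wrapped in TwoSingleQ()."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        match = ASSIGN.match(line)
        if not match:
            continue  # If/End If and other non-assignment lines
        target = match.group(1).lower()
        for part in (p.strip() for p in SPLIT_AMP.split(match.group(2))):
            is_literal = part.startswith('"')
            is_wrapped = part.lower().startswith('twosingleq(') and part.endswith(')')
            is_self = part.lower() == target  # the "sqlAdd = sqlAdd & ..." operand
            if part and not (is_literal or is_wrapped or is_self):
                findings.append((line_no, part))
    return findings


if __name__ == "__main__":
    for line_no, expr in find_unescaped(ASP_SOURCE):
        print(f"line {line_no}: {expr} is concatenated without TwoSingleQ()")
```

A hit is a lead for review rather than proof: a flagged variable may have been checked earlier in the file, so each one should be traced back to where it is assigned.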