From:dedi dwianto <the_day_(at)_echo.or.id>
Date:17.05.2005
Subject:Multiple Vulnerabilities in MetaCart e-Shop



____________________   ___ ___ ________
\_   _____/\_   ___ \ /   |   \\_____  \  
|    __)_ /    \  \//    ~    \/   |   \
|        \\     \___\    Y    /    |    \
/_______  / \______  /\___|_  /\_______  /
       \/         \/       \/         \/

   .OR.ID
ECHO_ADV_13$2005

---------------------------------------------------------------------------
                    Multiple Vulnerabilities in MetaCart e-Shop
---------------------------------------------------------------------------

Author: Dedi Dwianto
Date: May, 16th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv13-theday-2005.txt

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : MetaCart e-Shop
version: All versions of MetaCart e-Shop products
url : http://www.metalinks.com
Author: MetaLinks Online Design
Description:

MetaCart e-Shop is a shopping cart application for small businesses
that supports MS SQL, MS Access and MySQL.

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross-Site Scripting (XSS)

  File productsByCategory.asp

  http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>

  The strCatalog_NAME parameter is read from the query string and reflected
  into the page without HTML encoding, so script supplied in the parameter
  runs in the visitor's browser.

  Problem Script productsByCategory.asp

  --------------
  strCatalog_name = Request.QueryString("strCatalog_NAME")
  ...
  ...
  strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write
  (Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")
  --------------

B. SQL Injection

  File productsByCategory.asp

  http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2'   (SQL injection)

  Problem Script

  ---------------
  intCatalogID = Request.QueryString("intCatalogID")
  ...
  ...
  ' Build SQL String using the parameters
  strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID = '"&strParam&"'"
  ---------------

  The request value is concatenated straight into the query text. A single
  quote in the value closes the string literal and the remainder is parsed
  as SQL; the proof of concept below uses the strSubCatalogID parameter of
  the same page, and the JET error shows the injected text reaching the
  database engine.

  Ex : http://www.metalinks.com/mcartlite/productsByCategory.asp?strSubCatalogID=2'having 1=1--
  Error :
          Microsoft JET Database Engine error '80040e14'
          Syntax error in string in query expression '1=1--''.
          /mcartlite/productsByCategory.asp, line 114

  File product.asp

  http://[url]/mcartlite/product.asp?intProdID=1'   (SQL injection)

  Problem Script product.asp line 102

  ---------------
  intProdID = Request.QueryString("intProdID")
  ...
  ...
  ' intProdID is spliced into the query unquoted and unvalidated
  Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
               "products where productID="&intProdID)
         if rsProdInfo.EOF then
               Response.Write "Product Number " & intProdID & _
                       " does not exist."
  ---------------
    
C. Solution
  Filter the characters used by the requests above with Replace():

       - productsByCategory.asp

         * Find
           intCatalogID = Request.QueryString("intCatalogID")
           After it, add
           intCatalogID = Replace(intCatalogID, "'", "")
         * Find
           strCatalog_name = Request.QueryString("strCatalog_NAME")
           After it, add
           strCatalog_name = Replace(strCatalog_name, "<", "")

       - product.asp

         * Find
           intProdID = Request.QueryString("intProdID")
           After it, add
           intProdID = Replace(intProdID, "'", "")

  Caveat: these replacements stop only the specific payloads shown above. In
  product.asp the value is concatenated into the query unquoted, so an input
  with no quote in it (for example intProdID=1 OR 1=1) still reaches the
  database; check that the value is a whole number (IsNumeric/CLng) or bind it
  as an ADODB.Command parameter. Likewise, removing "<" does not stop script
  placed in an attribute context; encode the reflected value with
  Server.HTMLEncode (or Server.URLEncode where it is placed in a URL) instead.


---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@yahoogroups.com ,
~ #e-c-h-o@DALNET

---------------------------------------------------------------------------
Contact:
~~~~~~~~

    the_day || echo|staff || the_day[at]echo[dot]or[dot]id
    Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
