iG Shop Input Validation Flaw in 'type_id' Permits SQL Injection and Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1009249
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Feb 28 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Advisory: SystemSecure.org
|
Version(s): 1.4
|
Description: David Sopas Ferreira of SystemSecure.org reported a vulnerability in iG Shop. A remote user can conduct cross-site scripting and SQL injection attacks.
It is reported that the 'page.php' script does not properly validate user-supplied input in the 'type_id' field.
A remote user
can submit SQL commands to be executed by the underlying database. A demonstration exploit URL is provided:
page.php?page_type=catalog_products&type_id[]='[SQL
Injection]&SESSION_ID={SESSION_ID}&SESSION_ID=
A remote user can also create a specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running
the iG Shop software and will run in the security context of that site. As a result, the code will be able to access the target
user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target
user via web form to the site, or take actions on the site acting as the target user. A demonstration exploit URL is provided:
page.php?page_type=catalog_products&typ
e_id[]=%3Cscript%3Ealert(document.domain);%3C/script%3E&SESSION_ID={SESSION_ID}&SESSION_ID=
The vendor has reportedly been notified.
The
original advisory is available:
http://www.systemsecure.org/advisories/ssadvisory28022004.php
|
Impact: A remote user can cause SQL commands to be executed on the underlying database.
A remote user can access the target user's cookies
(including authentication cookies), if any, associated with the site running the iG Shop software, access data recently submitted
by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.igeneric.co.uk/PHP/iG_Scripts/11.html (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: David Sopas Ferreira <iamroot@systemsecure.org>
|
Message History:
None.
|
Source Message Contents
|
Date: 28 Feb 2004 01:44:45 +0500
From: David Sopas Ferreira <iamroot@systemsecure.org>
Subject: Vulnerability
|
*SystemSecure.org Advisory*
Date: 28-02-2004
Software: iG FREE Shopping Cart v1.4
Vendor: Warned about the problem in 08-02-2004
Website: http://www.igeneric.co.uk
iG Shop is a powerful PHP MySQL based shopping cart
system that enables you create full featured online shop
very quickly.
SQL Injection:
page.php?page_type=catalog_products&type_id[]='[SQL
Injection]&SESSION_ID={SESSION_ID}&SESSION_ID=
XSS Attack:
page.php?page_type=catalog_products&type_id[]=%3Cscript%3Ealert(document.domain);%3C/script%3E&
SESSION_ID={SESSION_ID}&SESSION_ID=
This is caused by a bad filtering of the variable "type_id" in page.php file.
Solution:
Filtering type_id varible for tags and implementing some kind of isnumeric function
will do the work.
Original advisory: http://www.systemsecure.org/advisories/ssadvisory28022004.php
Discovered by David Sopas Ferreira
iamroot@systemsecure.org
/* Vendor reported */
Vendor not reported any solution.
|
|
