Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Q-Shop ASP Shopping Cart Input Validation Holes Let Remote Users Inject SQL Commands
|
|
SecurityTracker Alert ID: 1008837 |
|
SecurityTracker URL: http://securitytracker.com/id/1008837
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 24 2004
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Exploit Included: Yes
|
|
Description:
Some vulnerabilities were reported in Q-Shop. A remote user can inject SQL commands and can conduct cross-site scripting attacks.
S-Quadra reported that the search.asp, browse.asp, details.asp, showcat.asp, users.asp, addtomylist.asp, modline.asp, cart.asp, and newuser.asp scripts do not properly validate user-supplied input. A remote user can inject SQL commands to be executed by the underlying database. A remote user may be able to execute arbitrary commands on the target system by invoking the xp_cmdshell function.
It is also reported that the imagezoom.asp and recommend.asp scripts do not filter HTML code from user-supplied input before displaying information based on the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Q-Shop software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor was reportedly notified on January 16 2004.
|
Impact:
A remote user can inject SQL commands and execute operating system commands on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Q-Shop software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: quadcomm.com/qshop/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 23 Jan 2004 17:30:29 +0300
Subject: [Full-Disclosure] QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities
|
S-Quadra Advisory #2004-01-23
Topic: QuadComm Q-Shop ASP Shopping Cart Software multiple security
vulnerabilities
Severity: High
Vendor URL: http://www.quadcomm.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040123.txt
Release date: 23 Jan 2004
1. DESCRIPTION
Q-Shop is a shopping cart application for e-commerce enabled sites.
It's written on ASP, works on most Windows platforms and uses MS Access
or MS SQL
Server as a backend. Please visit http://www.quadcomm.com for
information about
Q-Shop shopping cart.
2. DETAILS
-- Vulnerability 1: SQL Injection vulnerabilities
An SQL Injection vulnerabilities have been found in the following scripts:
search.asp, browse.asp, details.asp, showcat.asp, users.asp,
addtomylist.asp,
modline.asp, cart.asp, newuser.asp
User supplied input is not filtered before being used in a SQL query.
Consequently,
query modification using malformed input is possible.
Successfull exploitation of this vulnerability could allow an attacker
in the worst case to execute
arbitrary commands on a target's system (via MS SQL xp_cmdshell function).
-- Vulnerability 2: Cross Site Scripting vulnerabilities
Cross Site Scripting vulnerabilities have been found in the following
scripts:
imagezoom.asp, recommend.asp
By injecting a specially crafted javascript code in url and tricking a
user to visit
it a remote attacker can steal user session id and gain access to user's
personal data.
3. FIX INFORMATION
S-Quadra alerted QuadComm development team to these issues on 16 Jan 2004.
No response has been received. No fix available at the time of writing.
4. CREDITS
Nick Gudov <cipher@s-quadra.com> is responsible for discovering
this issue.
5. ABOUT
S-Quadra offers services in computer security, penetration testing and
network assesment, web application security, source code review and
third party product
vulnerability assesment, forensic support and reverse engineering.
Security is an art and our goal is to bring responsible and high quality
security service to the IT market, customized to meet the unique needs
of each
individual client.
S-Quadra, (pronounced es quadra), is not an acronym.
It's unique, creative and innovative - just like the security services
we bring to our clients.
S-Quadra Vendor Report #2004-01-23
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
Go to the Top of This SecurityTracker Archive Page
|
