bug report comersus Back Office Lite 6.0 and 6.0.1
From: raf somers (beltech2bugtraq_at_hotmail.com)
Date: 01/21/05
To: bugtraq@securityfocus.com Date: Fri, 21 Jan 2005 17:07:54 +0100
Software: Comersus ASP Shopping Cart
Version: 6.0 Free version containing BackOffice Lite 6.0 and 6.01
Vendor: Comersus
1. Software Description
--------------------
Comersus ASP shopping cart is a set of ASP scripts creating an online shopping cart. It works on a database of your own choosing (the default is MS Access) and includes online administration tools.
2. Vulnerability description
-------------------------
- bypassing administrator login
- SQL injection
- Design flaw
- Cross Site Scripting
1. Bypassing the administrator login
----------------------------------
File: /backofficelite/comersus_backoffice_install10.asp
This file is the last step in the installation sequence of the ASP web cart. One doesn't have to be a shopping cart administrator to execute this file. Besides setting the value of some variables, it also contains the following code:
session("admin")=1
which registers the current session as having administrator rights on the shopping cart software. So by running this script one gives oneself full rights to all the scripts, including scripts to enter any SQL command, decrypt passwords, etc.
Workaround: delete the file after install or rename it.
2. Possible SQL injection
----------------------
File: /store/default.asp
If the option pIndexVisitsCounter is set to -1 (not the default), this script will add a line to the database:
mySQL="INSERT INTO visits (userIp, referrer, visitDate, visitTime, idStore) VALUES ('"&pUserIp&"','"&pReferrer&"','"&pVisitDate&"','"&pVisitTime&"',"&pIdStore&")"
Interesting here is the pReferrer variable, which is loaded as follows:
pReferrer = request.ServerVariables("HTTP_Referer")
No further data validation is done on the mySQL string before it is sent to the database for processing. This allows an attacker to craft his own HTTP GET request and enter SQL code into the Referer field, e.g.:
GET /comersus/store/default.asp HTTP/1.1
Referer: <SQLCODE HERE>
Workaround: disable visitor logging (pIndexVisitsCounter=0) or add an input check when loading pReferrer.
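The string-built INSERT above, as an added example that is not Comersus code: Python with SQLite stands in for ASP and Access, showing the concatenated statement beside a parameterized one and the input check the workaround calls for. The visits table schema, the IP address and the dates are constructed for the example.

```python
import sqlite3
from urllib.parse import urlsplit

# Table reconstructed from the column list in the advisory's INSERT (constructed).
SCHEMA = ("CREATE TABLE visits (userIp TEXT, referrer TEXT, "
          "visitDate TEXT, visitTime TEXT, idStore INTEGER)")

def new_db():
    """In-memory stand-in for the shop's Access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def build_concatenated_sql(user_ip, referrer, visit_date, visit_time, id_store):
    """Mirror of the advisory's mySQL string: the Referer is pasted into SQL text."""
    return ("INSERT INTO visits (userIp, referrer, visitDate, visitTime, idStore) "
            "VALUES ('" + user_ip + "','" + referrer + "','" + visit_date +
            "','" + visit_time + "'," + str(id_store) + ")")

def log_visit_concatenated(conn, referrer):
    """Run the string-built statement. Returns False when a client-supplied
    Referer changed the statement's structure (here: an apostrophe breaks it)."""
    sql = build_concatenated_sql("203.0.113.5", referrer, "2005-01-21", "17:07", 1)
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False

def log_visit_parameterized(conn, referrer):
    """Hardened form: the Referer is bound as a value, never parsed as SQL.
    Returns the stored referrer so the round trip can be checked."""
    conn.execute(
        "INSERT INTO visits (userIp, referrer, visitDate, visitTime, idStore) "
        "VALUES (?, ?, ?, ?, ?)",
        ("203.0.113.5", referrer, "2005-01-21", "17:07", 1))
    row = conn.execute("SELECT referrer FROM visits ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]

def referrer_is_plausible(referrer, max_len=255):
    """Input check for pReferrer: an http(s) URL of bounded length with no quote
    characters. Anything else is logged as an empty referrer instead."""
    if not referrer or len(referrer) > max_len or "'" in referrer or '"' in referrer:
        return False
    parts = urlsplit(referrer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)
```

With the check in place, a request whose Referer fails referrer_is_plausible should be recorded with an empty referrer rather than rejected outright, since visit counting must not become a way to make the storefront error out.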
3. Design Flaw
-----------
Passwords are stored encrypted inside the database. Since this software is open source, the encryption and decryption algorithms are not unknown. The only thing an attacker needs, once he has obtained the passwords from the database, is the encryption key. Assuming the attacker has access to the database (he obtained the encrypted passwords), he also has access to this key because it is stored inside the same database.
Workaround: store the key in another place.
4. Cross site scripting attack
---------------------------
Files: - /comersus/backofficelite/comersus_supportError.asp
       - /comersus/backofficelite/comersus_backofficelite_supportError.asp
Example:
http://host/comersus/backofficelite/comersus_supportError.asp?error=