TUCoPS :: Web :: e-commerce, shopping carts

TUCoPS :: Web :: e-commerce, shopping carts :: hack0608.htm
CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities

CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities S-Quadra Advisory #2004-03-31 Topic: CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities Severity: High Vendor URL: http://www.cactushop.com Advisory URL: http://www.s-quadra.com/advisories/Adv-20040331.txt Release date: 31 Mar 2004 1. DESCRIPTION CactuShop is an ASP application for running an e-commerce web site. It incorporates a databased catalogue system, front end pages for product navigation, back end pages for updating product details and robust basket code for memorizing product selections as a visitor moves around the web site. ASP software is designed to run on a Microsoft NT or Win 2000 server and to use MS Access, MS SQL Server or MySQL as a backend. Please visit http://www.cactushop.com for information about CactuShop shopping cart. 2. DETAILS -- Vulnerability 1: SQL Injection vulnerability An SQL Injection vulnerability has been found in following scripts : 'mailorder.asp' and 'payonline.asp'. User supplied input parameter is 'strItems' not filtered before being used in an SQL query. Thus the query modification through malformed input is possible. Successful exploitation of this vulnerability can enable an attacker to execute commands in the system (via MS SQL xp_cmdshell function). -- Vulnerability 2: Cross Site Scripting vulnerability found in 'largeimage.asp'script By injecting specially crafted javascript code in url and tricking a user to visit it a remote attacker can steal user session id and gain access to user's personal data. --PoC code --Vulnerability 1: Platform: MS SQL Server as a backend Posting this data to 'payonline.asp' executes 'dir c:' command strAgain=yes&CD_EmailAddress=dummy@someemailservice.com&C D_Password=& CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200& CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1& numCurrencyID=1&numItemCount=2&strItems=214;+exec+master..xp_cmdshell+'dir+c:'--z165z& strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed -- Vulnerability 2: http://[target]/popuplargeimage.asp?strImageTag= 3. FIX INFORMATION 11 Mar 2004: S-Quadra alerted CactuSoft (CactuShop developers) on these issues. 15 Mar 2004: CactuSoft response: "1) SQL Injection On payonline.asp and all mailorder pages the strItems field is now parsed for single-quote (') characters before being used with database queries. Single quotes are escaped (replaced with 2 single-quotes) to ensure SQL Injection won't work. 2) Javascript Injection The strImageTag field is parse for HTML tags characters (< and >) and are removed from the string. This should ensure against