8th Jan 2003 [SBWID-5922]
COMMAND
a.shopKart Shopping Cart remote SQL database info leakage
SYSTEMS AFFECTED
Current ?
PROBLEM
From the Centaura Technologies Security Research Lab advisory [CTADVIIC046]
by Ignacio Vazquez [infosecmanager@centaura.com.ar]:
http://www.centaura.com.ar/infosec/adv/ashopkart.txt
An attacker can access sensitive information within the system
database.
The program is vulnerable in several spots along the code. There is a
basic input checking function ( TwoSingleQ(str) ), but it is not applied
everywhere, leaving potentially exploitable holes.
The following statement, taken from addcustomer.asp, shows the vulnerable
points. Here "zip", "state", "country", "phone" and "fax" are not checked
for SQL injection.
' Column list: optional columns are added only when the form field is present
sqlAdd = "INSERT INTO customers(cfirstname,clastname,cemail,caddress"
If Request.Form("address2") <> "" Then
sqlAdd = sqlAdd & ",caddress2"
End If
sqlAdd = sqlAdd & ",ctown,czip"
If Request.Form("state") <> "" Then
sqlAdd = sqlAdd & ",cstate"
End If
sqlAdd = sqlAdd & ",ccountry,cphone"
If Request.Form("fax") <> "" Then
sqlAdd = sqlAdd & ",cfax"
End If
sqlAdd = sqlAdd & ") VALUES("
' These values pass through TwoSingleQ() before concatenation
sqlAdd = sqlAdd & "'" & TwoSingleQ(fname) & "'"
sqlAdd = sqlAdd & ",'" & TwoSingleQ(lname) & "'"
sqlAdd = sqlAdd & ",'" & TwoSingleQ(email) & "'"
sqlAdd = sqlAdd & ",'" & TwoSingleQ(address) & "'"
If Request.Form("address2") <> "" Then
sqlAdd = sqlAdd & ",'" & TwoSingleQ(Request.Form("address2")) & "'"
End If
sqlAdd = sqlAdd & ",'" & TwoSingleQ(town) & "'"
' zip, state, country, phone and fax are concatenated unchecked
sqlAdd = sqlAdd & ",'" & zip & "'"
If Request.Form("state") <> "" Then
sqlAdd = sqlAdd & ",'" & Request.Form("state") & "'"
End If
sqlAdd = sqlAdd & ",'" & country & "'"
sqlAdd = sqlAdd & ",'" & phone & "'"
If Request.Form("fax") <> "" Then
sqlAdd = sqlAdd & ",'" & Request.Form("fax") & "'"
End If
sqlAdd = sqlAdd & ")"
At least addcustomer.asp, addprod.asp and process.asp are vulnerable to
this type of attack.
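The following is an added example, not code from the advisory or from a.shopKart. It rebuilds the addcustomer.asp statement in Python with an in-memory SQLite table, once the way the shop does it (values concatenated, only some through TwoSingleQ) and once with a placeholder for every value, and shows that a single stray quote in the unchecked "phone" field is enough to break the concatenated statement while the parameterized one stores the value intact. TwoSingleQ's body (doubling each single quote) is assumed from its name; the form data is constructed.

```python
import sqlite3

# Hypothetical port of the shop's TwoSingleQ(): only the name appears in the
# advisory; doubling each single quote is an assumption about its body.
def two_single_q(s):
    return s.replace("'", "''")

# (form field, column, passed through TwoSingleQ in addcustomer.asp?, optional column?)
FIELDS = [
    ("fname", "cfirstname", True, False), ("lname", "clastname", True, False),
    ("email", "cemail", True, False), ("address", "caddress", True, False),
    ("address2", "caddress2", True, True), ("town", "ctown", True, False),
    ("zip", "czip", False, False), ("state", "cstate", False, True),
    ("country", "ccountry", False, False), ("phone", "cphone", False, False),
    ("fax", "cfax", False, True),
]

def build_insert(form, use_params):
    """use_params=False mirrors addcustomer.asp: values concatenated into the SQL
    text, only some escaped. use_params=True is the fix: a placeholder per value."""
    cols, vals, params = [], [], []
    for field, col, escaped, optional in FIELDS:
        value = form.get(field, "")
        if optional and value == "":
            continue
        cols.append(col)
        if use_params:
            vals.append("?")
            params.append(value)
        else:
            vals.append("'" + (two_single_q(value) if escaped else value) + "'")
    sql = "INSERT INTO customers(%s) VALUES(%s)" % (",".join(cols), ",".join(vals))
    return sql, params

def insert_and_read_phone(form, use_params):
    """Run the statement on an in-memory table; return the stored cphone or the driver error."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(cfirstname,clastname,cemail,caddress,caddress2,"
                 "ctown,czip,cstate,ccountry,cphone,cfax)")
    try:
        conn.execute(*build_insert(form, use_params))
    except sqlite3.Error as err:
        return "error: " + str(err)
    return conn.execute("SELECT cphone FROM customers").fetchone()[0]

# Constructed sample submission: a quote in an escaped field (lname) and in an
# unchecked one (phone). The first is handled by TwoSingleQ, the second is not.
SAMPLE_FORM = {"fname": "Ann", "lname": "O'Neil", "email": "ann@example.invalid",
               "address": "1 Main St", "town": "Springfield", "zip": "12345",
               "country": "US", "phone": "555'0100"}
```

With SAMPLE_FORM, insert_and_read_phone(SAMPLE_FORM, False) returns a driver error because the unchecked quote ends the string literal early, while insert_and_read_phone(SAMPLE_FORM, True) returns "555'0100" unchanged.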
SOLUTION
?