Multiple Vulnerabilities in MetaCart e-Shop
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/
.OR.ID
ECHO_ADV_13$2005
---------------------------------------------------------------------------
Multiple Vulnerabilities in MetaCart e-Shop
---------------------------------------------------------------------------
Author: Dedi Dwianto
Date: May, 16th 2005
Location: Indonesia, Jakarta
Web: http://echo.or.id/adv/adv13-theday-2005.txt
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : MetaCart e-Shop
version: All version of MetaCart e shop Products
url : http://www.metalinks.com
Author: MetaLinks Online Design
Description:
MetaCart e-Shop Is shopping cart application for small businesses
and support ms SQL,MS Access and MySQL.
---------------------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Cross-Site Scripting (XSS)
File productsByCategory.asp
http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>
Problem Script productsByCategory.asp
--------------
strCatalog_name = Request.QueryString("strCatalog_NAME")
...
...
strParam = Response.Write (rsCatalog("catalogID"))
&strCatalog_NAME=Response.Write
(Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")
--------------
B. SQL Injection
File productsByCategory.asp
http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2'(Sql
Injection)
Problem Script
---------------
intCatalogID = Request.QueryString("intCatalogID")
...
...
' Build SQL String using the parameters
strSQL = "SELECT productID,productName,productPrice FROM products WHERE
catalogID = '"&strParam&"'"
---------------
Ex :
http://www.metalinks.com/mcartlite/productsByCategory.asp?strSubCatalogID=2'having
1=1--
Error :
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '1=1--''.
/mcartlite/productsByCategory.asp, line 114
File strCatalog_NAME
http://[url]/mcartlite/product.asp?intProdID=1'(SQL Injection)
Problem Script product.asp line 102
---------------
intProdID = Request.QueryString("intProdID")
...
...
Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
"products where productID="&intProdID)
if rsProdInfo.EOF then
Response.Write "Product Number " & intProdID & _
" does not exist."
---------------
C. Solution
Using Replace String For Filter some character
- productsByCategory.asp
* Find
intCatalogID = Request.QueryString("intCatalogID")
After,add
intCatalogID = Replace(intCatalogID,"'","")
* Find
strCatalog_name = Request.QueryString("strCatalog_NAME")
After,add
strCatalog_name = Replace(strCatalog_NAME,"<","")
- product.asp
* Find
intProdID = Request.QueryString("intProdID")
After,add
intProdID = Replace(intProdID,"'","")
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
~ Lieur Euy , MSR
~ newbie_hacker@xxxxxxxxxxxxxxx ,
~ #e-c-h-o@DALNET
---------------------------------------------------------------------------
Contact:
~~~~~~~~
the_day || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------