Re: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection

To: John Cobb <johnc@xxxxxxxxxxx>
Subject: Re: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection
From: Patrick Morris <pmorris@xxxxxxxxxxxxxxxxxx>
Date: Tue, 02 Aug 2005 15:14:41 -0700
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAW9awBalVl02jSH2wQZK2tsKAAAAQAAAAjABweeUCjUCoPyp+dA5R0QEAAAAA@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAW9awBalVl02jSH2wQZK2tsKAAAAQAAAAjABweeUCjUCoPyp+dA5R0QEAAAAA@xxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)

Do you have any evidence that there is a real vulerability here, or areyou basing your assumption on the error messages? If it's strictlybased on the error messages, this is more of a PHP thing than one withthe shopping cart, and the information disclosure would be fixed byproperly configuring PHP not to display those errors.


John Cobb wrote:

Hello All,

I have discovered a couple of remote vulnerabilities in: Naxtor Shopping
Cart 1.0

Authors Site: http://www.naxtor.com.au/

Naxtor is described by its authors as:

Naxtor Shopping Cart is one stop solution for companies' interested in
selling merchandise online.

+-[Examples:]--------------------------------------------------+

[1]------------------------------------------------------------+

XSS:

http://www.victim.com/lost_passowrd.php?&email=<script>var%20xss=31337;alert
(xss);</script>&reset=reset

[2]------------------------------------------------------------+

Information Disclosure & Possible SQL Injection:

http://www.victim.com/shop_display_products.php?cat_id='



Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/navigation.php on line 13

Warning: mysql_numrows(): supplied argument is not a valid MySQL result
resource in /var/www/html/shop_display_products.php on line 180

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result
resource in /var/www/html/shop_display_products.php on line 181


+-[Notes:]-----------------------------------------------------+

Vulnerabilities found on: 15/06/2005
Author(s) Informed on: 16/06/2005
Author(s) Response: NONE
Author(s) Fix: NONE



Regards

John Cobb

JohnC@xxxxxxxxxxx

http://www.NoBytes.com

Follow-Ups:
- Re: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection
  - From: ICool

References:
- [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection
  - From: John Cobb

Prev by Date: Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow vulnerabilities)
Next by Date: Zip 2,31 bad default file-permissions vulnerability
Previous by thread: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection
Next by thread: Re: [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection
Index(es):
- Date
- Thread