Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: netcomrc.htm

IBM NetCommerce 3 suffers known WebSphere bugs and others (others?)



Vulnerability

    NetCommerce

Affected

    IBM NetCommerce 3 (others?)

Description

    Rudi  Carell  found  following.   He  found  a  couple  of serious
    security-holes within  ibm s  so called  "netcommerce" thing which
    seems to be a mixture of websphere, net.data, servlets, jsp s  and
    db2?

    Besides  well  known  websphere-bugs  (file  thru  disclosure  and
    default-admin  passwords),  the  most  dangerous  bugs result from
    NON-existing  input  validation   within  netcommerc  s   net.data
    "macros".

    By  crafting  malformed  http-requests  it  is possible to extract
    "any" netcommerce-database-information.

    Combining   this   method    with   other    default-"netcommerce"
    funcionality (PasswordReset  for example)  it is  possible to take
    hold of so called "store-" or "site-manager"-accounts.

    Once you're  an nc-administrator  you are  allowed to  use all the
    admin-tools.  At this point youre able to up- and download  files,
    issue  op-system-commands  or  do  any  query  with  the very very
    high-privileged DB2INST1 account.

    This can lead to a possible take-over of the whole system.... Many
    "default-macros"  are  vulnerable  to  this  (classic:-)  sort  of
    attack.

    A few examples:

        1) "HowTo find Administrator Accounts"
        http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

        2) "Passwords(crypted)"
        http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

        3) "Password-Reminders"
        http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

    Of course "orderdspc.d2w" is not the only vulnerable macro .. it's
    just an example.  Casting between different data-types is possible
    (read the db2-man pages).

    Also it should (not proofed) be possible to query other databases.

    This has been confirmed on Net.Commerce 3.1.2.

Solution

    Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH