Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: hack0611.htm

Spider Sales shopping cart software multiple security vulnerabilities



Spider Sales shopping cart software multiple security vulnerabilities

        S-Quadra Advisory #2004-03-03

Topic: Spider Sales shopping cart software multiple security vulnerabilities
Severity: High
Vendor URL: http://www.spidersales.com 
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040303.txt 
Release date: 03 Mar 2004

1. DESCRIPTION

"Spider Sales is a powerful shopping cart solution designed for small,
medium or large enterprises who want to sale their products on the
Internet market. You can use it to build any kind of Internet shop and
virtually sell anything." spidersales.com site says. It's written on
ASP, works on most Windows platforms and uses MS Access, MS SQL Server
or MySQL Server as a backend. Please visit http://www.spidersales.com 
for more information about this shopping cart.

2. DETAILS

-- Vulnerability 1: Incorrect use of cryptography

Spider Sales shopping cart software uses RSA cryptosystem to encrypt
sensitive data before storing it in a database. The RSA cryptosystem is
a public-key cryptosystem that offers both encryption and digital
signatures (authentication). Please read
http://www.rsasecurity.com/rsalabs/faq/3-1-1.html for more information 
about RSA cryptosystem. In the Spider Sales shopping cart software the
maximum length of the modulus n is equal to 20 bits and don't have
minimum lenght limit, so it is easy for attacker to factor n into p and
q and obtain the private key d. Moreover, the private key is stored in
the same database and in the same table where a public key is. So an
attacker can decrypt any protected information if he gains access to
store's database.

-- Vulnerability 2: SQL Injection vulnerability

Substantial number of scripts in Spider Sales software don't filter
'userId' parameter, which can be used by attacker for modifying SQL
query and perform some of SQL injection attacks.

Successfull exploitation of this vulnerability could allow an attacker
to gain access to Spider Sales administrator interface and read any
information from store's database (i.e. customers private data). Also an
attacker could execute commands using xp_cmdshell function.

--PoC code

--Vulnerability 2:

Platform: MS SQL Server as a backend

The following request executes dir c: command and saves result in
c:\inetpub\wwwroot\dirc.txt file

http://[target]/Carts/Computers/viewCart.asp?userID=289322512572263 4';exec%20master..xp_cmdshell%20'dir%20c:%20>%20c:\inetpub\wwwroot\dirc.txt'--&viewID=48

3. FIX INFORMATION

S-Quadra alerted Spider Sales development team to these issues on 25
Feb 2004. No response has been received. No fix information has been
provided.

4. CREDITS

Nick Gudov  has detected above mentioned 
vulnerabilities.

5. ABOUT

S-Quadra dedicates its substantial knowledge and resources to managing
clients' IT security risks. S-Quadra audits and protection for software
and networks implent pioneering methods and ground-breaking
technologies.

           S-Quadra Advisory #2004-03-03


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH