
a.shopKart Shopping Cart remote SQL database info leakage



8th Jan 2003 [SBWID-5922]
COMMAND

	a.shopKart Shopping Cart remote SQL database info leakage

SYSTEMS AFFECTED

	Current ?

PROBLEM

	From Ignacio Vazquez [infosecmanager@centaura.com.ar] of Centaura
	Technologies Security Research Lab, advisory [CTADVIIC046] :
	
	 http://www.centaura.com.ar/infosec/adv/ashopkart.txt
	
	
	An  attacker  can  access  sensitive  information  within   the   system
	database.
	
	The program is vulnerable in several places in the code. There is a
	basic input-checking function, TwoSingleQ(str), but it is not applied
	everywhere, leaving potentially exploitable holes.
	
	The following statement shows the vulnerable points (taken from
	addcustomer.asp).
	
	Here "zip", "state", "country", "phone" and "fax" are concatenated into
	the query without passing through TwoSingleQ, so they are open to SQL
	injection.
	
	' Column list; optional columns are appended only when the form field is set
	sqlAdd = "INSERT INTO customers(cfirstname,clastname,cemail,caddress"
	If Request.Form("address2") <> "" Then
		sqlAdd = sqlAdd & ",caddress2"
	End If
	sqlAdd = sqlAdd & ",ctown,czip"
	If Request.Form("state") <> "" Then
		sqlAdd = sqlAdd & ",cstate"
	End If
	sqlAdd = sqlAdd & ",ccountry,cphone"
	If Request.Form("fax") <> "" Then
		sqlAdd = sqlAdd & ",cfax"
	End If
	sqlAdd = sqlAdd & ") VALUES("
	' These values are passed through TwoSingleQ before concatenation
	sqlAdd = sqlAdd & "'" & TwoSingleQ(fname) & "'"
	sqlAdd = sqlAdd & ",'" & TwoSingleQ(lname) & "'"
	sqlAdd = sqlAdd & ",'" & TwoSingleQ(email) & "'"
	sqlAdd = sqlAdd & ",'" & TwoSingleQ(address) & "'"
	If Request.Form("address2") <> "" Then
		sqlAdd = sqlAdd & ",'" & TwoSingleQ(Request.Form("address2")) & "'"
	End If
	sqlAdd = sqlAdd & ",'" & TwoSingleQ(town) & "'"
	' Unchecked: zip is concatenated raw
	sqlAdd = sqlAdd & ",'" & zip & "'"
	' Unchecked: state is concatenated raw
	If Request.Form("state") <> "" Then
		sqlAdd = sqlAdd & ",'" & Request.Form("state") & "'"
	End If
	' Unchecked: country and phone are concatenated raw
	sqlAdd = sqlAdd & ",'" & country & "'"
	sqlAdd = sqlAdd & ",'" & phone & "'"
	' Unchecked: fax is concatenated raw
	If Request.Form("fax") <> "" Then
		sqlAdd = sqlAdd & ",'" & Request.Form("fax") & "'"
	End If
	sqlAdd = sqlAdd & ")"
		
	At least addcustomer.asp, addprod.asp and process.asp are vulnerable to
	this type of attack.
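	The following is an added example, not code from the advisory or from
	a.shopKart: a Python/SQLite model of the addcustomer.asp INSERT above.
	It rebuilds the same statement with the same split between escaped and
	unchecked fields, shows how a payload in the unchecked "zip" field pulls
	data from the customers table into the attacker's own row (which the
	attacker can later read back from their profile), and contrasts it with
	a parameterised rewrite. Assumptions: TwoSingleQ doubles single quotes
	(the advisory names it but does not show its body), the customers
	columns listed in the statement are the only ones needed, and the
	payload uses SQLite's || string operator (SQL Server uses +; the attack
	structure is the same). The sample form data and the pre-existing
	customer row are constructed for the example.

```python
"""Added example (not a.shopKart code): model of the addcustomer.asp INSERT
showing the unchecked "zip" field being used for SQL injection, beside a
parameterised version of the same statement."""
import sqlite3

# Assumption: only the columns named in the advisory's statement exist.
SCHEMA = """
CREATE TABLE customers(
    cfirstname TEXT, clastname TEXT, cemail TEXT, caddress TEXT,
    caddress2 TEXT, ctown TEXT, czip TEXT, cstate TEXT,
    ccountry TEXT, cphone TEXT, cfax TEXT);
"""


def two_single_q(s):
    """Assumed behaviour of the page's TwoSingleQ: double every single quote."""
    return s.replace("'", "''")


def build_insert_vulnerable(form):
    """Mirror addcustomer.asp: fname/lname/email/address/address2/town are
    escaped, zip/state/country/phone/fax are concatenated raw."""
    cols = ["cfirstname", "clastname", "cemail", "caddress"]
    vals = ["'%s'" % two_single_q(form[k]) for k in ("fname", "lname", "email", "address")]
    if form.get("address2"):
        cols.append("caddress2")
        vals.append("'%s'" % two_single_q(form["address2"]))
    cols += ["ctown", "czip"]
    vals += ["'%s'" % two_single_q(form["town"]), "'%s'" % form["zip"]]  # zip unchecked
    if form.get("state"):
        cols.append("cstate")
        vals.append("'%s'" % form["state"])  # state unchecked
    cols += ["ccountry", "cphone"]
    vals += ["'%s'" % form["country"], "'%s'" % form["phone"]]  # both unchecked
    if form.get("fax"):
        cols.append("cfax")
        vals.append("'%s'" % form["fax"])  # fax unchecked
    return "INSERT INTO customers(%s) VALUES(%s)" % (",".join(cols), ",".join(vals))


def build_insert_parameterized(form):
    """Same column logic, but every value is a bound parameter, so no
    form field can change the statement's structure."""
    cols = ["cfirstname", "clastname", "cemail", "caddress"]
    params = [form["fname"], form["lname"], form["email"], form["address"]]
    if form.get("address2"):
        cols.append("caddress2")
        params.append(form["address2"])
    cols += ["ctown", "czip"]
    params += [form["town"], form["zip"]]
    if form.get("state"):
        cols.append("cstate")
        params.append(form["state"])
    cols += ["ccountry", "cphone"]
    params += [form["country"], form["phone"]]
    if form.get("fax"):
        cols.append("cfax")
        params.append(form["fax"])
    placeholders = ",".join("?" * len(cols))
    return "INSERT INTO customers(%s) VALUES(%s)" % (",".join(cols), placeholders), params


def fresh_db():
    """In-memory shop database with one constructed existing customer."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO customers(cfirstname,clastname,cemail,caddress,ctown,czip,ccountry,cphone)"
               " VALUES('Alice','Smith','alice@example.test','1 Main St','Town','10001','US','555-0100')")
    return db


def register(db, form, safe):
    """Run the registration, then return what the new customer's czip holds."""
    if safe:
        sql, params = build_insert_parameterized(form)
        db.execute(sql, params)
    else:
        db.execute(build_insert_vulnerable(form))
    return db.execute("SELECT czip FROM customers WHERE cemail=?", (form["email"],)).fetchone()[0]


# Constructed attacker registration. The zip field closes the quoted string,
# splices in a subquery over the whole customers table, and reopens the
# string, so the harvested data is written into the attacker's own czip.
PAYLOAD_ZIP = "'||(SELECT group_concat(cemail) FROM customers)||'"
ATTACKER_FORM = {
    "fname": "Mallory", "lname": "O'Brien", "email": "mallory@example.test",
    "address": "2 Side St", "address2": "", "town": "Town", "zip": PAYLOAD_ZIP,
    "state": "", "country": "US", "phone": "555-0199", "fax": "",
}

if __name__ == "__main__":
    print(build_insert_vulnerable(ATTACKER_FORM))
    print("vulnerable czip:", register(fresh_db(), ATTACKER_FORM, safe=False))
    print("parameterised czip:", register(fresh_db(), ATTACKER_FORM, safe=True))
```

	With the vulnerable builder the stored czip is the other customer's
	e-mail address; with the parameterised builder it is the payload text
	itself, stored harmlessly. Note that lname "O'Brien" is handled
	correctly in both cases, which is why TwoSingleQ on some fields gives a
	false sense of safety: the fix is to bind every value, not to escape
	most of them.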

SOLUTION

	?

