Centaura Technologies Security Research Lab Advisory

Product Name: a.shopKart Web Shopping Cart
Systems: Windows NT/2000/.NET Server
Severity: High Risk
Remote: Yes
Category: Insufficient input checking
Vendor URL: http://www.urlogy.com
Advisory Author: Ignacio Vazquez
Advisory URL: http://www.centaura.com.ar/infosec/adv/ashopkart.txt
Revised-Date: January 9, 2003
Advisory Code: CTADVIIC046

.: Introduction

a.shopKart is a free shopping cart developed in ASP. Its features include product updating, customer management, etc.

.: Impact

An attacker can access sensitive information within the system database. This can lead to disclosure of sensitive personal information, including but not limited to credit card information, addresses and telephone numbers.

.: Description

The program is vulnerable in several spots along the code. There is a basic input checking function ( TwoSingleQ(str) ) but it is not applied everywhere, leaving potentially exploitable holes. The following statement shows the vulnerable points (taken from addcustomer.asp). Here "zip", "state", "country", "phone" and "fax" are unchecked for SQL injection vulnerabilities.
    sqlAdd = "INSERT INTO customers(cfirstname,clastname,cemail,caddress"
    If Request.Form("address2") <> "" Then
        sqlAdd = sqlAdd & ",caddress2"
    End If
    sqlAdd = sqlAdd & ",ctown,czip"
    If Request.Form("state") <> "" Then
        sqlAdd = sqlAdd & ",cstate"
    End If
    sqlAdd = sqlAdd & ",ccountry,cphone"
    If Request.Form("fax") <> "" Then
        sqlAdd = sqlAdd & ",cfax"
    End If
    sqlAdd = sqlAdd & ") VALUES("
    sqlAdd = sqlAdd & "'" & TwoSingleQ(fname) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(lname) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(email) & "'"
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(address) & "'"
    If Request.Form("address2") <> "" Then
        sqlAdd = sqlAdd & ",'" & TwoSingleQ(Request.Form("address2")) & "'"
    End If
    sqlAdd = sqlAdd & ",'" & TwoSingleQ(town) & "'"
    sqlAdd = sqlAdd & ",'" & zip & "'"                      ' zip: not passed through TwoSingleQ
    If Request.Form("state") <> "" Then
        sqlAdd = sqlAdd & ",'" & Request.Form("state") & "'"  ' state: unchecked
    End If
    sqlAdd = sqlAdd & ",'" & country & "'"                  ' country: unchecked
    sqlAdd = sqlAdd & ",'" & phone & "'"                    ' phone: unchecked
    If Request.Form("fax") <> "" Then
        sqlAdd = sqlAdd & ",'" & Request.Form("fax") & "'"    ' fax: unchecked
    End If
    sqlAdd = sqlAdd & ")"

At least addcustomer.asp, addprod.asp and process.asp are vulnerable to this type of attack.

.: Official Fix Information

The vendor has been contacted but no fix has been released yet.

-----
Ignacio Vazquez <ivazquez@centaura.com.ar>
Director of Technology
Security Labs Manager
Centaura Technologies
http://www.centaura.com.ar
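Added example (not part of the advisory or of a.shopKart's code): a Python model of the addcustomer.asp INSERT shown in the Description, applying a TwoSingleQ equivalent to exactly the fields the original escapes, beside a parameterised builder that makes per-field escaping unnecessary. The form keys, the column list and the use of sqlite3 as a stand-in database are assumptions for the demo.

```python
import sqlite3
# Mirror of the advisory's TwoSingleQ(str): double every single quote.
def two_single_q(s):
    return s.replace("'", "''")

# (form key, column, optional) in the order addcustomer.asp emits them.
FIELDS = [("fname", "cfirstname", 0), ("lname", "clastname", 0), ("email", "cemail", 0),
          ("address", "caddress", 0), ("address2", "caddress2", 1), ("town", "ctown", 0),
          ("zip", "czip", 0), ("state", "cstate", 1), ("country", "ccountry", 0),
          ("phone", "cphone", 0), ("fax", "cfax", 1)]
# Fields the original passes through TwoSingleQ; the rest are concatenated raw.
ESCAPED = {"fname", "lname", "email", "address", "address2", "town"}
SCHEMA = "CREATE TABLE customers(" + ",".join(c for _, c, _ in FIELDS) + ")"

def present(form):  # required columns plus optional ones submitted non-empty
    return [(k, c) for k, c, opt in FIELDS if not (opt and not form.get(k))]

def build_insert_unsafe(form):
    """String-built statement with the advisory's inconsistent escaping."""
    keys = present(form)
    vals = ["'" + (two_single_q(form[k]) if k in ESCAPED else form[k]) + "'" for k, _ in keys]
    return "INSERT INTO customers(%s) VALUES(%s)" % (",".join(c for _, c in keys), ",".join(vals))

def build_insert_safe(form):
    """Hardened form: placeholders in the SQL, values passed separately; no TwoSingleQ needed."""
    keys = present(form)
    sql = "INSERT INTO customers(%s) VALUES(%s)" % (",".join(c for _, c in keys), ",".join("?" * len(keys)))
    return sql, tuple(form[k] for k, _ in keys)

def unsafe_parses(form):
    """True if the string-built statement is still valid SQL for this input."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        conn.execute(build_insert_unsafe(form))
        return True
    except sqlite3.Error:
        return False

def stored_zip(form):
    """Insert with the safe builder and read back the zip that was stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(*build_insert_safe(form))
    return conn.execute("SELECT czip FROM customers").fetchone()[0]

# Constructed sample submission (not taken from the advisory).
BASE = {"fname": "Mary", "lname": "O'Neil", "email": "mary@example.invalid",
        "address": "1 Main St", "address2": "", "town": "Springfield", "zip": "12345",
        "state": "", "country": "US", "phone": "555-0100", "fax": ""}
```

An apostrophe in an escaped field (lname) leaves the string-built statement valid, while the same character in an unescaped field (zip) breaks it, which is the inconsistency the advisory describes; the parameterised builder stores either value verbatim.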