Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Comersus Shopping Cart Undisclosed Functionality
From: evol () ruiner halo nu
Date: Wed, 28 Jul 2004 23:08:16 -0500 (CDT)

Dear Readers:

You may have heard of this application before.  Here's a few excerpts from
the chronicles of comersus shopping cart:
        1.) http://secunia.com/advisories/12026/
                "Thomas Ryan", XSS
        2.) http://www.net-security.org/vuln.php?id=3559
                "Thomas Ryan", Insecure Price Variables

So, "Tommy Ryan" is intimately familiar with this product.  In fact, he
has detailed that he has sat on 3 vulnerabilities for this product!
        (Also a nice description of his 'disclosure' process)
He has a right to be intimately familiar with this product, as he seems to
own his own (albeit lowly) security company (www.providesecurity.com)
based out of new york on 2027 East 71st Street.  His company's phone
number is [718] 444.3808.  It may also at this time be noted, that he is
an excellent graphics designer if you look on his web page.  However,
innocent looks can be decieving.

It has come to evol's attention that Tommy has been hiding bugs inside
this software and not disclosing the bugs.  Evol thinks this practice of
non-disclosure is dangerous to the internet community.  Sure one might
argue that Tommy telling his cat is not a huge risk for internet
disclosure, i stand in disagreement (i have met his cat).

So what does Evol do?  Evol comes to the rescue!  I have found the bug
that tommy did not want to tell you independently.  You can all relax now,
the internet threat level is lower.  Evol wants to make the internet
community very happy, so he's going to release the bug pro-bono.  It may
also be noted at this time, that after carefull manipulation of the data
contained in tommy's company's web-graphic and with the optimizations evol
has independently discovered in AES brute-force decryption, that it
actually contains a message.  The message is, "I have told my cat how to
get root, and the internet shall suffer my wrath".  Your welcome internet
security community.

So what is the bug you ask?  Improper input validation!  Here's an excerpt
of code:
dim mySQL, conntemp, rstemp, pEmail, pPassword
pEmail          = getUserInput(request("email"),50)
mySQL="SELECT idCustomer, idCustomerType, name, lastName FROM customers
WHERE email='" &pEmail& "' AND password='" &EnCrypt(pPassword,
pEncryptionPassword)& "' AND active=-1"
so one thinks, no problem input validation happens in get user input.  not
the case:
function getUserInput(input,stringLength)
 dim tempStr, newString, regEx
 Set regEx = New RegExp

 tempStr        = left(trim(input),stringLength)

 regEx.Pattern          = "([^A-Za-z0-9 ()  *|' _-]+)"
 regEx.IgnoreCase       = True
 regEx.Global           = True
 newString              = regEx.Replace(tempStr, "")
 Set regEx              = nothing

 ' replace due to DB hack threats
 newString      = replace(newString,"--","")
 newString      = replace(newString,";","")
 getUserInput   = newString
end function

replace due to db hack threats!  what about the single quote?  for proof
of concept, log into server with "username' OR 'hack'='hack".  The more
adventurous can turn this into command execution.

Evol likes tommy though.  Tommy publishes his own disclosure policy and
adheres to it.  Evol wants to follow suit.  Evol's disclosure policy:
1.) Find bug
2.) Drink one (1) can of red bull sugar-free
3.) Take tab, and flip back and forth counting 0-1-0-1-0-1..etc
4.) If sugar-free redbull lands on 1, give vendor notification
5.) If sugar-free redbull lands on 0, proceed to step 7
6.) Notify vendor, waste lots of time telling them the problem and don't
    make money.
7.) Publish vulnerability, get lots of hapiness and lots of time to find
    more bugs.

Fix of bug:
 newString    = replace(newString,"'","")

Disclaimer: I am allowed to change my disclosure policy.  If people
enforce laws regarding disclosure policies I will find a way to leak
vulnerabilities more slowly to the internet community whilst i live in
Africa.  In Africa, I will be able to spend all of my time researching
vulnerabilities which will significantly increase the internet threat
level.  I do not want to be evil, or malicious but I also want freedom.  I
believe G.W. Bush should interfere with these pretend legislative bodies
and give me freedom such as those he's giving to the iraqi people.  But
please if that does happen, don't let the troops strip my girlfriend
nekked and subsequently torture her worse then she ever would have gotten
tortured before.

Don't get caught in the publicity
Or caught in the hype
Hackers are, regular people minus coding all night
Searching for sloppy coding, bugs in logic

Yeah, my rapping skills are new-wave compared to eeye.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Comersus Shopping Cart Undisclosed Functionality evol (Jul 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]