Document Title:
===============
eClime eCommerce JE 1.0.6b - SQL Injection Vulnerabilities

Release Date:
=============
2011-07-13

Vulnerability Laboratory ID (VL-ID):
====================================
82

Product & Service Introduction:
===============================
eclime is a very powerful Smarty™ based e-commerce/shopping cart software built from the trusted osCommerce 2.2 engine, with many useful contributions added. It has all the features needed to run a successful internet store and can be customized to whatever configuration you need.

* Secure and stable code base
* Secure transactions with SSL
* Lightning FAST! - Under 28 Queries per full products list page!
* 100% Smarty(TM)
* 100% Valid Strict XHTML
* All orders stored in the database for fast and efficient retrieval
* Customers can view their order history and order statuses
* Customers can maintain their accounts (multiple shipping and billing addresses)
* Temporary shopping cart for guests and permanent shopping cart for customers
* Product reviews with advanced customizable spam filtering features
* Foreseen checkout procedure
* Global and per-category bestseller lists
* Display what other customers have ordered with the current product shown
* Breadcrumb trail for easy site navigation
* Forgot password (confirmation key feature)
* 100% Dynamic plugin based layout.
* Available plugins:
  * Quick search "auto-complete" (with results count) and advanced search
  * Products auto-stretch ('x' number of products per row depending on the size of the window)
  * Dynamic product attributes relationship with attribute images
  * HTML based product descriptions
  * Image auto-thumbnails (with caching functionality)
  * Advanced watermarking system
  * Products extra images
  * Multiple language support
  * Web based admin Panel
  * View all products page
  * Wishlist
  * RSS feed - new products, product specials.

Admin panel:
* Secure and stable code base
* Admin with access levels
* Drag & drop plugin manager
* Down for maintenance
* Google site maps
* Sales/tax reporting
* Products/categories:
  o Unlimited products and categories
  o Unlimited products specials
  o Unlimited products accessories
  o Unlimited products extra images
  o Drag & drop products/categories sorting (custom sorting)
  o Predefined products sorting (random, date, price, name)
  o Inactivate/activate categories/products
  o Virtual products
  o Categories descriptions
* Unlimited static content pages
* Article/page manager
* Multiple language support
* Coupon manager
* Payment Modules Included:
  o Google Checkout
  o PayPal Express Checkout
  o PayPal Direct Checkout
  o Authorize.Net Consolidated Credit Card v1.7
  o osCommerce core Paypal IPN v1.1
  o Linkpoint
  o Cash on Delivery
  o Standard osC Credit Card
  o EFS Net
  o GeoTrust QuickPayments
  o iPayment
  o Check/Money order
  o NOCHEX
  o PayBox Credit Card
  o 2CheckOut
  o PSIGate
  o SECPay
* Shipping Modules Included:
* Edit orders
* WYSIWYG FCKeditor (supports IE, Firefox, Mozilla, Netscape)

(Copy of Vendor Homepage: http://www.eclime.com/)

Abstract Advisory Information:
==============================
Vulnerability-Lab discovered multiple SQL injection vulnerabilities in the eClime E-Commerce Jet Engine.

Vulnerability Disclosure Timeline:
==================================
2011-00-00: Vendor Notification
2011-00-00: Vendor Response/Feedback
2011-00-00: Vendor Fix/Patch
2011-00-00: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
eClime eCommerce Jet Engine 1.0.6b

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
Multiple SQL injection vulnerabilities were detected in the eclime eCommerce Jet Engine. The vulnerabilities allow a remote attacker to inject their own SQL statements through a vulnerable application parameter or request. User-supplied input is placed directly into the SQL text, as the database error messages below show: the injected quote characters terminate the intended string literal and the remainder of the input is parsed as SQL.

Vulnerable Module(s):
                     [+] manufacturers_id

--- SQL Error Logs ---
Example Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1' at line 1

SELECT count(p.products_id) as total FROM products_description pd, products p LEFT JOIN manufacturers m ON p.manufacturers_id = m.manufacturers_id LEFT JOIN specials s ON (p.products_id = s.products_id AND s.customers_group_id = '0'), products_to_categories p2c WHERE p.products_status = '1' AND p.manufacturers_id = m.manufacturers_id AND m.manufacturers_id = '

Vulnerable Module:
                     [+] Login Form

--- SQL Error Logs ---
Example Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 5

SELECT attempt_count FROM login_attempts WHERE ip_address = 'xx.137.23.137' AND user_name = '-1#'' AND password = '-!#'

1136 - Column count doesn't match value count at row 1

INSERT INTO `login_attempts` ( `ip_address`, `user_name`, `password`, `attempt_count`, `time_stamp` ) VALUES ( 'xx.137.23.137', '' or 1=1--', '' or 1=1--', 1, '1256536215' )

Note on the second error: in MySQL the `--` sequence only starts a comment when it is followed by whitespace, so `--'` is not a comment here. The unescaped quotes instead merge the user_name and password literals into a single expression, leaving four values for five columns, which is exactly the 1136 "column count doesn't match" failure logged above.

Pictures:
../sql1.png
../sql2.png
../sql3.png

Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers. For demonstration or reproduction ...

Path:     ../eclime/
File:     manufacturers.php
Para:     ?manufacturers_id=

Path:     ../eclime/
File:     login.php

Example URL:
http://xxx.com/eclime/manufacturers.php?manufacturers_id=[SQL-Injection]
http://xxx.com/eclime/login.php[SQL-Injection]
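The following is an added example and not eclime or osCommerce code. It models, in Python against an in-memory SQLite database, the two query-building patterns that the advisory's error logs expose (the manufacturers_id lookup in manufacturers.php and the login_attempts INSERT behind login.php) and places each beside a hardened version that validates and binds its input. Table and column names follow the logged queries; the sample rows, the function names and the exact SQL text are assumptions made for illustration, and eclime itself runs on PHP and MySQL rather than SQLite.

```python
# Added example, not eclime's code: models the two query-building patterns
# the advisory's error logs expose, against an in-memory SQLite database.
# Table and column names follow the logged queries; the sample rows and
# function names are assumptions for illustration.
import sqlite3


def setup_db():
    """Constructed sample schema and data mirroring the tables in the logs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE manufacturers (manufacturers_id INTEGER, manufacturers_name TEXT);
        CREATE TABLE products (products_id INTEGER, manufacturers_id INTEGER,
                               products_status INTEGER);
        CREATE TABLE login_attempts (ip_address TEXT, user_name TEXT, password TEXT,
                                     attempt_count INTEGER, time_stamp INTEGER);
        INSERT INTO manufacturers VALUES (1, 'Acme'), (2, 'Globex');
        INSERT INTO products VALUES (10, 1, 1), (11, 1, 1), (12, 2, 1), (13, 2, 0);
    """)
    return db


def run(db, fn, *args):
    """Call fn(db, *args); return ('ok', value) or ('error', message)."""
    try:
        return ("ok", fn(db, *args))
    except (sqlite3.OperationalError, ValueError) as e:
        return ("error", str(e))


# manufacturers.php pattern: the request parameter is pasted into the SQL
# text, so a quote in ?manufacturers_id= yields the 1064-style syntax error
# and a crafted value rewrites the WHERE clause.
def count_products_vulnerable(db, manufacturers_id):
    sql = ("SELECT count(p.products_id) AS total FROM products p "
           "LEFT JOIN manufacturers m ON p.manufacturers_id = m.manufacturers_id "
           "WHERE p.products_status = '1' "
           "AND m.manufacturers_id = '" + manufacturers_id + "'")
    return db.execute(sql).fetchone()[0]


# Hardened: accept only a non-negative integer, then bind it as a parameter.
def count_products_safe(db, manufacturers_id):
    if not str(manufacturers_id).isdigit():
        raise ValueError("manufacturers_id must be a non-negative integer")
    sql = ("SELECT count(p.products_id) AS total FROM products p "
           "LEFT JOIN manufacturers m ON p.manufacturers_id = m.manufacturers_id "
           "WHERE p.products_status = 1 AND m.manufacturers_id = ?")
    return db.execute(sql, (int(manufacturers_id),)).fetchone()[0]


# login.php pattern: the submitted user name and password are written into
# the login_attempts INSERT unescaped, so "' or 1=1--" breaks the VALUES list.
def log_attempt_vulnerable(db, ip, user_name, password, ts):
    sql = ("INSERT INTO login_attempts "
           "(ip_address, user_name, password, attempt_count, time_stamp) "
           "VALUES ('" + ip + "', '" + user_name + "', '" + password + "', 1, '"
           + str(ts) + "')")
    db.execute(sql)
    return db.execute("SELECT count(*) FROM login_attempts").fetchone()[0]


# Hardened: every value is bound, so the payload is stored as an inert string.
def log_attempt_safe(db, ip, user_name, password, ts):
    db.execute("INSERT INTO login_attempts "
               "(ip_address, user_name, password, attempt_count, time_stamp) "
               "VALUES (?, ?, ?, 1, ?)", (ip, user_name, password, ts))
    return db.execute("SELECT count(*) FROM login_attempts").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print(run(db, count_products_vulnerable, "1"))             # ('ok', 2)
    print(run(db, count_products_vulnerable, "1' OR '1'='1"))  # ('ok', 4): filter bypassed
    print(run(db, count_products_vulnerable, "-1'"))           # ('error', ...): syntax error
    print(run(db, count_products_safe, "1' OR '1'='1"))        # ('error', ...): rejected
    p = "' or 1=1--"
    print(run(db, log_attempt_vulnerable, "xx.137.23.137", p, p, 1256536215))  # ('error', ...)
    print(run(db, log_attempt_safe, "xx.137.23.137", p, p, 1256536215))        # ('ok', 1)
```

The vulnerable manufacturers query returns 2 for a legitimate id and 4 for `1' OR '1'='1`, which is the practical consequence of the 1064 error in the advisory: once a quote escapes the literal, the attacker controls the rest of the statement. One difference from the logged MySQL behaviour is worth knowing when reproducing: SQLite treats `--` as a comment unconditionally, so the injected INSERT fails here with an incomplete-statement error, whereas MySQL (which requires whitespace after `--`) reported the column-count mismatch quoted in the advisory.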