Document Title: =============== eClime eCommerce JE 1.0.6b - SQL Injection Vulnerabilities Release Date: ============= 2011-07-13 Vulnerability Laboratory ID (VL-ID): ==================================== 82 Product & Service Introduction: =============================== eclime is a very powerful Smarty™ based e-commerce/shopping cart software build from trusted osCommerce 2.2 engine, with many useful contributions added. It has all the features needed to run a successful internet store and can be customized to whatever configuration you need. * Secure and stable code base * Secure transactions with SSL * Lightning FAST! - Under 28 Queries per full products list page! * 100% Smarty(TM) * 100% Valid Strict XHTML * All orders stored in the database for fast and efficient retrieval * Customers can view their order history and order statuses * Customers can maintain their accounts (multiple shipping and billing addresses) * Temporary shopping cart for guests and permanent shopping cart for customers * Product reviews with advanced customizable spam filtering features * Foreseen checkout procedure * Global and per-category bestseller lists * Display what other customers have ordered with the current product shown * Breadcrumb trail for easy site navigation * Forgot password (confirmation key feature) * 100% Dynamic plugin based layout. * Available plugins: * Quick search \"auto-complete\" (with results count) and advanced search * Products auto-stretch (\'x\' number of products per row depending on the size of the window) * Dynamic product attributes relationship with attribute images * HTML based product descriptions * Image auto-thumbnails (with caching functionality) * Advanced watermarking system * Products extra images * Multiple language support * Web based admin Panel * View all products page * Wishlist * RSS feed - new products, product specials. Admin panel: * Secure and stable code base * Admin with access levels * Drag & drop plugin manager * Down for maintenance * Google site maps * Sales/tax reporting * Products/categories: o Unlimited products and categories o Unlimited products specials o Unlimited products accessories o Unlimited products extra images o Drag & drop products/categories sorting (custom sorting) o Predefined products sorting (random, date, price, name) o Inactivate/activate categories/products o Virtual products o Categories descriptions * Unlimited static content pages * Article/page manager * Multiple language support * Coupon manager * Payment Modules Included: o Google Checkout o PayPal Express Checkout o PayPal Direct Checkout o Authorize.Net Consolidated Credit Card v1.7 o osCommerce core Paypal IPN v1.1 o Linkpoint o Cash on Delivery o Standard osC Credit Card o EFS Net o GeoTrust QuickPayments o iPayment o Check/Money order o NOCHEX o PayBox Credit Card o 2CheckOut o PSIGate o SECPay * Shipping Modules Included: * Edit orders * WYSIWYG FCKeditor (supports IE, Firefox, Mozilla, Netscape) (Copy of Vendor Homepage: Abstract Advisory Information: ============================== Vulnerability-Lab discovered multiple SQL-Injection Vulnerabilities in the E-Commerce Jet Engine. Vulnerability Disclosure Timeline: ================================== 2011-00-00: Vendor Notification 2011-00-00: Vendor Response/Feedback 2011-00-00: Vendor Fix/Patch 2011-00-00: Public or Non-Public Disclosure Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ Multiple SQL vulnerabilities are detected in eclime ecommerce jet engine. The vulnerability allows an remote attacker to inject own sql statements on a vulnerable application parameter request. Vulnerable Module(s): [+] manufacturers_id --- SQL Error Logs --- Example Error: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near -1 at line 1 SELECT count(p.products_id) as total FROM products_description pd, products p LEFT JOIN manufacturers m ON p.manufacturers_id = m.manufacturers_id LEFT JOIN specials s ON (p.products_id = s.products_id AND s.customers_group_id = \/0\/), products_to_categories p2c WHERE p.products_status = /1/ AND p.manufacturers_id = m.manufacturers_id AND m.manufacturers_id = / Vulnerable Module: [+] Login Form --- SQL Error Logs --- Example Error: 1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \ \ at line 5 SELECT attempt_count FROM login_attempts WHERE ip_address = \ xx.137.23.137\ AND user_name = \ -1# \ \ AND password = \ -!#\ 1136 - Column count doesn\ t match value count at row 1 INSERT INTO `login_attempts` ( `ip_address`, `user_name`, `password`, `attempt_count`, `time_stamp` ) VALUES ( \ xx.137.23.137\ , \ \ or 1=1--\ , \ \ or 1=1--\ , 1, \ 1256536215\ ) Pictures: ../sql1.png ../sql2.png ../sql3.png Proof of Concept (PoC): ======================= The vulnerabilities can be exploited by remote attackers. For demonstration or reproduce ... Path: ../eclime/ File: manufacturers.php Para: ?manufacturers_id= Path: ../eclime/ File: login.php Example URL:[SQL-Injection][SQL-Injection] eClime - E-Commerce Jet Engine 1.0.6b [Remote SQL-Injection]

eClime - E-Commerce Jet Engine [SQL-Injection Exploit]


Vulnerability Lab ~Remove

Security Risk: ============== The security risk of the sql injection vulnerabilities are estimated as critical. Credits & Authors: ================== Vulnerability Research Laboratory Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: - - Contact: - - Section: - - Social:!/vuln_lab - - Feeds: - - Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact ( or to get a permission. Copyright © 2012 | Vulnerability Laboratory