From research@s-quadra.com Wed Mar 3 17:28:10 2004 From: S-Quadra Security Research To: full-disclosure , bugtraq Date: Wed, 03 Mar 2004 15:10:51 +0300 Subject: Spider Sales shopping cart software multiple security vulnerabilities S-Quadra Advisory #2004-03-03 Topic: Spider Sales shopping cart software multiple security vulnerabilities Severity: High Vendor URL: http://www.spidersales.com Advisory URL: http://www.s-quadra.com/advisories/Adv-20040303.txt Release date: 03 Mar 2004 1. DESCRIPTION "Spider Sales is a powerful shopping cart solution designed for small, medium or large enterprises who want to sale their products on the Internet market. You can use it to build any kind of Internet shop and virtually sell anything." spidersales.com site says. It's written on ASP, works on most Windows platforms and uses MS Access, MS SQL Server or MySQL Server as a backend. Please visit http://www.spidersales.com for more information about this shopping cart. 2. DETAILS -- Vulnerability 1: Incorrect use of cryptography Spider Sales shopping cart software uses RSA cryptosystem to encrypt sensitive data before storing it in a database. The RSA cryptosystem is a public-key cryptosystem that offers both encryption and digital signatures (authentication). Please read http://www.rsasecurity.com/rsalabs/faq/3-1-1.html for more information about RSA cryptosystem. In the Spider Sales shopping cart software the maximum length of the modulus n is equal to 20 bits and don't have minimum lenght limit, so it is easy for attacker to factor n into p and q and obtain the private key d. Moreover, the private key is stored in the same database and in the same table where a public key is. So an attacker can decrypt any protected information if he gains access to store's database. -- Vulnerability 2: SQL Injection vulnerability Substantial number of scripts in Spider Sales software don't filter 'userId' parameter, which can be used by attacker for modifying SQL query and perform some of SQL injection attacks. Successfull exploitation of this vulnerability could allow an attacker to gain access to Spider Sales administrator interface and read any information from store's database (i.e. customers private data). Also an attacker could execute commands using xp_cmdshell function. --PoC code --Vulnerability 2: Platform: MS SQL Server as a backend The following request executes dir c: command and saves result in c:\inetpub\wwwroot\dirc.txt file http://[target]/Carts/Computers/viewCart.asp?userID=2893225125722634';exec%20master..xp_cmdshell%20'dir%20c:%20>%20c:\inetpub\wwwroot\dirc.txt'--&viewID=48 3. FIX INFORMATION S-Quadra alerted Spider Sales development team to these issues on 25 Feb 2004. No response has been received. No fix information has been provided. 4. CREDITS Nick Gudov has detected above mentioned vulnerabilities. 5. ABOUT S-Quadra dedicates its substantial knowledge and resources to managing clients' IT security risks. S-Quadra audits and protection for software and networks implent pioneering methods and ground-breaking technologies. S-Quadra Advisory #2004-03-03