by r0t,der4444,cembo,VietMafia

Thursday, March 02, 2006

NZ Ecommerce SQL & XSS vuln.

Vuln. discovered by: r0t
Date: 2 March 2006
Vendor: www.digitalbuilder.co.nz/Product_Code_NZEcommerce.asp
Affected version: latest



1. XSS

Input passed to the "action" parameter in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


2. SQL

NZ Ecommerce contains a flaw that allows remote SQL injection attacks. Input passed to the "informationID" and "ParentCategory" parameters in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


PoC:

/index.php?action=Information&informationID=[SQL]
/index.php?action=DisplayOverviewproduct&ParentCategory=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.
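To make the solution concrete, here is an added PHP sketch (not NZ Ecommerce's own code) that puts the unsafe pattern behind both findings beside a hardened index.php dispatcher: a whitelist plus HTML encoding for the reflected "action" value, and integer validation plus bound parameters for "informationID" / "ParentCategory". The table and column names, the SQLite DSN and the schema are constructed for the demo.

```php
<?php
// Added hardening sketch, not NZ Ecommerce's own code. Assumes index.php dispatches on
// $_GET['action'] and looks rows up by the integer keys informationID / ParentCategory;
// table and column names and the in-memory SQLite database are constructed for the demo.
declare(strict_types=1);
// Unsafe pattern behind both findings: request data dropped straight into HTML and SQL.
//   echo $_GET['action'];
//   $db->query("SELECT * FROM information WHERE informationID=" . $_GET['informationID']);
// Fix 1 (XSS): accept only known actions, and encode anything echoed back for its HTML context.
const ALLOWED_ACTIONS = ['Information', 'DisplayOverviewproduct'];

function resolveAction(?string $raw): string
{
    return in_array($raw, ALLOWED_ACTIONS, true) ? $raw : 'Information';
}

function safeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fix 2 (SQLi): validate identifiers (informationID, ParentCategory) as positive integers,
// then pass them as bound parameters so they can never alter the statement text.
function requireId(?string $raw): int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        http_response_code(400);
        exit('Invalid identifier');
    }
    return (int) $raw;
}

function fetchInformation(PDO $db, int $informationId): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM information WHERE informationID = :id');
    $stmt->execute([':id' => $informationId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Dispatcher. The SQLite schema below is constructed so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE information (informationID INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$action = resolveAction($_GET['action'] ?? null);
echo '<h1>', safeHtml($action), '</h1>';
if ($action === 'Information') {
    $row = fetchInformation($db, requireId($_GET['informationID'] ?? null));
    echo $row === null ? '<p>No such item.</p>' : '<p>' . safeHtml((string) $row['title']) . '</p>';
}
```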

5 Comments:

Anonymous told...

Nice one r0t, welcome back [again]

6:31 PM

 
DigitalBuilder told...

You have collected information about me, which it seems means that under the Privacy Act I am entitled to it.

1] When did you conduct this test?
2] Who or what told you to conduct this test?
3] Where did you find out about this website?

5:00 AM

 
DigitalBuilder told...

I would welcome you to show me that it could be used for harm, but do not cause harm, with a solution, and I will provide you with NZD$30.00 via direct debit or the equivalent in a money transfer.


I will also offer this to codescan.com

The first one which confirms it is entitled to the funds, and I will then attempt to resolve.

Creighton
Digital Builder

5:08 AM

 
Anonymous told...

Privacy Act, um yeah, the internet is a public domain.

As for your $30 offer, maybe you should double check your English. Not sure if you mean for us to show you how to fix the problem, or for us to show you how to exploit the problem.
To fix the problem would require access to the source code.

Congrats on writing codescan, even though it's something that can be done with grep and regular expressions.

5:52 AM

 
r0t told...

Me isn't back really :)
Creighton, I think that you have enough skilled coders to fix that.
And I don't think that somebody will do it for money, and if they will, it will not be for 30 NZD bucks.

r0t

2:49 PM

 


 
Copyright (c) 2006 Pridels Sec Crew