List: full-disclosure
Subject: [Full-disclosure] VaM Shop v1.69 - Multiple Web Vulnerabilities
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2012-10-30 19:05:45
Message-ID: 50902509.9040703 () vulnerability-lab ! com
Title:
======
VaM Shop v1.69 - Multiple Web Vulnerabilities
Date:
=====
2012-10-24
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=730
VL-ID:
=====
730
Common Vulnerability Scoring System:
====================================
8.1
Introduction:
=============
(Vendor Website: http://vamshop.ru/ )
Abstract:
=========
The Security Effect Research Team discovered multiple Web Vulnerabilities in the VaM Shop v1.69 web application cms.
Report-Timeline:
================
2012-10-24: Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
A laboratory researcher discovered a critical SQL injection vulnerability in the VaM Shop v1.69 web application content management system. The SQL vulnerability allows remote attackers to inject/execute their own SQL commands/statements on the affected VaM Shop v1.69 web application DBMS. The vulnerability is located in the shopping_cart.php file with the bound vulnerable products_id parameter request. The vulnerability can be exploited by remote attackers without required user interaction. Successful exploitation of the vulnerability results in web application DBMS and service compromise or stable application manipulation via SQL injection.
Vulnerable File(s):
[+] shopping_cart.php
Vulnerable Parameter(s):
[+] products_id
1.2
A laboratory researcher discovered a client-side cross-site scripting vulnerability in the VaM Shop v1.69 web application content management system. The vulnerability is located in the advanced_search_result.php file, when script code is loaded out of the search results web context. Successful exploitation results in session hijacking, non-persistent account phishing or client-side content manipulation.
Vulnerable File(s):
[+] advanced_search_result.php
Proof of Concept:
=================
1. Blind SQL injection in shopping_cart.php in parameter products_id[].
The SQL injection vulnerability can be exploited by remote attackers without a privileged application user account. For demonstration or reproduce ...
PoC: POST - SQL INJECTION
/shopping_cart.php
?action=update_product
cart_delete[]=2071&cart_quantity[]=1&old_qty[]=1&products_id[]=2071'[SQL INJECTION VULNERABILITY] and sleep(37)%3d%27
2. Multiple Cross Site Scripting
The client-side cross-site scripting vulnerabilities can be exploited by remote attackers with medium or high required user interaction. For demonstration or reproduce ...
PoC:
/advanced_search_result.php/o" onmouseover=prompt(document.cookie) //
/shopping_cart.php?action=update_product > cart_delete[]=o" onmouseover=prompt(document.cookie) //
Risk:
=====
1.
The security risk of the blind sql injection vulnerability is estimated as high(+).
2.
The security risk of the client side cross site scripting vulnerability is estimated as low(+).
Credits:
========
SECURITY EFFECT [Research Team] - (http://seceffect.tumblr.com/)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
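
Added example (not part of the advisory and not VaM Shop code): one way a PHP handler could defend the inputs described above, by accepting products_id[] and cart_quantity[] only as positive integers, binding them as query parameters, and encoding reflected values for an HTML attribute context. The cart table, the helper names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened input handling, not VaM Shop source.
// Table/column names and helper names are assumptions.

/** Return the array parameter as positive integers, or null if any element is not one. */
function int_list(array $post, string $key): ?array
{
    $raw = $post[$key] ?? [];
    if (!is_array($raw)) {
        return null;
    }
    $out = [];
    foreach ($raw as $v) {
        $id = is_string($v) ? filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) : false;
        if ($id === false) {
            return null; // any non-numeric suffix (quote, SQL keywords) rejects the whole request
        }
        $out[] = $id;
    }
    return $out;
}

/** Update quantities with bound parameters; request values never become SQL text. */
function update_cart(PDO $db, array $post): bool
{
    $ids = int_list($post, 'products_id');
    $qty = int_list($post, 'cart_quantity');
    if ($ids === null || $qty === null || count($ids) !== count($qty)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE cart SET quantity = :q WHERE products_id = :p');
    foreach ($ids as $i => $id) {
        $stmt->execute([':q' => $qty[$i], ':p' => $id]);
    }
    return true;
}

/** Encode a reflected value (path info, form field) for an HTML attribute context. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo data; in-memory SQLite stands in for the shop database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE cart (products_id INTEGER, quantity INTEGER)');
$db->exec('INSERT INTO cart VALUES (2071, 1)');
var_dump(update_cart($db, ['products_id' => ['2071'], 'cart_quantity' => ['3']]));
var_dump(update_cart($db, ['products_id' => ["2071' and sleep(37)='"], 'cart_quantity' => ['1']]));
echo attr('o" onmouseover=prompt(document.cookie) //'), "\n";
```

The first call updates the row, the second is refused before any query is prepared, and the last line prints the double quote as an entity so the value stays inside the attribute.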