EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-5-17 23:45

[Repost] MetaCart e-Shop Multiple Script Injection Vulnerabilities

Source: [url]www.securiteam.com[/url]

Summary
MetaCart e-Shop is a "shopping cart application for small businesses and support MSSQL, MS Access and MySQL". The MetaCart e-Shop product has been found to contain multiple vulnerabilities ranging from cross site scripting to SQL injection attacks.

Credit:
The information has been provided by dedi dwianto.
The original article can be found at: [url]http://echo.or.id/adv/adv13-theday-2005.txt[/url]

Details
Cross-Site Scripting (XSS)
By issuing a URL such as the following:
http://[url]/mcartlite/productsByCategory.asp?intCatalogID=1&strCatalog_NAME=<script>alert('test')</script>
An attacker can cause the remote host to include arbitrary HTML and/or JavaScript.

Vulnerable code in productsByCategory.asp:
strCatalog_name = Request.QueryString("strCatalog_NAME")
...
...
strParam = Response.Write (rsCatalog("catalogID")) &strCatalog_NAME=Response.Write
(Server.URLEncode(rsCatalog("catalogName"))) &rsCatalog("catalogName")

SQL Injection
By issuing any of the following URLs:
http://[url]/mcartlite/productsByCategory.asp?strSubCatalogID=2' (SQL injection)
http://[url]/mcartlite/product.asp?intProdID=1' (SQL injection)
An attacker can cause the remote host to include arbitrary SQL statements into the product's existing SQL statements.

Vulnerable code in productsByCategory.asp:
intCatalogID = Request.QueryString("intCatalogID")
...
...
' Build SQL String using the parameters
strSQL = "SELECT productID,productName,productPrice FROM products WHERE catalogID = '"&strParam&"'"

Vulnerable code in product.asp:
intProdID = Request.QueryString("intProdID")
...
...
Set rsProdInfo = Conn.Execute("SELECT * FROM " & _
"products where productID="&intProdID)
if rsProdInfo.EOF then
Response.Write "Product Number " & intProdID & _
" does not exist."

Solution:
For productsByCategory.asp do the following:
* Find:
intCatalogID = Request.QueryString("intCatalogID")
After it add:
intCatalogID = Replace(intCatalogID,"'","")

* Find:
strCatalog_name = Request.QueryString("strCatalog_NAME")
After it add:
strCatalog_name = Replace(strCatalog_NAME,"<","")

For product.asp do the following:
* Find:
intProdID = Request.QueryString("intProdID")
After it add:
intProdID = Replace(intProdID,"'","")
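As an added example (not from the advisory or from MetaCart, and written in Python with an in-memory sqlite3 table standing in for the ASP/ADO code), the following shows why the advisory's Replace(...,"'","") workaround is not sufficient for product.asp, where intProdID is concatenated into an unquoted numeric comparison, and contrasts it with an integer check plus a bound parameter. The table contents and helper names are constructed for the demonstration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the MetaCart 'products' table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (productID INTEGER, productName TEXT, productPrice REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 4.50)])
    return conn


def advisory_fix(value: str) -> str:
    """Mirrors the advisory's Replace(intProdID, "'", ""): only apostrophes are stripped."""
    return value.replace("'", "")


def product_lookup_concat(conn: sqlite3.Connection, int_prod_id: str) -> list:
    """product.asp style: the parameter is glued into an unquoted numeric comparison."""
    sql = "SELECT * FROM products WHERE productID=" + int_prod_id
    return conn.execute(sql).fetchall()


def product_lookup_safe(conn: sqlite3.Connection, int_prod_id: str) -> list:
    """Hardened form: reject anything that is not a plain integer, then bind it."""
    if not re.fullmatch(r"[0-9]{1,9}", int_prod_id.strip()):
        raise ValueError("intProdID must be a positive integer")
    return conn.execute("SELECT * FROM products WHERE productID=?",
                        (int(int_prod_id),)).fetchall()


def compare(user_input: str) -> dict:
    """Run one intProdID value through the advisory's fix and through the hardened lookup."""
    conn = make_db()
    result = {"stripped": advisory_fix(user_input)}
    try:
        # The advisory's fix followed by the original string concatenation.
        result["concat_rows"] = len(product_lookup_concat(conn, advisory_fix(user_input)))
    except sqlite3.Error as exc:
        result["concat_rows"] = "error: " + exc.__class__.__name__
    try:
        result["safe_rows"] = len(product_lookup_safe(conn, user_input))
    except ValueError:
        result["safe_rows"] = "rejected"
    return result


if __name__ == "__main__":
    for sample in ("1", "1'", "1 OR 1=1"):
        print(repr(sample), compare(sample))
```

The quote-stripping workaround neutralises the advisory's `1'` probe but leaves the unquoted comparison open to any quote-free input, while the integer check rejects both and the bound parameter never reaches the SQL parser as text.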

© 1999-2008 EvilOctal Security Team