‘Multiple Vulnerabilities in Comersus BackOffice Lite’

Summary

Comersus ASP shopping cart is ‘a set of ASP scripts creating an online shopping cart. It works on a database of your own choosing, default is Microsoft Access, and includes online administration tools’.

Multiple security vulnerabilities have been discovered in the product allowing an attacker: complete access over the product by accessing a specific page, to inject arbitrary SQL statements into the program’s existing SQL statements and to cause cross site scripting vulnerabilities.’

Credit:

‘The information has been provided by raf somers.’


Details

Vulnerable Systems:
 * Comersus BackOffice Lite version 6.0
 * Comersus BackOffice Lite version 6.01

Immune Systems:
 * Comersus BackOffice Lite version 6.02

Administrative Privileges Bypassing:
The /backofficelite/comersus_backoffice_install10.asp file is the last step in the installation sequence of the ASP web Cart. One doesn’t have to be a shopping cart administrator to execute this file. Besides setting the value of some variables, it also contains the following code:
        session(‘admin’)=1
registering the current session as having administrator rights on the shopping cart software.

Therefore, by running this script one gives oneself full right to all the scripts, including scripts to enter any SQL command, decrypt passwords, etc…

Workaround:
Deleting the file after installation process has been completed.

SQL Injection in Referer String:
If the option pIndexVisitsCounter is set to -1 (this is not done by default), the /store/default.asp script will add a line to the database:
         mySQL=’INSERT INTO visits (userIp, referrer, visitDate, visitTime, idStore)
         VALUES (”&pUserIp&”,”&pReferrer&”,”&pVisitDate&”,”&pVisitTime&”,’ &pIdStore& ‘)’

Interesting here is the pReferrer variable, which is loaded as follows:
        pReferrer = request.ServerVariables(‘HTTP_Referer’)

No further data validation is done on the MySQL string before it is send to the database for processing. This allows the attacker to create his own HTTP GET request and entering SQL code into the referer field, e.g.:
                GET /comersus/store/default.asp HTTP/1.1
                Referer: <SQLCODE HERE>

Workaround:
Disable visitor logging (pIndexVisitsCounter = 0).

Cross Site Scripting:
The following two files: comersus_supportError.asp and comersus_backofficelite_supportError.asp are prone to a cross site scripting vulnerability.

Example:
http://host/comersus/backofficelite/comersus_supportError.asp?error=<script>alert(‘hi%20mum’);</script>

Vendor response:
The vendor has issued an advisory that explains what vulnerable sites should do to redeem these vulnerabilities: http://www.comersus.org/forum/displayMessage.asp?mid=32753

Categories: Windows