[BONSAI] SQL Injection in CS-Cart

       Bonsai Information Security - Advisory
         http://www.bonsai-sec.com/research/

               SQL Injection in CS-Cart

1. Advisory Information

Title: SQL Injection in CS-Cart
Advisory ID: BONSAI-2009-0100
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/cs-cart_SQL-injection-0100.txt
Date published: 2009-08-04
Vendors contacted: CS-Cart
Release mode: Coordinated release

2. Vulnerability Information

Class: SQL Injection
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2009-2579

3. Software Description

CS-Cart is an "out of the box" ecommerce software solution with
easy-to-use functionality that
allows to start selling online immediately. Its feature set fits into
businesses of any size, from
a small single-product shop to a fully-featured online storefront [0].

4. Vulnerability Description

SQL injection is a code injection technique that exploits a security
vulnerability occurring in the
database layer of an application. The vulnerability is present when
user input is either
incorrectly filtered for string literal escape characters embedded in
SQL statements or user input
is not strongly typed and thereby unexpectedly executed.

For additional information, please look at references [1] and [2].

5. Vulnerable packages

Version <= 2.0.5

6. Non-vulnerable packages

CS-Cart developers informed us that all users should upgrade to the
latest version of CS-Cart,
(CS-Cart 2.0.6) which fixes this vulnerability. More information to be
found here:
http://kb2.simtech/how-to-upgrade

7. Credits

This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).

8. Technical Description

A SQL injection vulnerability was found in the reward_points.post.php
script, more specifically in
the $sort_order variable. The vulnerability can be triggered by
logging into CS-Cart and browsing to:

/index.php?dispatch=reward_points.userlog&result_ids=pagination_contents&sort_by=timestamp&sort_order='

Which will generate a syntax error in the database. The following is
the corresponding piece of code:

reward_points.post.php:69
$userlog = db_get_array("SELECT change_id, action, timestamp, amount,
reason FROM
?:reward_point_changes WHERE user_id = ?i
ORDER BY $sort_by $sort_order
$limit", $user_id);

More information about how to exploit this SQL injection vulnerability can be
found at Bonsai's blog [3]

9. Report Timeline

   • 2009-07-06:
     Bonsai notifies CS-Cart team of the vulnerability. Technical details
     are sent to the developers.

   • 2009-07-09:
     CS-Cart acknowledges and fixes vulnerability, setting release date of
     the upgrade to 15 July 2009.

   • 2009-08-04:
     The advisory BONSAI-2009-0100 is published.

10. References

[0] http://www.cs-cart.com/
[1] http://www.owasp.org/index.php/SQL_injection
[2] http://en.wikipedia.org/wiki/SQL_injection
[3] http://www.bonsai-sec.com/blog/

11. About Bonsai

Bonsai is a company involved in providing professional computer
information security services.
Currently a sound growth company, since its foundation in early 2009
in Buenos Aires, Argentina,
we are fully committed to quality service, and focused on our
customers’ real needs.

12. Disclaimer

The contents of this advisory are copyright (c) 2009 Bonsai
Information Security, and may be
distributed freely provided that no fee is charged for this
distribution and proper credit is
given.