TornadoStore 1.4.3 SQL Injection Vulnerability
Posted on 29 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>TornadoStore 1.4.3 SQL Injection Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================== TornadoStore 1.4.3 SQL Injection Vulnerability ============================================== 1. *Advisory Information* Title: Multiple SQL Injection in TornadoStore 1.4.3 Advisory ID: BONSAI-2010-0106 Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/tornadostore-multiple-sql-injection-0106.php Date published: 2010-06-29 Vendors contacted: TornadoStore Release mode: Coordinated release 2. *Vulnerability Information* Class: SQL Injection Remotely Exploitable: Yes Locally Exploitable: Yes CVE Name: CVE-2010-1327 3. *Software Description* TornadoStoreòÄâ is an ecommerce platform. The objective is to solve integrally the commercialization of products and services of companies using an online payment system. [0]. 4. *Vulnerability Description* SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. For additional information, please look at the references [1], [2] and [3]. 5. *Vulnerable packages* Version <= 1.4.3 6. *Non-vulnerable packages* TornadoStore developers informed us that all users should upgrade to the latest version of TornadoStore, which fixes this vulnerability. More information to be found here: http://www.tornadostore.com/ 7. *Credits* This vulnerability was discovered by Lucas Apa ( lucas -at- bonsai-sec.com ). 8. *Technical Description* 8.1 A SQL injection vulnerability was found in the abm_list.php script, more specifically in the 'where' variable. The vulnerability can be triggered by logging into TornadoStore Control Panel and browsing to: http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where=' 8.2 A Blind SQL injection vulnerability was found in the precios.php script, more specifically in the 'marca' variable. The vulnerability can be triggered by browsing to: http://www.example.com/precios.php3?marca=12' 9. *Report Timeline* - 2010-02-02: Vulnerabilities were identified. - 2010-02-08: Vendor confirmed these vulnerabilities. - 2010-02-16: Vendor contacted for an approximate fix release date. No specific answer given. - 2010-06-24: The vulnerability is still there. - 2010-06-29: The advisory BONSAI-2010-0106 is published. # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-29]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
