Bonsai Information Security - Vulnerability Research

Multiple SQL Injection in TornadoStore 1.4.3



1. Advisory Information

Advisory ID: BONSAI-2010-0106
Date published: 2010-06-29
Vendors contacted: TornadoStore
Release mode: Coordinated release


2. Vulnerability Information

Class: Multiple Cross Site Scripting (XSS)
Remotely Exploitable: Yes
Locally Exploitable: YES
CVE Name: CVE-2010-1327


3. Software Description

TornadoStore™ is an ecommerce platform. The objective is to solve integrally the commercialization of products and services of companies using an online payment system. [0]


4. Vulnerability Description

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

For additional information, please look at the references [1], [2] and [3].


5. Vulnerable packages

TornadoStore:
    - Version <= 1.4.3

6. Non-vulnerable packages

TornadoStore developers did not fix this vulnerability. More information to be found here:

[0].



7. Credits

These vulnerabilities were discovered by Lucas Apa ( lucas -at- bonsai-sec.com ).


8. Technical Description

8.1 A SQL injection vulnerability was found in the abm_list.php script, more specifically in the 'where' variable. The vulnerability can be triggered by logging into TornadoStore Control Panel and browsing to:


http://www.example.com/control/abm_list.php3?db=ts_143&tabla=delivery_courier&tabla_det=delivery_costo&order=&ordor=&tit=&transporte=&ira=&pagina=1&det_order=nDeCSer&det_ordor=asc&txtBuscar=&vars=&where='

8.2 A Blind SQL injection vulnerability was found in the precios.php script, more specifically in the 'marca' variable. The vulnerability can be triggered by browsing to:

http://www.example.com/precios.php3?marca=12'

9. Report Timeline

  1. 2010-02-02:
  2. Vulnerabilities were identified.

  3. 2010-02-08:
  4. Vendor confirmed these vulnerabilities.

  5. 2010-02-16:
  6. Vendor contacted for an approximate fix release date. No specific answer given.

  7. 2010-03-10:
  8. Vendor contacted for an approximate fix release date. No specific answer given

  9. 2010-06-24:
  10. The vulnerability is still there.

  11. 2010-06-29:
  12. The advisory BONSAI-2010-0106 is published.


10. References

[0] http://www.tornadostore.com

[1] http://www.owasp.org/index.php/Cross_site_scripting

[2] http://www.bonsai-sec.com/research/


11. About Bonsai

Bonsai is a company involved in providing professional computer information security services. Currently a sound growth company, since its foundation in early 2009 in Buenos Aires, Argentina, we are fully committed to quality service, and focused on our customers real needs.


12. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information Security, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.