Account theft vulnerability in MakeBid Auction Deluxe 3.30

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Date          :  February 9, 2002
Product       :  MakeBid Auction Deluxe Version 3.30
Vendor        :  USANet Creations
URL           :  http://www.netcreations.addr.com/auctiondeluxe.html
Vulnerability :  Cross site scripting vulnerability
                 Insecure Cookie Usage

Risk          :  High

Summary       :  MakeBid Auction Deluxe is a commercial PERL CGI which
                 allows web users to add items to an online auction.  The
                 following fields are not properly sanatized when placing
		 a new item on auction:

			+ City/State/Zip of new auction registrant
			+ Title Descripton of new auction item
			+ Item Description for new auction item

		 This allows an attacker to place an item on auction with
		 potentially malicious code in the description fields.
		 Thus, being executed by simply viewing the item.  
		 
		 MakeBid Auction Deluxe has the option of allowing the 
		 user to store their login credentials in a cookie.   
		 These credentials are stored in clear text.

		 In conjunction these two vulnerabilities allow an
		 attacker to steal the accounts of any auction
         	 participant that utilizes the "save login" option.
		 An attacker can use the compromised account to place
		 unauthorized bids, place items on auction as other
		 users, and modify contact and payment information. 
		 This vulnerability also allows the attacker to
		 gather personal information and partial credit card data
		 from the affected accounts.

References    :  http://www.cert.org/advisories/CA-2000-02.html

Vendor Status :  Vendor has been contacted via email and a patch for the
		 Cross site scripting vulnerability is available for 
		 registered users.  Cookies are still stored in clean
		 text.

Notes         :  USANet Creations has three other products; Classified
                 Ads, Shopping Mall, and Domain Name Auction which were
		 developed on the same code base.  These products may also
		 fall victim to the same vulnerabilities.

Recommendation:  Auction administrators should download latest patch from 
		 USANet Creations.  Auction users should avoid using the 
		 "Cookie Auto Login" feature.

Feedback      :  Send comments to blake@mc.net.







[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux