Date          : February 9, 2002
Product       : MakeBid Auction Deluxe Version 3.30
Vendor        : USANet Creations
URL           : http://www.netcreations.addr.com/auctiondeluxe.html
Vulnerability : Cross site scripting vulnerability
                Insecure Cookie Usage
Risk          : High

Summary :

MakeBid Auction Deluxe is a commercial Perl CGI which allows web users to add items to an online auction. The following fields are not properly sanitized when placing a new item on auction:

+ City/State/Zip of new auction registrant
+ Title Description of new auction item
+ Item Description for new auction item

This allows an attacker to place an item on auction with potentially malicious code in the description fields, which is then executed when a user simply views the item.

MakeBid Auction Deluxe has the option of allowing the user to store their login credentials in a cookie. These credentials are stored in clear text.

In conjunction, these two vulnerabilities allow an attacker to steal the accounts of any auction participant that utilizes the "save login" option. An attacker can use the compromised account to place unauthorized bids, place items on auction as other users, and modify contact and payment information. This vulnerability also allows the attacker to gather personal information and partial credit card data from the affected accounts.

References : http://www.cert.org/advisories/CA-2000-02.html

Vendor Status :

Vendor has been contacted via email and a patch for the Cross site scripting vulnerability is available for registered users. Cookies are still stored in clear text.

Notes :

USANet Creations has three other products: Classified Ads, Shopping Mall, and Domain Name Auction, which were developed on the same code base. These products may also fall victim to the same vulnerabilities.

Recommendation :

Auction administrators should download the latest patch from USANet Creations. Auction users should avoid using the "Cookie Auto Login" feature.

Feedback : Send comments to blake@mc.net.
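
The two weaknesses described above each have a standard server-side fix, sketched here as an added example in Python. It is not the vendor's Perl code or patch. The field names, cookie name and `SessionStore` class are hypothetical. It entity-encodes the three listed fields at output time and replaces the clear-text login cookie with a random token that only the server can map to an account.

```python
import hashlib
import hmac
import html
import secrets

# Hypothetical names for the three fields the advisory lists.
USER_FIELDS = ("city_state_zip", "title", "description")

def render_item(item):
    """Return item HTML with every user-supplied field entity-encoded."""
    safe = {k: html.escape(item.get(k, ""), quote=True) for k in USER_FIELDS}
    return ('<h2>{title}</h2>\n'
            '<p class="location">{city_state_zip}</p>\n'
            '<div class="description">{description}</div>').format(**safe)

class SessionStore:
    """The cookie carries a random token; the login never leaves the server."""

    def __init__(self, key):
        self._key = key        # server-side secret (bytes)
        self._sessions = {}    # HMAC(token) -> username

    def _digest(self, token):
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = username
        # HttpOnly hides the cookie from page script; Secure restricts it to HTTPS.
        return "auction_session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % token

    def user_for(self, cookie_header):
        """Map a Cookie request header back to a username, or None."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "auction_session":
                return self._sessions.get(self._digest(value))
        return None

if __name__ == "__main__":
    # Constructed sample listing with markup in two fields.
    item = {"title": "Lamp <b>rare</b>", "city_state_zip": "Chicago, IL 60601",
            "description": "<script>alert(1)</script>"}
    print(render_item(item))
    store = SessionStore(secrets.token_bytes(32))
    print(store.issue_cookie("alice"))
```

With this layout a script injected through a missed field cannot read the session cookie, and a cookie that does leak contains no reusable password.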