GeoAuctions Premier version 2.0.3 and GeoClassifieds Basic version 2.0.3 suffer from blind SQL injection flaws.
c76935fa4653ae91652bb2c25d7cb4ec847848088a52129dc8030e9f35f32c57
------=_Part_10286_255599.1153211407989
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Be kind to publish it quickly,
Regards,
Angel Team
[NewAngels Advisory #12] GeoAuctions Enterprise & Others - Blind SQL
Injection Vulnerability
============================================================================================
Vendor => http://www.geodesicsolutions.com/
Date:
Jul 15 2006
Risk = HIGH
Version:
1.0.6
Credit:
=======
NewAngels Team (newangels-team.eu) - Discovered By LBDT
Description:
GeoAuctions Enterprise is our flagship auctions software product. Html
template based, endless auctions, Standard auctions,
Dutch auctions, Feedback rating system, Fees before and after the auction,
Buy Now, Site Balance system, Invoicing system,
and much, much, more... This auction software is designed for the serious
auction site owner.
Affected file:
index.php
Blind SQL Injection in "d" parameter. If there're no acumulative feedbacks
sql injection won't be possible...
Part of /classes/browse_display_auction.php:
$this->sql_query = "select * from ".$this->user_groups_price_plans_table."
where id = ".$show->SELLER;
$seller_group_result = $db->Execute($this->sql_query);
.
.
.
.
$template = str_replace("<<FEEDBACK_LINK>>",
"<a
href=".$this->configuration_data->AUCTIONS_FILE_NAME."?a=1030&b=".$id."&d=".$show->SELLER.
"
class=display_auction_value>".stripslashes(urldecode($this->messages[102717]))."</a>",$template);
Example:
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~
If it says "There are no current feedbacks" injection doesn't exist... But
if there're feedbacks:
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]
Google search -> inurl:"index.php?a=1002"
I also have seen the same one in other company softwares but with other
parameters, eg:
Soft -> GeoAuctions Premier v2.0.3 & GeoClassifieds Basic Version v2.0.3
http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]
Google search -> inurl:"index.php?a=2"
I think that the vendor must check out all his packs. because the most of
'em have this vuln.
------=_Part_10286_255599.1153211407989
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Be kind to publish it quickly,<br><br>Regards,<br><br>Angel Team<br><br>[NewAngels Advisory #12] GeoAuctions Enterprise & Others - Blind SQL Injection Vulnerability<br>============================================================================================
<br><br>Vendor => <a href="http://www.geodesicsolutions.com/">http://www.geodesicsolutions.com/</a><br><br>Date:<br>Jul 15 2006<br><br>Risk = HIGH<br><br>Version:<br>1.0.6<br><br>Credit:<br>=======<br>NewAngels Team (newangels-team.eu
) - Discovered By LBDT<br><br>Description:<br>GeoAuctions Enterprise is our flagship auctions software product. Html template based, endless auctions, Standard auctions, <br>Dutch auctions, Feedback rating system, Fees before and after the auction, Buy Now, Site Balance system, Invoicing system,
<br>and much, much, more... This auction software is designed for the serious auction site owner.<br><br>Affected file:<br>index.php<br><br>Blind SQL Injection in "d" parameter. If there're no acumulative feedbacks sql injection won't be possible...
<br><br>Part of /classes/browse_display_auction.php:<br><br>$this->sql_query = "select * from ".$this->user_groups_price_plans_table." where id = ".$show->SELLER;<br>$seller_group_result = $db->Execute($this->sql_query);
<br>.<br>.<br>.<br>.<br>$template = str_replace("<<FEEDBACK_LINK>>",<br>"<a href=".$this->configuration_data->AUCTIONS_FILE_NAME."?a=1030&b=".$id."&d=".$show->SELLER.
<br>" class=display_auction_value>".stripslashes(urldecode($this->messages[102717]))."</a>",$template);<br><br>Example:<br><a href="http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~">
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~</a><br><br>If it says "There are no current feedbacks" injection doesn't exist... But if there're feedbacks:<br><br><a href="http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]">
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]</a><br><br>Google search -> inurl:"index.php?a=1002"<br><br>I also have seen the same one in other company softwares but with other parameters, eg:
<br><br>Soft -> GeoAuctions Premier v2.0.3 & GeoClassifieds Basic Version v2.0.3<br><br><a href="http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]">http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]</a>
<br><br>Google search -> inurl:"index.php?a=2"<br><br>I think that the vendor must check out all his packs. because the most of 'em have this vuln.<br>
------=_Part_10286_255599.1153211407989--