------=_Part_10286_255599.1153211407989
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Be kind to publish it quickly,

Regards,

Angel Team

[NewAngels Advisory #12] GeoAuctions Enterprise & Others - Blind SQL
Injection Vulnerability
============================================================================================

Vendor => http://www.geodesicsolutions.com/

Date:
Jul 15 2006

Risk = HIGH

Version:
1.0.6

Credit:
=======
NewAngels Team (newangels-team.eu) - Discovered By LBDT

Description:
GeoAuctions Enterprise is our flagship auctions software product. Html
template based, endless auctions, Standard auctions,
Dutch auctions, Feedback rating system, Fees before and after the auction,
Buy Now, Site Balance system, Invoicing system,
and much, much, more... This auction software is designed for the serious
auction site owner.

Affected file:
index.php

Blind SQL Injection in "d" parameter. If there're no acumulative feedbacks
sql injection won't be possible...

Part of /classes/browse_display_auction.php:

$this->sql_query = "select * from ".$this->user_groups_price_plans_table."
where id = ".$show->SELLER;
$seller_group_result = $db->Execute($this->sql_query);
.
.
.
.
$template = str_replace("<<FEEDBACK_LINK>>",
"<a
href=".$this->configuration_data->AUCTIONS_FILE_NAME."?a=1030&b=".$id."&d=".$show->SELLER.
"
class=display_auction_value>".stripslashes(urldecode($this->messages[102717]))."</a>",$template);

Example:
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~

If it says "There are no current feedbacks" injection doesn't exist... But
if there're feedbacks:

http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]

Google search -> inurl:"index.php?a=1002"

I also have seen the same one in other company softwares but with other
parameters, eg:

Soft -> GeoAuctions Premier v2.0.3 & GeoClassifieds Basic Version v2.0.3

http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]

Google search -> inurl:"index.php?a=2"

I think that the vendor must check out all his packs. because the most of
'em have this vuln.

------=_Part_10286_255599.1153211407989
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Be kind to publish it quickly,<br><br>Regards,<br><br>Angel Team<br><br>[NewAngels Advisory #12] GeoAuctions Enterprise &amp; Others - Blind SQL Injection Vulnerability<br>============================================================================================
<br><br>Vendor =&gt; <a href="http://www.geodesicsolutions.com/">http://www.geodesicsolutions.com/</a><br><br>Date:<br>Jul 15 2006<br><br>Risk = HIGH<br><br>Version:<br>1.0.6<br><br>Credit:<br>=======<br>NewAngels Team (newangels-team.eu
) - Discovered By LBDT<br><br>Description:<br>GeoAuctions Enterprise is our flagship auctions software product. Html template based, endless auctions, Standard auctions, <br>Dutch auctions, Feedback rating system, Fees before and after the auction, Buy Now, Site Balance system, Invoicing system, 
<br>and much, much, more... This auction software is designed for the serious auction site owner.<br><br>Affected file:<br>index.php<br><br>Blind SQL Injection in &quot;d&quot; parameter. If there're no acumulative feedbacks sql injection won't be possible...
<br><br>Part of /classes/browse_display_auction.php:<br><br>$this-&gt;sql_query = &quot;select * from &quot;.$this-&gt;user_groups_price_plans_table.&quot; where id = &quot;.$show-&gt;SELLER;<br>$seller_group_result = $db-&gt;Execute($this-&gt;sql_query);
<br>.<br>.<br>.<br>.<br>$template = str_replace(&quot;&lt;&lt;FEEDBACK_LINK&gt;&gt;&quot;,<br>&quot;&lt;a href=&quot;.$this-&gt;configuration_data-&gt;AUCTIONS_FILE_NAME.&quot;?a=1030&amp;b=&quot;.$id.&quot;&amp;d=&quot;.$show-&gt;SELLER.
<br>&quot; class=display_auction_value&gt;&quot;.stripslashes(urldecode($this-&gt;messages[102717])).&quot;&lt;/a&gt;&quot;,$template);<br><br>Example:<br><a href="http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&amp;b=~ID_NUMBER~&amp;d=~SELLER~">
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&amp;b=~ID_NUMBER~&amp;d=~SELLER~</a><br><br>If it says &quot;There are no current feedbacks&quot; injection doesn't exist... But if there're feedbacks:<br><br><a href="http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&amp;b=~ID_NUMBER~&amp;d=[SQL]">
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&amp;b=~ID_NUMBER~&amp;d=[SQL]</a><br><br>Google search -&gt; inurl:&quot;index.php?a=1002&quot;<br><br>I also have seen the same one in other company softwares but with other parameters, eg:
<br><br>Soft -&gt; GeoAuctions Premier v2.0.3 &amp; GeoClassifieds Basic Version v2.0.3<br><br><a href="http://www.site.com/GeoAuctions/index.php?a=2&amp;b=[SQL]">http://www.site.com/GeoAuctions/index.php?a=2&amp;b=[SQL]</a>
<br><br>Google search -&gt; inurl:&quot;index.php?a=2&quot;<br><br>I think that the vendor must check out all his packs. because the most of 'em have this vuln.<br>

------=_Part_10286_255599.1153211407989--