[ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell

From: the_day_at_echo.or.id (Dedi_at_securityfocus.com)
Date: 06/24/05

  • Next message: Thomas Biege: "SUSE Security Announcement: sudo (SUSE-SA:2005:036)" 
    Date: 24 Jun 2005 11:40:32 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is) ---------------------------------------------------------------------------
    [ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell
    ---------------------------------------------------------------------------

    Author: Dedi Dwianto
    Date: June, 24th 2005
    Location: Indonesia, Jakarta
    Web: http://echo.or.id/adv/adv21-theday-2005.txt

    ---------------------------------------------------------------------------

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Application : ActiveBuyAndSell
    version : 6.2
    URL : http://ActiveWebSoftwares.com
    Author : ActiveWebSoftwares
    Description :

    ActiveBuyAndSell is a Web-based application that connects people selling products
    and services with people looking to buy products and services. Uses MS SQL or
    Access database. Full ASp source code included.
            
    ---------------------------------------------------------------------------

    Vulnerabilities:
    ~~~~~~~~~~~~~~~~

    A. SQL Injection:
       
       * http://victim/ebuyandsell/default.asp?catid=[SQL inject]

       * http://victim/ebuyandsell/buyersend.asp?catid=[SQL inject]

       * http://victim/ebuyandsell/admin.asp
         In this pages vulnarable sql injection in form input
            
            POC :
                    Administrator ID :[SQL Inject]
                    Password :blank

            
       * http://victim/ebuyandsell/advertiserstart.asp

            POC :
                    E-mail Address :[SQL inject]
                    Password :blank

       * http://victim/ebuyandsell/buyer.asp

            POC :
                    E-mail :[SQL inject]
                    Password :blank

       * http://victim/ebuyandsell/search.asp

            POC :
                    Keyword :[SQL inject]

    B. Xss
      
       * http://victim/ebuyandsell/sendpassword.asp?Table=Buyer&Title=[XSS]&EmailFld=BEmail

            POC :

            http://victim/ebuyandsell/sendpassword.asp?Table=Buyer&Title=>alert('test')</script>&EmailFld=BEmail

      * http://victim/ebuyandsell/search.asp

            POC :
                    Keyword : <script>alert('dudul')</script>

       
    C. Fix

       Vendor allready contacted but still no response and i can't fix it because
       i can't view source code :lol

    ---------------------------------------------------------------------------

    Shoutz:
    ~~~~~~~

    ~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous
    ~ Lieur Euy , MSR
    ~ newbie_hacker@yahoogroups.com ,
    ~ #e-c-h-o@DALNET

    ---------------------------------------------------------------------------
    Contact:
    ~~~~~~~~

         the_day || echo|staff || the_day[at]echo[dot]or[dot]id
         Homepage: http://theday.echo.or.id/

    -------------------------------- [ EOF ] ----------------------------------

  • Next message: Thomas Biege: "SUSE Security Announcement: sudo (SUSE-SA:2005:036)"