WeBid contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the validate.php script not properly sanitizing user-supplied input to the 'cart_order_id' and 'total' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Proof of Concept:
validate.php?toocheckout=asdf calls the toocheckout_validate() function
toocheckout_validate() takes unsanitized POST input from two different parameters (total and cart_order_id)
toocheckout_validate() calls callback_process() if the POST parameter credit_card_processed is equal to 'Y'
The unsanitized parameters are used in an UPDATE query:
$query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount . $addquery . " WHERE id = " . $custom_id;
This allows an attacker to retrieve data using a time-based blind injection technique or by updating a pre-existing value to the output of an embedded
For example, the attacker could send the following POST data to extract the name of the current database.
http://site.com/validate.php?toocheckout=asdf
POST DATA: cart_order_id=*Attackers UserID*WEBID1&credit_card_processed=Y&total=1, name=(SELECT database())
The resulting query would be:
UPDATE users SET balance = balance + 1, name=(SELECT database()) WHERE id = *Attackers User ID*
Then the attacker could sign in to their account and view the requested data by going to the edit_data.php page.
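The fix for this class of bug is to validate both parameters as the numeric values they are supposed to be and to bind them through placeholders instead of concatenating them into the UPDATE. The following is an added example, not WeBid's own code: it models the balance update in Python with sqlite3 standing in for MySQL, and it assumes (as the advisory's "*UserID*WEBID1" suggests) that cart_order_id is the numeric user id followed by a fixed suffix.

```python
import re
import sqlite3

# Assumed layout (not WeBid's actual format): "<numeric user id>" + ORDER_SUFFIX.
ORDER_SUFFIX = "WEBID1"
_AMOUNT_RE = re.compile(r"\d{1,10}(\.\d{1,2})?")


def parse_amount(total: str) -> float:
    """Accept only a plain decimal amount. A value such as
    '1, name=(SELECT database())' is rejected before any SQL is built."""
    if not _AMOUNT_RE.fullmatch(total):
        raise ValueError("invalid total")
    return float(total)


def parse_user_id(cart_order_id: str) -> int:
    """Accept only '<digits>' + ORDER_SUFFIX and return the integer id."""
    m = re.fullmatch(r"(\d{1,10})" + re.escape(ORDER_SUFFIX), cart_order_id)
    if not m:
        raise ValueError("invalid cart_order_id")
    return int(m.group(1))


def credit_balance(conn: sqlite3.Connection, total: str, cart_order_id: str) -> int:
    """Hardened replacement for the concatenated UPDATE: values are typed
    first and then bound via placeholders, so they can never become SQL."""
    amount = parse_amount(total)
    user_id = parse_user_id(cart_order_id)
    cur = conn.execute("UPDATE users SET balance = balance + ? WHERE id = ?",
                       (amount, user_id))
    conn.commit()
    return cur.rowcount  # number of rows credited (0 if the id does not exist)


def rejects(total: str, cart_order_id: str) -> bool:
    """True if the validation layer refuses this parameter pair."""
    try:
        parse_amount(total)
        parse_user_id(cart_order_id)
    except ValueError:
        return True
    return False


def make_test_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance REAL)")
    conn.execute("INSERT INTO users VALUES (7, 'alice', 10.0)")
    return conn


def balance_of(conn: sqlite3.Connection, user_id: int) -> float:
    return conn.execute("SELECT balance FROM users WHERE id = ?", (user_id,)).fetchone()[0]
```

With this in place the advisory's payload never reaches the database: `rejects("1, name=(SELECT database())", "7WEBID1")` is True, while a legitimate `credit_balance(db, "1.50", "7WEBID1")` credits exactly 1.50 to user 7.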
Disclosure Timeline:
Disclosure Date: 2013-01-09
Vendor Solution Date: 2013-01-09