geoauctionsSQL.txt

2006-07-20T00:00:00
ID PACKETSTORM:48393
Type packetstorm
Reporter LBDT
Modified 2006-07-20T00:00:00

Description

                                        
                                            `------=_Part_10286_255599.1153211407989  
Content-Type: text/plain; charset=ISO-8859-1; format=flowed  
Content-Transfer-Encoding: 7bit  
Content-Disposition: inline  
  
Be kind to publish it quickly,  
  
Regards,  
  
Angel Team  
  
[NewAngels Advisory #12] GeoAuctions Enterprise & Others - Blind SQL  
Injection Vulnerability  
============================================================================================  
  
Vendor => http://www.geodesicsolutions.com/  
  
Date:  
Jul 15 2006  
  
Risk = HIGH  
  
Version:  
1.0.6  
  
Credit:  
=======  
NewAngels Team (newangels-team.eu) - Discovered By LBDT  
  
Description:  
GeoAuctions Enterprise is our flagship auctions software product. Html  
template based, endless auctions, Standard auctions,  
Dutch auctions, Feedback rating system, Fees before and after the auction,  
Buy Now, Site Balance system, Invoicing system,  
and much, much, more... This auction software is designed for the serious  
auction site owner.  
  
Affected file:  
index.php  
  
Blind SQL Injection in "d" parameter. If there're no acumulative feedbacks  
sql injection won't be possible...  
  
Part of /classes/browse_display_auction.php:  
  
$this->sql_query = "select * from ".$this->user_groups_price_plans_table."  
where id = ".$show->SELLER;  
$seller_group_result = $db->Execute($this->sql_query);  
.  
.  
.  
.  
$template = str_replace("<<FEEDBACK_LINK>>",  
"<a  
href=".$this->configuration_data->AUCTIONS_FILE_NAME."?a=1030&b=".$id."&d=".$show->SELLER.  
"  
class=display_auction_value>".stripslashes(urldecode($this->messages[102717]))."</a>",$template);  
  
Example:  
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~  
  
If it says "There are no current feedbacks" injection doesn't exist... But  
if there're feedbacks:  
  
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]  
  
Google search -> inurl:"index.php?a=1002"  
  
I also have seen the same one in other company softwares but with other  
parameters, eg:  
  
Soft -> GeoAuctions Premier v2.0.3 & GeoClassifieds Basic Version v2.0.3  
  
http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]  
  
Google search -> inurl:"index.php?a=2"  
  
I think that the vendor must check out all his packs. because the most of  
'em have this vuln.  
  
------=_Part_10286_255599.1153211407989  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: 7bit  
Content-Disposition: inline  
  
Be kind to publish it quickly,<br><br>Regards,<br><br>Angel Team<br><br>[NewAngels Advisory #12] GeoAuctions Enterprise & Others - Blind SQL Injection Vulnerability<br>============================================================================================  
<br><br>Vendor => <a href="http://www.geodesicsolutions.com/">http://www.geodesicsolutions.com/</a><br><br>Date:<br>Jul 15 2006<br><br>Risk = HIGH<br><br>Version:<br>1.0.6<br><br>Credit:<br>=======<br>NewAngels Team (newangels-team.eu  
) - Discovered By LBDT<br><br>Description:<br>GeoAuctions Enterprise is our flagship auctions software product. Html template based, endless auctions, Standard auctions, <br>Dutch auctions, Feedback rating system, Fees before and after the auction, Buy Now, Site Balance system, Invoicing system,   
<br>and much, much, more... This auction software is designed for the serious auction site owner.<br><br>Affected file:<br>index.php<br><br>Blind SQL Injection in "d" parameter. If there're no acumulative feedbacks sql injection won't be possible...  
<br><br>Part of /classes/browse_display_auction.php:<br><br>$this->sql_query = "select * from ".$this->user_groups_price_plans_table." where id = ".$show->SELLER;<br>$seller_group_result = $db->Execute($this->sql_query);  
<br>.<br>.<br>.<br>.<br>$template = str_replace("<<FEEDBACK_LINK>>",<br>"<a href=".$this->configuration_data->AUCTIONS_FILE_NAME."?a=1030&b=".$id."&d=".$show->SELLER.  
<br>" class=display_auction_value>".stripslashes(urldecode($this->messages[102717]))."</a>",$template);<br><br>Example:<br><a href="http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~">  
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=~SELLER~</a><br><br>If it says "There are no current feedbacks" injection doesn't exist... But if there're feedbacks:<br><br><a href="http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]">  
http://www.site.com/GeoAuctionsEnterprise/index.php?a=1030&b=~ID_NUMBER~&d=[SQL]</a><br><br>Google search -> inurl:"index.php?a=1002"<br><br>I also have seen the same one in other company softwares but with other parameters, eg:  
<br><br>Soft -> GeoAuctions Premier v2.0.3 & GeoClassifieds Basic Version v2.0.3<br><br><a href="http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]">http://www.site.com/GeoAuctions/index.php?a=2&b=[SQL]</a>  
<br><br>Google search -> inurl:"index.php?a=2"<br><br>I think that the vendor must check out all his packs. because the most of 'em have this vuln.<br>  
  
------=_Part_10286_255599.1153211407989--  
`