QuickPayPro™ 3.1 Multiple vulnerabilities
Vulnerabilities discovered by: r0t
Date: 14 Dec. 2005
Original advisory: http://pridels.blogspot.com/2005/12/quickpaypro-31-multiple-vuln.html
Vendor: http://quickpaypro.com/
Affected version: 3.1 and prior
Product Description:
QuickPayPro.com has been Online for over 3 years now, and the tools we
provide you have been refined over the last 4 & 1/2 years! We're a
member of the Better Business Bureau and the BBBOnline Reliability
Program.
We've spent over $400,000 in development and have successfully
processed nearly $9,000,000 in live sales! It's been refined by over
5,000 users and manages over 90,000 Affiliates & 2.5 Million
Subscribers. And the entire system is tested daily by Hacker Safe.
Needless to say: This QuickPayPro is a well-oiled machine.
QuickPayPro™ contains a flaw that allows remote SQL injection
attacks. Input passed to the "popupid", "so", "sb", "nr", "subtrackingid",
"delete", "trackingid" and "customerid" parameters isn't properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
QuickPayPro™ contains a flaw that allows remote cross-site scripting
attacks. This flaw exists because input passed to multiple form field
parameters in scripts such as "/communication/subscribers.tracking.add.php",
"/support/tickets.add.php" and "/mycompany/categories.php" isn't properly
sanitised before being returned to the user.
This could allow an attacker to create a specially crafted URL that would
execute arbitrary script code in a user's browser within the trust
relationship between the browser and the server, leading to a loss of
integrity.
Examples:
/communication/popups.edit.php?popupid=[SQL]
/communication/customer.tickets.view.php?so=[SQL]
/communication/customer.tickets.view.php?so=ASC&sb=[SQL]
/communication/customer.tickets.view.php?so=ASC&sb=Status&nr=[SQL]
/communication/subscribers.tracking.edit.php?subtrackingid=[SQL]
/settings/design.php?delete=[SQL]
/tools/tracking.details.php?trackingid=1[SQL]
/mycompany/sales.view.php?customerid=1[SQL]
Solution:
Edit the source code to ensure that input is properly sanitised.
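As an added illustration of what "properly sanitised" means for the parameter types named above, the following PHP handler is example code written for this page; it is not QuickPayPro's code and not part of the original advisory. It assumes a MySQL table named tickets with the columns used below, and treats the parameter names from the advisory ("customerid", "sb", "so", "nr") as a customer-ticket listing and a form field echoed back to the user. The point it makes beyond the advisory text is that a sort column ("sb") and sort order ("so") cannot be passed as prepared-statement parameters, so they need a fixed whitelist, while numeric ids are validated and bound, and anything reflected into HTML is encoded on output.

```php
<?php
// Added example for this advisory, not vendor code. Table and column names
// (tickets, id, subject, status, customerid, Status/Subject/Created) are assumptions.
declare(strict_types=1);

// Before: the pattern the advisory describes, parameters concatenated straight
// into the statement. Shown only for contrast with the hardened version.
function buildVulnerableQuery(array $get): string
{
    return "SELECT * FROM tickets ORDER BY {$get['sb']} {$get['so']} LIMIT {$get['nr']}";
}

// After: every parameter is checked against what the page actually accepts.

// Identifiers (column names, ASC/DESC) cannot be bound with placeholders,
// so they are matched against a whitelist and otherwise replaced by a default.
const SORT_COLUMNS = ['Status', 'Subject', 'Created']; // assumed column names
const SORT_ORDERS  = ['ASC', 'DESC'];

function sortColumn(?string $sb): string
{
    return in_array($sb, SORT_COLUMNS, true) ? $sb : 'Created';
}

function sortOrder(?string $so): string
{
    $u = strtoupper((string) $so);
    return in_array($u, SORT_ORDERS, true) ? $u : 'ASC';
}

// Numeric ids: FILTER_VALIDATE_INT rejects anything that is not a plain integer
// (instead of silently truncating it the way (int) casting would).
function positiveInt(?string $v, int $default): int
{
    $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? $default : $n;
}

function fetchTickets(PDO $db, array $get): array
{
    // The row limit is validated to an int and formatted with %d; the id is bound.
    $sql = sprintf(
        'SELECT id, subject, status FROM tickets WHERE customerid = :cid ORDER BY %s %s LIMIT %d',
        sortColumn($get['sb'] ?? null),
        sortOrder($get['so'] ?? null),
        positiveInt($get['nr'] ?? null, 25)
    );
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':cid', positiveInt($get['customerid'] ?? null, 0), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Cross-site scripting side: a submitted value that is reflected back into a
// form (as in the tracking.add / tickets.add pages) is HTML-encoded on output.
function renderField(string $name, ?string $value): string
{
    $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s">', $name, $safe);
}

// Usage (assumes a configured PDO connection in $db):
// $rows = fetchTickets($db, $_GET);
// echo renderField('subject', $_POST['subject'] ?? null);
```

Validation happens per parameter and per expected type: whitelist for identifiers, integer validation for ids and row counts, placeholders for data values, and output encoding for anything that is echoed back. Escaping a string before concatenating it into ORDER BY would not have helped here, since the injection point in "sb" and "so" is not inside a quoted string.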