From: Blake Frantz (blakemc.net)
Date: Sat Feb 09 2002 - 11:02:36 CST

    Date : February 9, 2002
    Product : MakeBid Auction Deluxe Version 3.30
    Vendor : USANet Creations
    URL : http://www.netcreations.addr.com/auctiondeluxe.html
    Vulnerability : Cross site scripting vulnerability
                     Insecure Cookie Usage

    Risk : High

    Summary : MakeBid Auction Deluxe is a commercial Perl CGI which
                     allows web users to add items to an online auction. The
                     following fields are not properly sanitized when placing
                     a new item on auction:

                            + City/State/Zip of new auction registrant
                            + Title Description of new auction item
                            + Item Description for new auction item

                     This allows an attacker to place an item on auction with
                     potentially malicious code in the description fields,
                     which is then executed when a user simply views the item.
                     
                     MakeBid Auction Deluxe has the option of allowing the
                     user to store their login credentials in a cookie.
                     These credentials are stored in clear text.

                     In conjunction, these two vulnerabilities allow an
                     attacker to steal the accounts of any auction
                     participant that utilizes the "save login" option.
                     An attacker can use the compromised account to place
                     unauthorized bids, place items on auction as other
                     users, and modify contact and payment information.
                     This vulnerability also allows the attacker to
                     gather personal information and partial credit card data
                     from the affected accounts.

    References : http://www.cert.org/advisories/CA-2000-02.html

    Vendor Status : Vendor has been contacted via email and a patch for the
                     Cross site scripting vulnerability is available for
                     registered users. Cookies are still stored in clear
                     text.

    Notes : USANet Creations has three other products; Classified
                     Ads, Shopping Mall, and Domain Name Auction which were
                     developed on the same code base. These products may also
                     fall victim to the same vulnerabilities.

    Recommendation: Auction administrators should download the latest patch
                     from USANet Creations. Auction users should avoid using
                     the "Cookie Auto Login" feature.

    Feedback : Send comments to blakemc.net.
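
The two fixes the advisory calls for, sketched as an added example (not part of the original advisory and not USANet Creations code; written in Python rather than the product's Perl): escape the three listed fields on output, and have "save login" store an opaque server-side token instead of credentials. The field names, cookie name and in-memory session table are assumptions made for illustration.

```python
import hashlib
import html
import secrets

# Hypothetical field names for the three inputs the advisory lists.
LISTING_FIELDS = ("city_state_zip", "title", "description")

# Stand-in for a server-side session table: sha256(token) -> username.
SESSIONS = {}


def render_listing(item):
    """Return the item fragment with every user-supplied field HTML-escaped."""
    safe = {f: html.escape(str(item.get(f, "")), quote=True) for f in LISTING_FIELDS}
    return (
        '<h2 title="{title}">{title}</h2>\n'
        "<p>{description}</p>\n"
        "<address>{city_state_zip}</address>"
    ).format(**safe)


def _key(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_login_cookie(username):
    """Build the "save login" Set-Cookie header; it carries no credentials."""
    token = secrets.token_urlsafe(32)  # opaque, unguessable, revocable
    SESSIONS[_key(token)] = username   # only the hash is kept server-side
    return ("Set-Cookie: auction_login=%s; Path=/; Max-Age=2592000; "
            "Secure; HttpOnly; SameSite=Lax" % token)


def user_for_cookie(value):
    """Resolve a presented cookie value to a username, or None if unknown."""
    return SESSIONS.get(_key(value))


def revoke_login_cookie(value):
    """Invalidate a saved login, e.g. on logout or password change."""
    SESSIONS.pop(_key(value), None)


if __name__ == "__main__":
    # Constructed sample listing containing markup in each field.
    sample = {"title": 'Lamp" onmouseover="x', "city_state_zip": "<i>Town</i>",
              "description": "<script>alert(1)</script>"}
    print(render_listing(sample))
    print(issue_login_cookie("alice"))
```

HttpOnly keeps the cookie out of reach of page script, so a missed escaping bug no longer exposes the saved login, and a token that does leak can be revoked without the user's password ever having been in the browser.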