TUCoPS :: Web :: Apps :: web5086.htm

MakeBid CGI cross site scripting vulnerability and insecure cookie usage
11th Feb 2002 [SBWID-5086]
COMMAND

	MakeBid cross site scripting vulnerability and insecure cookie usage

SYSTEMS AFFECTED

	MakeBid Auction Deluxe Version 3.30

PROBLEM

	Blake Frantz posted :
	

	MakeBid Auction Deluxe is a commercial PERL CGI which allows  web  users
	to add items  to  an  online  auction.  The  following  fields  are  not
	properly sanatized when placing a new item on auction:
	 

	 + City/State/Zip of new auction registrant

	 + Title Descripton of new auction item

	 + Item Description for new auction item

	

	This allows an attacker to place an item  on  auction  with  potentially
	malicious code in  the  description  fields.  Thus,  being  executed  by
	simply viewing the item.
	 

	MakeBid Auction Deluxe has the option of  allowing  the  user  to  store
	their login credentials in a cookie. These  credentials  are  stored  in
	clear text.
	

	In conjunction these two vulnerabilities allow an attacker to steal  the
	accounts of any auction participant that  utilizes  the  \"save  login\"
	option.  An  attacker  can  use  the  compromised   account   to   place
	unauthorized bids, place items on auction as  other  users,  and  modify
	contact and payment information.  This  vulnerability  also  allows  the
	attacker to gather personal information and  partial  credit  card  data
	from the affected accounts.

SOLUTION

	Patch available for cross site scrippting specific bugs :
	

	http://www.netcreations.addr.com/auctiondeluxe.html

	

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH