[24223] in bugtraq
Account theft vulnerability in MakeBid Auction Deluxe 3.30
daemon@ATHENA.MIT.EDU (Blake Frantz)
Sat Feb 9 16:31:27 2002
Date: Sat, 9 Feb 2002 11:02:36 -0600 (CST)
From: Blake Frantz <blake@mc.net>
To: bugtraq@securityfocus.com
Cc: blake@packethack.com
Message-ID: <Pine.BSI.4.05L.10202081010530.26850-100000@maxx.mc.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date : February 9, 2002
Product : MakeBid Auction Deluxe Version 3.30
Vendor : USANet Creations
URL : http://www.netcreations.addr.com/auctiondeluxe.html
Vulnerability : Cross site scripting vulnerability
Insecure Cookie Usage
Risk : High
Summary : MakeBid Auction Deluxe is a commercial Perl CGI which
allows web users to add items to an online auction. The
following fields are not properly sanitized when placing
a new item on auction:
+ City/State/Zip of new auction registrant
+ Title Description of new auction item
+ Item Description for new auction item
This allows an attacker to place an item on auction with
potentially malicious script in the description fields,
which is then executed in the browser of anyone who simply
views the item.
MakeBid Auction Deluxe has the option of allowing the
user to store their login credentials in a cookie.
These credentials are stored in clear text.
In conjunction, these two vulnerabilities allow an
attacker to steal the accounts of any auction
participant that utilizes the "save login" option.
An attacker can use the compromised account to place
unauthorized bids, place items on auction as other
users, and modify contact and payment information.
This vulnerability also allows the attacker to
gather personal information and partial credit card data
from the affected accounts.
References : http://www.cert.org/advisories/CA-2000-02.html
Vendor Status : Vendor has been contacted via email and a patch for the
Cross site scripting vulnerability is available for
registered users. Login credentials are still stored in the
cookie in clear text.
Notes : USANet Creations has three other products; Classified
Ads, Shopping Mall, and Domain Name Auction which were
developed on the same code base. These products may also
fall victim to the same vulnerabilities.
Recommendation: Auction administrators should download latest patch from
USANet Creations. Auction users should avoid using the
"Cookie Auto Login" feature.
Feedback : Send comments to blake@mc.net.
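The following is an added example, not code from MakeBid Auction Deluxe or from the advisory's author. It shows, in Python, the two defects the advisory describes (user-supplied item fields written into the page unescaped, and the "save login" cookie carrying the credentials themselves) next to one fix for each: escaping every user-supplied field at output time, and replacing the credential cookie with an opaque random token that is checked against an HMAC and a server-side table. The field names, the cookie name, the server key, the token table and the sample item are all assumptions made for illustration.

```python
import hashlib
import hmac
import html
import secrets

# Assumption: the three free-text fields the advisory names as unsanitized.
ITEM_FIELDS = ("city_state_zip", "title", "description")
TEMPLATE = "<h1>{title}</h1><p>{description}</p><p>{city_state_zip}</p>"

# Constructed sample item (not real auction data): the title carries script.
CONSTRUCTED_ITEM = {
    "city_state_zip": "Chicago, IL 60601",
    "title": "Vintage radio<script>alert(document.cookie)</script>",
    "description": "Works \"as is\"; <b>no</b> returns.",
}


def render_item_unsafe(item):
    """Vulnerable pattern: user text is interpolated into the page verbatim,
    so any tag placed in a field is parsed by the browser of whoever views
    the item."""
    return TEMPLATE.format(**{k: item[k] for k in ITEM_FIELDS})


def render_item_safe(item):
    """Fix: HTML-escape every user-supplied field at output time, so markup
    in a description is displayed as text instead of being executed."""
    return TEMPLATE.format(**{k: html.escape(item[k], quote=True) for k in ITEM_FIELDS})


def auto_login_cookie_unsafe(username, password):
    """What the advisory describes: the credentials themselves in the cookie.
    Any script that can read document.cookie gets the account outright."""
    return f"autologin={username}:{password}"


# Assumptions for the fix: a per-installation secret kept on the server and a
# server-side table mapping tokens to users (a file or database in a real CGI).
SERVER_KEY = secrets.token_bytes(32)
_auto_login_tokens = {}


def issue_auto_login_cookie(username):
    """Fix: the cookie holds only an opaque random token plus an HMAC over it.
    The password never leaves the server, a forged or altered token fails the
    HMAC check, and a stolen token can be revoked by removing it from the table."""
    token = secrets.token_urlsafe(24)  # URL-safe base64, so it never contains '.'
    _auto_login_tokens[token] = username
    mac = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"autologin={token}.{mac}"


def user_from_auto_login_cookie(cookie):
    """Return the username for a valid cookie, or None for anything that is
    missing, malformed, forged, altered or revoked."""
    prefix = "autologin="
    if not cookie.startswith(prefix):
        return None
    token, sep, mac = cookie[len(prefix):].rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return _auto_login_tokens.get(token)


def revoke_auto_login(username):
    """Server-side revocation for a user whose token may have been stolen."""
    for token, user in list(_auto_login_tokens.items()):
        if user == username:
            del _auto_login_tokens[token]


if __name__ == "__main__":
    print(render_item_unsafe(CONSTRUCTED_ITEM))
    print(render_item_safe(CONSTRUCTED_ITEM))
    cookie = issue_auto_login_cookie("alice")
    print(cookie, "->", user_from_auto_login_cookie(cookie))
```

Two caveats a deployer would want: the opaque token fixes the clear-text credential exposure but not the cross-site scripting itself, since script that can read the cookie can still replay a valid token until it is revoked or expires, so the output escaping is the primary fix and the token should carry a server-side expiry. Marking the cookie so that script cannot read it at all (the HttpOnly attribute of later browsers) further limits what a residual injection can take, but does not replace escaping.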