by r0t, der4444, cembo, VietMafia

Wednesday, December 14, 2005

QuickPayPro™ 3.1 Multiple vuln.

Vuln. discovered by: r0t
Date: 14 Dec. 2005
Vendor: http://quickpaypro.com/
Affected version: 3.1 and prior


Product Description:

QuickPayPro.com has been online for over 3 years now, and the tools we provide you have been refined over the last 4 & 1/2 years! We're a member of the Better Business Bureau and the BBBOnline Reliability Program.
We've spent over $400,000 in development and have successfully processed nearly $9,000,000 in live sales! It's been refined by over 5,000 users and manages over 90,000 Affiliates & 2.5 Million Subscribers. And the entire system is tested daily by Hacker Safe. Needless to say: This QuickPayPro is a well-oiled machine.



1. SQL inj. vuln.

QuickPayPro™ contains a flaw that allows remote SQL injection attacks. Input passed to the "popupid", "so", "sb", "nr", "subtrackingid", "delete", "trackingid" and "customerid" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


2. XSS attack vuln.

QuickPayPro™ contains a flaw that allows remote cross-site scripting attacks. The flaw exists because input passed to multiple form field parameters in "/communication/subscribers.tracking.add.php", "/support/tickets.add.php" and "/mycompany/categories.php" isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Examples:

/communication/popups.edit.php?popupid=[SQL]

/communication/customer.tickets.view.php?so=[SQL]

/communication/customer.tickets.view.php?so=ASC&sb=[SQL]

/communication/customer.tickets.view.php?so=ASC&sb=Status&nr=[SQL]

/communication/subscribers.tracking.edit.php?subtrackingid=[SQL]

/settings/design.php?delete=[SQL]

/tools/tracking.details.php?trackingid=1[SQL]

/mycompany/sales.view.php?customerid=1[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.
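What that fix looks like in practice, as an added PHP example (this is not QuickPayPro source, whose internals the advisory does not show). It takes three of the parameter shapes named above: a numeric id such as "popupid", the sort column and direction "sb"/"so" that cannot be bound as query parameters, and a form field echoed back into HTML. The table and column names and the SQLite demo database are assumptions made for illustration.

```php
<?php
// Added example, not QuickPayPro code. Table/column names are assumptions.

// --- 1. SQL injection via a numeric id ("popupid", "customerid", ...) ---

// Vulnerable pattern: the raw request value becomes part of the SQL text.
function loadPopupUnsafe(PDO $db, array $get): ?array
{
    $sql = "SELECT popupid, title FROM popups WHERE popupid = " . $get['popupid'];
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: validate the type first, then bind the value, so it is sent as
// data and can never be parsed as part of the SQL statement.
function loadPopup(PDO $db, array $get): ?array
{
    $popupid = filter_var(
        $get['popupid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($popupid === false) {
        return null; // caller answers with HTTP 400; no query is run
    }
    $stmt = $db->prepare("SELECT popupid, title FROM popups WHERE popupid = :id");
    $stmt->execute([':id' => $popupid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// --- Sort column and direction ("sb", "so") ---
// Identifiers and keywords cannot be bound as parameters, so map the request
// value through an allow-list; anything unknown falls back to a default.
function ticketOrderClause(array $get): string
{
    $columns = [
        'Status'  => 'status',
        'Date'    => 'created_at',
        'Subject' => 'subject',
    ];
    $column    = $columns[$get['sb'] ?? ''] ?? 'created_at';
    $direction = (($get['so'] ?? '') === 'DESC') ? 'DESC' : 'ASC';
    return "ORDER BY $column $direction";
}

// --- 2. Reflected XSS: form fields echoed back into the page ---
// Vulnerable pattern:
//   echo '<input name="subject" value="' . $_POST['subject'] . '">';
// Hardened: encode for the HTML attribute context at the point of output.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function subjectField(array $post): string
{
    return '<input name="subject" value="' . escapeHtml($post['subject'] ?? '') . '">';
}

// Constructed demo with an in-memory SQLite database so the file runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE popups (popupid INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO popups VALUES (1, 'Welcome')");

var_dump(loadPopup($db, ['popupid' => '1']));        // the row
var_dump(loadPopup($db, ['popupid' => '1abc']));     // NULL, rejected before any query
echo ticketOrderClause(['so' => 'ASC', 'sb' => 'Status']), "\n";  // ORDER BY status ASC
echo ticketOrderClause(['so' => 'x', 'sb' => 'nope']), "\n";      // ORDER BY created_at ASC
echo subjectField(['subject' => '"><b>x</b>']), "\n";           // quotes and brackets encoded
```

The two halves address the two classes of flaw separately: binding and allow-listing stop request data from changing the structure of the query, while `escapeHtml` stops it from changing the structure of the page. Neither replaces the other, and both belong at the point where the value is used, not in a single global "sanitise everything" filter at the top of the script.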

Copyright (c) 2006 Pridels Sec Crew