Wednesday 27 June 2007

rwAuction Pro XSS vuln.

###############################################
Vuln. discovered by : r0t
Date: 27 June 2007
Vendor: http://www.rainworx.com/
Affected versions: rwAuction Pro v5.0
Other versions can also be affected.
###############################################

rwAuction Pro contains a flaw that allows remote Cross-Site Scripting attacks. Input passed to the "search", "show", "searchtype", "catid" and "searchtxt" parameters in "search.asp" isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


Note: Input in the "searchtxt" parameter was already vulnerable in rwAuction Pro 4.x and is still unpatched in version 5.0.
Ref: http://secunia.com/advisories/17905/
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
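
One way to apply the fix above in Classic ASP, shown as an added example that is not rwAuction Pro's code or the vendor's patch. The form layout, the helper names (SafeText, SafeId, SafeChoice) and the assumed meaning of each parameter are hypothetical; only the five parameter names and "search.asp" come from the advisory.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Hypothetical search.asp fragment. Assumed, not confirmed by the advisory:
' catid is a numeric id, searchtype and show take a small fixed set of values,
' search and searchtxt are free text.

' Free text: Server.HTMLEncode rewrites < > & and " so the value stays inert in
' element content and in double-quoted attributes (it leaves ' alone, so never
' emit these values into single-quoted or unquoted attributes).
Function SafeText(paramName)
    SafeText = Server.HTMLEncode(Trim(Request.QueryString(paramName) & ""))
End Function

' Numeric id: anything that is not 1 to 9 decimal digits becomes 0.
Function SafeId(paramName)
    Dim raw, i
    raw = Trim(Request.QueryString(paramName) & "")
    SafeId = 0
    If Len(raw) = 0 Or Len(raw) > 9 Then Exit Function
    For i = 1 To Len(raw)
        If InStr("0123456789", Mid(raw, i, 1)) = 0 Then Exit Function
    Next
    SafeId = CLng(raw)
End Function

' Enumerated value: emit the server-side constant, never the request string.
Function SafeChoice(paramName, allowed, fallback)
    Dim raw, item
    raw = LCase(Trim(Request.QueryString(paramName) & ""))
    SafeChoice = fallback
    For Each item In allowed
        If raw = item Then SafeChoice = item
    Next
End Function

Dim searchType, showMode   ' allowed values below are constructed placeholders
searchType = SafeChoice("searchtype", Array("title", "description"), "title")
showMode = SafeChoice("show", Array("all", "open", "closed"), "all")
%>
<form action="search.asp" method="get">
  <input type="text" name="searchtxt" value="<%= SafeText("searchtxt") %>">
  <input type="hidden" name="search" value="<%= SafeText("search") %>">
  <input type="hidden" name="catid" value="<%= SafeId("catid") %>">
  <input type="hidden" name="searchtype" value="<%= searchType %>">
  <input type="hidden" name="show" value="<%= showMode %>">
</form>
```

The same encoding has to be applied at every other place search.asp writes these values back, such as a "results for ..." heading or pagination links, since a single unencoded echo is enough to keep the issue open.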

2 comments:

gman said...

I just tested this out in our online demo;
http://www.rainworx.com/rwAuction50/search.asp?searchtxt=[script]alert(‘XSS%20attack’)[/script]

(replace [] above with <>)

The input is sanitized, I don't understand. Please provide more details so we can recreate what you are finding. Thank you
- Steve Gorman
RainWorx Software

r0t said...

Hello Steve,
here: http://en.wikipedia.org/wiki/XSS

you can read more about XSS.


In rwAuction Pro's case you can prove the results with this input: %22%3Cscript%3Ealert('r0t')%3C/script%3E