header-logo
Suggest Exploit
vendor:
Gold
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary File Disclosure, Cross-Site Scripting, and SQL Injection
89, 79, 94
CWE
Product Name: Gold
Affected Version From: RadBids Gold v2
Affected Version To: Other versions may be affected as well.
Patch Exists: YES
Related CWE: N/A
CPE: auciton_software
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

RadBids Gold Multiple Vulnerabilities

RadBids Gold is reported prone to multiple vulnerabilities. These issues include arbitrary file disclosure, cross-site scripting, and SQL injection. A remote attacker can disclose arbitrary files. Information gathered through this issue may allow the attacker to carry out other attacks against an affected computer. The application is affected by a SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. Multiple cross-site scripting issues have been identified as well. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Mitigation:

Ensure that all user-supplied input is validated and filtered for malicious content. Ensure that all output is properly encoded for the context in which it is used. Ensure that all access to the application is performed over a secure channel such as SSL.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/13080/info
  
RadBids Gold is reported prone to multiple vulnerabilities. These issues include arbitrary file disclosure, cross-site scripting, and SQL injection.
  
The following specific vulnerabilities were identified:
  
A remote attacker can disclose arbitrary files. Information gathered through this issue may allow the attacker to carry out other attacks against an affected computer.
  
The application is affected by a SQL injection vulnerability. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
  
Multiple cross-site scripting issues have been identified as well. An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
  
RadBids Gold v2 is reported vulnerable to these issues. Other versions may be affected as well. 

http://www.example.com/auciton_software/index.php?a=listings&mode=1&order=name&cat=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.example.com/auciton_software/index.php?a=listings&mode=1&order='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&cat=

http://www.example.com/auciton_software/index.php?a=myareas&area=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Navigation

Suggest Exploit

Services By CQR

cqrsecured