Account theft vulnerability in MakeBid Auction Deluxe 3.30

[Blake Frantz <blake () mc net>]

Date          :  February 9, 2002
Product       :  MakeBid Auction Deluxe Version 3.30
Vendor        :  USANet Creations
URL           :  http://www.netcreations.addr.com/auctiondeluxe.html
Vulnerability :  Cross site scripting vulnerability
                 Insecure Cookie Usage

Risk          :  High

Summary       :  MakeBid Auction Deluxe is a commercial PERL CGI which
                 allows web users to add items to an online auction.  The
                 following fields are not properly sanatized when placing
                 a new item on auction:

                        + City/State/Zip of new auction registrant
                        + Title Descripton of new auction item
                        + Item Description for new auction item

                 This allows an attacker to place an item on auction with
                 potentially malicious code in the description fields.
                 Thus, being executed by simply viewing the item.  
                 
                 MakeBid Auction Deluxe has the option of allowing the 
                 user to store their login credentials in a cookie.   
                 These credentials are stored in clear text.

                 In conjunction these two vulnerabilities allow an
                 attacker to steal the accounts of any auction
                 participant that utilizes the "save login" option.
                 An attacker can use the compromised account to place
                 unauthorized bids, place items on auction as other
                 users, and modify contact and payment information. 
                 This vulnerability also allows the attacker to
                 gather personal information and partial credit card data
                 from the affected accounts.

References    :  http://www.cert.org/advisories/CA-2000-02.html

Vendor Status :  Vendor has been contacted via email and a patch for the
                 Cross site scripting vulnerability is available for 
                 registered users.  Cookies are still stored in clean
                 text.

Notes         :  USANet Creations has three other products; Classified
                 Ads, Shopping Mall, and Domain Name Auction which were
                 developed on the same code base.  These products may also
                 fall victim to the same vulnerabilities.

Recommendation:  Auction administrators should download latest patch from 
                 USANet Creations.  Auction users should avoid using the 
                 "Cookie Auto Login" feature.

Feedback      :  Send comments to blake () mc net.