Affected software: PHP pro bid v 6.04 (as at 2008-09-11)
Vendor description: The Leading Proffessional (sic) Auction Script
Software available online today written in PHP/ Mysql
Impact: SQL injection
Description:
categories.php and other pages of PHP Pro Bid accept user-supplied ORDER BY column and ASC/DESC direction values and place them into the SQL query without validation.
The software also prints verbose error messages that disclose the full query, for example:
SQL Query: SELECT a.auction_id, a.name, a.start_price, a.max_bid,
a.nb_bids, a.currency, a.end_time, a.closed, a.bold, a.hl,
a.buyout_price, a.is_offer, a.reserve_price, a.owner_id FROM
probid_auctions a WHERE a.active=1 AND a.approved=1 AND a.closed=0 AND
a.deleted=0 AND a.list_in!='store' AND a.creation_in_progress=0 GROUP
BY a.auction_id ORDER BY (select 1)x LIMIT 0, 20
Leveraging an admin user name and password is left as an exercise to the reader.
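The usual fix for this class of bug is to never let a request parameter reach the ORDER BY clause as raw text: map the sort field to a fixed allow-list of columns, accept only the literal keywords ASC and DESC, and keep the SQL text out of any message shown to the user. The following is an added example written for this advisory, not code from PHP Pro Bid; the parameter names (`orderby`, `orderdir`), the column allow-list and the trimmed column list in the query are assumptions for illustration.

```php
<?php
// Added example (not PHP Pro Bid's code): allow-list the ORDER BY column and
// direction before they reach the query, and keep SQL text out of user-facing
// errors. Parameter names and the column allow-list are assumptions.

// Sort keys a caller may request, mapped to the SQL expression actually used.
const ALLOWED_ORDER_COLUMNS = [
    'name'     => 'a.name',
    'price'    => 'a.start_price',
    'bids'     => 'a.nb_bids',
    'end_time' => 'a.end_time',
];

// Returns a safe "ORDER BY ..." clause, or null if either input is not on the allow-list.
function build_order_clause(?string $column, ?string $direction): ?string
{
    if ($column === null || !array_key_exists($column, ALLOWED_ORDER_COLUMNS)) {
        return null;
    }
    // Only the two literal keywords are accepted; anything else is rejected,
    // never interpolated into the statement.
    $dir = strtoupper((string) $direction);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        return null;
    }
    return 'ORDER BY ' . ALLOWED_ORDER_COLUMNS[$column] . ' ' . $dir;
}

// Lists active auctions, falling back to a fixed default order when the
// requested sort is not allowed. LIMIT values are bound as integers.
function list_active_auctions(PDO $db, ?string $column, ?string $direction, int $page = 0, int $perPage = 20): array
{
    $order = build_order_clause($column, $direction) ?? 'ORDER BY a.end_time ASC';
    $sql = 'SELECT a.auction_id, a.name, a.start_price, a.nb_bids, a.end_time '
         . 'FROM probid_auctions a '
         . 'WHERE a.active=1 AND a.approved=1 AND a.closed=0 AND a.deleted=0 '
         . $order . ' LIMIT :offset, :limit';
    try {
        $stmt = $db->prepare($sql);
        $stmt->bindValue(':offset', $page * $perPage, PDO::PARAM_INT);
        $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log the detail server-side; do not echo $sql or $e->getMessage() to the browser.
        error_log('auction list query failed: ' . $e->getMessage());
        return [];
    }
}

// Self-check on constructed inputs: a legitimate sort passes, anything off the list is dropped.
assert(build_order_clause('price', 'desc') === 'ORDER BY a.start_price DESC');
assert(build_order_clause('(select 1)x', 'ASC') === null);
assert(build_order_clause('price', 'ASC, a.name') === null);

// Typical call from a page handler (assumed parameter names):
// $rows = list_active_auctions($pdo, $_GET['orderby'] ?? null, $_GET['orderdir'] ?? null);
```

Because the column value is used only as a key into the allow-list, the string taken from the request never appears in the statement at all; the direction check is a strict comparison against two keywords rather than a pattern match, which avoids the partial-match mistakes that a regex on "ASC|DESC" invites. The catch block preserves the detail for the server log while returning an empty result to the caller, which removes the query echo described above.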
Solution:
Timeline: