Auction software has flaws, be careful.

Hi again,

I was doing some poking around for something new to talk about and came across the National Vulnerability Database. I found information that might be valuable to online auction participants and thought I would share it with you.

The National Vulnerability Database has identified a vendor of auction, banner exchange, link and ad management as having a flaws ranging from medium to high. To be brief, the SoftBiz suite of products has been identified to have serious security gaps. I haven’t contacted SoftBiz directly, but there are references to the problem areas in the NVD. The references follow.

Please be careful where you do your business. I’m sure this is an oversight and will be corrected soon, but the SoftBiz web site says that they have over 3000 applications and installations. This is from their web site faq:

“We have an experience of powering 3000+ web sites with our scripts. We have been improving our scripts over the years now. So, you can trust our technical skills. If you ever face any bug in the script, we will correct it for you free of cost. You do not have to wait for any patch to be released. Just notify us the problem and we will correct it as our highest priority. This can be offered only by an organization with full confidence on its script. We fully back our scripts and clients.”

As always, safe surfing,

Darrell Mishler

mndcreativeconcepts store

demphoto site and amazon store

Gourmet Wild Rice

CVE-2007-5999 (Softbiz Auctions Script)
Publish Date: 11/15/2007 CVSS Severity: 7.5 (High)
SQL injection vulnerability in product_desc.php in Softbiz Auctions Script allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2007-5998 (Ad Management plus Script)
Publish Date: 11/15/2007 CVSS Severity: 6.5 (Medium)
SQL injection vulnerability in ads.php in Softbiz Ad Management plus Script 1 allows remote authenticated users to execute arbitrary SQL commands via the package parameter.

CVE-2007-5997 (Banner Exchange Network Script)
Publish Date: 11/15/2007 CVSS Severity: 6.5 (Medium)
SQL injection vulnerability in campaign_stats.php in Softbiz Banner Exchange Network Script 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.

CVE-2007-5996 (Link Directory Script)
Publish Date: 11/15/2007 CVSS Severity: 7.5 (High)
SQL injection vulnerability in searchresult.php in Softbiz Link Directory Script allows remote attackers to execute arbitrary SQL commands via the sbcat_id parameter, a related issue to CVE-2007-5449.