# Exploit Title: WeBid <=1.0.5 Cross Site Scripting Vulnerabilities
# Date: 11/17/2012
# Exploit Author: Woody Hughes
# Vendor Homepage: http://www.webidsupport.com
# Software Link: http://sourceforge.net/projects/simpleauction/files/simpleauction/WeBid%20v1.0.4/WeBid-1.0.4.zip/download
# Version: 1.0.5
# Tested on: Ubuntu Linux

INGRESS SECURITY
SECURITY ADVISORY
INGRES-11172012-WeBid Cross Site Scripting Vulnerabilities
November 17, 2012

OVERVIEW
Ingress Security researchers have found a Cross Site Request Forgery and persistent Cross Site Scripting vulnerability in the WeBid auction house software.

AFFECTED PRODUCTS
WeBid version 1.0.5 and prior.

PLATFORM: Multiple
LOCAL/REMOTE: Remote
CVSS SCORE: 5.8 (AV:N/AC:L/Au:S/C:C/I:P/A:N/E:P/RL:U/RC:ND/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND)

DESCRIPTION OF VULNERABILITIES

Cross Site Request Forgery (CSRF)
WeBid does not properly check user input, thus allowing the