Ravens PHP Scripts

Enthrallweb eShopping Cart Multiple SQL Injection
Date: Friday, November 17, 2006 @ 09:31:43 CST
Topic: Security


SECUNIA ADVISORY ID: SA22955

VERIFY ADVISORY: http://secunia.com/advisories/22955/

CRITICAL: Moderately critical

IMPACT: Manipulation of data

SOFTWARE: Enthrallweb eShopping Cart - http://secunia.com/product/12651/

DESCRIPTION: Laurent Gaffié and Benjamin Mossé have reported some vulnerabilities in Enthrallweb eShopping Cart, which can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "ProductID" parameter in reviews.asp and productdetail.asp, and to the "cat_id" and "sub_id" parameters in subProducts.asp, is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

SOLUTION: Edit the source code to ensure that input is properly sanitised.
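As an added illustration (not code from the product or from the advisory), the following Python/sqlite3 model shows the pattern the advisory describes and the fix it calls for: the vulnerable handler pastes the request parameter into the SQL text, while the hardened handlers validate the numeric id and bind it as a query parameter. The table, rows and function names are constructed stand-ins and do not reflect the product's real schema or code.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the shop database (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (ProductID INTEGER PRIMARY KEY, "
        "cat_id INTEGER, sub_id INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [(1, 10, 100, "Widget"), (2, 10, 101, "Gadget"), (3, 11, 102, "Gizmo")],
    )
    return conn


def product_detail_vulnerable(conn, product_id):
    # Mirrors the flaw in the advisory: the raw request parameter becomes part
    # of the SQL text, so the client controls the structure of the query.
    sql = "SELECT name FROM products WHERE ProductID = " + product_id
    return [row[0] for row in conn.execute(sql)]


def parse_id(value):
    # Allow-list validation: the id parameters are numeric, so anything that is
    # not a plain string of digits is rejected before it reaches the database.
    if not value.isdigit():
        raise ValueError("invalid id parameter: %r" % value)
    return int(value)


def product_detail_fixed(conn, product_id):
    # Validated value is passed as a bound parameter; it can never alter the query.
    pid = parse_id(product_id)
    sql = "SELECT name FROM products WHERE ProductID = ?"
    return [row[0] for row in conn.execute(sql, (pid,))]


def sub_products_fixed(conn, cat_id, sub_id):
    # Same treatment for the two parameters of the sub-product listing.
    sql = "SELECT name FROM products WHERE cat_id = ? AND sub_id = ?"
    return [row[0] for row in conn.execute(sql, (parse_id(cat_id), parse_id(sub_id)))]
```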

PROVIDED AND/OR DISCOVERED BY: Laurent Gaffié and Benjamin Mossé

This article comes from Ravens PHP Scripts
https://www.ravenphpscripts.com

The URL for this story is:
https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=2509