VP-ASP Shopping Cart shopproductselect.asp productid Variable SQL Injection

2005-07-18T04:00:18
ID OSVDB:17999
Type osvdb
Reporter OSVDB
Modified 2005-07-18T04:00:18

Description

Vulnerability Description

VP-ASP Shopping Cart contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'shopproductselect.asp' script not properly sanitizing user-supplied input to the 'productid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Rocksalt has released a patch to address this vulnerability.


References:

Vendor URL: http://www.vpasp.com/
Vendor Specific Advisory URL
Security Tracker: 1014511
Secunia Advisory ID: 16104
Related OSVDB ID: 17998
Related OSVDB ID: 18000
ISS X-Force ID: 21411
Bugtraq ID: 14305