VP-ASP Shopping Cart shopreviewadd.asp catalogid Variable SQL Injection

2004-03-24T04:31:46
ID OSVDB:18001
Type osvdb
Reporter OSVDB
Modified 2004-03-24T04:31:46

Description

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, VP-ASP has released a patch to address this vulnerability:

Edit file shopreviewlist.asp and shopreviewadd.asp;

Find: If catalogid="" then shoperror LangNoCatalogId end if

Add: If not isnumeric(catalogid) then shoperror LangNoCatalogId end if

References:

Vendor Specific Advisory URL Secunia Advisory ID:11201 Related OSVDB ID: 4516 ISS X-Force ID: 15588 CVE-2004-2412 Bugtraq ID: 9967