Dragonfly Commerce dc_Productsview.asp SQL Injection

2005-07-12T04:49:43
ID OSVDB:18444
Type osvdb
Reporter Diabolic Crab (dcrab@hackerscenter.com)
Modified 2005-07-12T04:49:43

Description

Vulnerability Description

Dragonfly Commerce contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the dc_Productsview.asp script not properly sanitizing user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Technical Description

The vendor has disputed this issue, saying that the error messages are a result of invalid input.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor Specific Advisory URL
Security Tracker: 1014451
Secunia Advisory ID: 16007
Related OSVDB ID: 18442
Related OSVDB ID: 18445
Related OSVDB ID: 18449
Related OSVDB ID: 18441
Related OSVDB ID: 18443
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0196.html
CVE-2005-2221