AFCommerce Shopping Cart Search Field SQL Injection

2006-07-19T02:25:14
ID OSVDB:28618
Type osvdb
Reporter Sledge (sledge@paradise.net.nz)
Modified 2006-07-19T02:25:14

Description

Vulnerability Description

AFCommerce Shopping Cart has been reported to contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is supposedly due to the search functionality not properly sanitizing user-supplied input. However, the vendor has disputed this, stating that additional testing showed the input is sanitized and gave no indication that injection is possible.

Solution Description

The vulnerability reported is incorrect. No solution required.

Short Description

AFCommerce Shopping Cart has been reported to contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is supposedly due to the search functionality not properly sanitizing user-supplied input. However, the vendor has disputed this, stating that additional testing showed the input is sanitized and gave no indication that injection is possible.

References:

Security Tracker: 1016538
Related OSVDB ID: 28619
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0397.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0340.html
ISS X-Force ID: 27846
CVE: CVE-2006-3794
Bugtraq ID: 19074