a.shopKart process.asp Multiple Variable SQL Injection

2003-01-08T00:00:00
ID OSVDB:37038
Type osvdb
Reporter Ignacio Vazquez (infosecmanager@centaura.com.ar)
Modified 2003-01-08T00:00:00

Description

Vulnerability Description

a.shopKart contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the process.asp script not properly sanitizing user-supplied input to the 'zip', 'state', 'country', 'phone' and 'fax' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Related OSVDB ID: 37036
Related OSVDB ID: 37037
Other Advisory URL: http://www.centaura.com.ar/infosec/adv/ashopkart.txt
ISS X-Force ID: 11029
CVE-2003-1268
Bugtraq ID: 6558