CactuShop payonline.asp strItems Parameter SQL Injection

2004-03-31T00:00:00
ID OSVDB:4785
Type osvdb
Reporter Nick Gudov(cipher@s-quadra.com)
Modified 2004-03-31T00:00:00

Description

Vulnerability Description

CactuShop contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'strItems' parameter in the 'payonline.asp' script is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 5.113 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

CactuShop contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'strItems' parameter in the 'payonline.asp' script is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.

References:

Vendor URL: http://www.cactushop.com/ Security Tracker: 1009601 Secunia Advisory ID:11272 Related OSVDB ID: 4786 Related OSVDB ID: 4787 Other Advisory URL: http://www.s-quadra.com/advisories/Adv-20040331.txt