FreznoShopSQL.txt

Published: 11 Aug 2005
Reported by: Mike Shema
Type: packetstorm
Source: packetstormsecurity.com

FreznoShop SQL injection vulnerability in versions below 1.4.1, allows arbitrary queries and reveals usernames and passwords

Advisory text

FreznoShop Vulnerability Details

Date: May 13, 2005
Mike Shema <[email protected]>

Versions of FreznoShop (http://www.freznoshop.de/) below 1.4.1 are vulnerable to SQL injection due to the use of unvalidated parameters in database queries. Some unpatched versions of 1.4.1 are vulnerable as well.

The value of the 'id' parameter is passed directly to the SQL query function. No validation of content or filtering of malicious characters is performed. Database error messages are suppressed so that they do not reach the web browser, but this does not prevent arbitrary queries from being constructed. The following URL demonstrates a value for 'id' that displays a user's username and password in the HTML response:

http://site/freznoshop/product_details.php?id=1+UNION+SELECT+1,u_password,u_name,1,1,1,1,1,1,1,1,1+FROM+fs_users+LIMIT+1,1

The specific problem lies in the product_details.php and libclasses/lib.shop.php files.

product_details.php, c. line 63

```php
...
// the raw GET parameter reaches the query builder with no validation
$prod = loadProduct($HTTP_GET_VARS['id']);
...
```

libclasses/lib.shop.php, c. line 83

```php
...
function loadProduct($id)
{
    $table1 = DB_PREFIX .'products p';
    $table2 = DB_PREFIX .'products_categories pc';

    $sql = db_query("SELECT p.p_id,
                            p.p_item_nr,
                            p.p_name,
                            p.p_desc,
                            p.p_desc_long,
                            p.p_image,
                            p.p_price,
                            p.p_show_img,
                            p.p_sp_price,
                            p.p_has_special,
                            p.p_has_style,
                            pc.category_id
                     FROM $table1, $table2
                     WHERE p.p_id = pc.product_id
                     AND p.p_id = $id   -- $id is interpolated verbatim into the statement
                     ");
...
```

Users of this application should download the latest version of FreznoShop, which implements an is_numeric() check of the $id parameter in the product_details.php file to prevent this particular attack.
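A hardened version of loadProduct(), added here as an example rather than taken from FreznoShop. It assumes a PDO connection, the 'fs_' table prefix and the product table names, none of which the advisory shows beyond fs_users; it also shows why a type check alone (the vendor's is_numeric() fix) is weaker than a check plus a bound parameter.

```php
<?php
// Added example, not FreznoShop's own code. Assumes a PDO connection and the
// table prefix 'fs_' (only fs_users is visible in the advisory; the product
// table names are an assumption).
define('DB_PREFIX', 'fs_');

// Hardened loadProduct(): type-check at the boundary, then bind the value so
// it can never alter the statement's structure, unlike "... p.p_id = $id".
function loadProductSafe(PDO $db, $id)
{
    // The vendor fix uses is_numeric(), which also accepts "1.5", "1e3" and
    // " 1"; an unsigned integer literal is the only thing a product id can be.
    if (!ctype_digit((string) $id)) {
        return null; // reject rather than coerce
    }
    $sql = "SELECT p.p_id, p.p_name, pc.category_id
            FROM " . DB_PREFIX . "products p, " . DB_PREFIX . "products_categories pc
            WHERE p.p_id = pc.product_id AND p.p_id = :id";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Self-check against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE fs_products (p_id INTEGER, p_name TEXT)");
$db->exec("CREATE TABLE fs_products_categories (product_id INTEGER, category_id INTEGER)");
$db->exec("CREATE TABLE fs_users (u_name TEXT, u_password TEXT)");
$db->exec("INSERT INTO fs_products VALUES (1, 'Widget')");
$db->exec("INSERT INTO fs_products_categories VALUES (1, 7)");
$db->exec("INSERT INTO fs_users VALUES ('admin', 'constructed-secret')");

$cases = [
    '1'                                                => 'valid id, returns the product row',
    '1 UNION SELECT 1,u_password,u_name FROM fs_users' => 'advisory-style payload, rejected',
    '1e3'                                              => 'passes is_numeric(), rejected here',
];
foreach ($cases as $id => $why) {
    $row = loadProductSafe($db, $id);
    printf("%-50s -> %s (%s)\n", $id, $row === null ? 'rejected' : json_encode($row), $why);
}
```

With the vulnerable original, the second input would be spliced into the statement and the UNION would return a row from fs_users; here it never reaches the database.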
