Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:5790
HistoryFeb 18, 2004 - 12:00 a.m.

ZH2004-07SA (security advisory): Multiple Sql injection vulnerabilities in Online Store Kit 3.0 Products (Lite - Standard and Pro)

2004-02-1800:00:00
vulners.com
8
JSON

ZH2004-07SA (security advisory): Multiple Sql injection vulnerabilities in Online Store Kit
3.0 Products (Lite - Standard and Pro)

Published: 17 february 2004

Released: 17 february 2004

Name: Online Store Kit Products (Lite - Standard - Pro)

Affected Systems: 3.0

Issue: Sql Injection Vulnerability

Author: G00db0y from Zone-h Security Labs - [email protected] - [email protected]

Vendor: http://www.ecommerce.com

Description

Zone-h Security Team has discovered multiple flaws in Online Store Kit 3.0 Products (Lite -
Standard - Pro). There are multiple vulnerabilities in the current version of Online Store Kit
Lite that allows an attacker to disclose sensitive information that could be used to gain
unauthorized access.
Online Store Kit 3.0 Lite:"That pretty much says it all when it comes to the Online Store Kit
3.0 Lite. To sum it up, this package includes all of the features that are essential for a
usable shopping cart with uninterrupted functioning. If your e-commerce needs don't go far,
but the products/services you offer have the demand, this package is for you.
Please, note, that all the packages include core features and have room for additional
features. The core features are included in every package, and provide a solid base for
building a successful e-store. The functionality and the quantity of additional features
depend on the package you choose."
Online Store Kit 3.0 Standard: "Going with the standard is always a good thing; especially
when it comes to making a profit. When your store goes online, you should attract visitors not
only with the assortment of the products and services you offer, but also with a dynamic and
friendly sales atmosphere. If organized with Online Store Kit 3.0 Standard, your e-store will
include all the basic features plus advanced functionality, enabling a powerful and
profit-generating virtual shop."
Online Store Kit 3.0 Pro: "Intense research, development and testing has brought us to what
we call the Online Store Kit 3.0 Pro. The features which enable a comprehensive procedure for
purchasing, taxation calculation, shipping and handling, and payment methods are the hallmarks
of this professional package. Please, note, that all the packages include core features and
additional ones."

Details

The problems exist due to insufficient sanitization of user-supplied data. A remote attacker
may exploit these issues to influence SQL query logic to disclose sensitive information that
could be used to gain unauthorized access.

For example try this:

http://address/directory/shop.php?cat=[query]
http://address/directory/more.php?id=[query]
http://address/directory/lite/shop_by_brand.php?cat_manufacturer=[query]
http://address/directory/listing.php?id=[query]

Solution:

The vendor has been contacted and a patch was not yet produced.

G00db0y from Zone-h Security Labs - [email protected] - [email protected]

http://www.zone-h.org/en/advisories/read/id=3972/

JSON