by r0t, der4444, cembo, VietMafia

Wednesday, November 23, 2005

Affcommerce Multiple SQL inj.

Vuln. discovered by: r0t
Date: 23 Nov. 2005
Vendor: http://www.affcommerce.com/
Affected version: 1.1.4

Product Description:
Affcommerce is a unique, one of its kind affiliate based ecommerce script. It allows you to create a network of affiliates with customizable shopping cart/e-shop interfaces to sell your products. You would have full control over your pricing and fulfillment. Fully e-commerce ready, AffCommerce allows you to sell your products rapidly. It also has many additional modules available, like product rentals, etc.

Vuln. Description:
Input passed to the "cl" parameter in "SubCategory.php" and to the "item_id" parameter in "ItemInfo.php" and "ItemReview.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Solution:
Edit the source code to ensure that input is properly sanitised.
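As an added illustration of what "properly sanitised" means for the two parameters named above (this is not Affcommerce's own code, which the advisory does not show), the snippet below contrasts a query built by string concatenation with one that validates the input and binds it as a typed parameter. It assumes a PDO connection in `$pdo` to a MySQL database with hypothetical tables `items` (integer key `id`) and `categories` (string column `cl`); the table, column and function names are assumptions for the example.

```php
<?php
// Added example, not Affcommerce code. Assumes $pdo is a PDO connection and the
// hypothetical tables items(id INT) and categories(cl VARCHAR) exist.

// Vulnerable pattern: the request value is spliced straight into the SQL text,
// so whatever the client sends is parsed as part of the query.
function getItemUnsafe(PDO $pdo, array $request): ?array
{
    $sql = "SELECT * FROM items WHERE id = " . $request['item_id'];
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern for a numeric parameter such as item_id: reject anything
// that is not an integer, then bind the value so it is sent as data, not SQL.
function getItemSafe(PDO $pdo, array $request): ?array
{
    if (!isset($request['item_id'])
        || filter_var($request['item_id'], FILTER_VALIDATE_INT) === false) {
        http_response_code(400);   // malformed input: refuse rather than guess
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM items WHERE id = :id');
    $stmt->bindValue(':id', (int) $request['item_id'], PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern for a string parameter such as cl: binding still keeps the
// value out of the SQL grammar; a length/character check limits abuse further.
function getSubCategorySafe(PDO $pdo, array $request): array
{
    $cl = $request['cl'] ?? '';
    if (!is_string($cl) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $cl)) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM categories WHERE cl = :cl');
    $stmt->bindValue(':cl', $cl, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The point of the safe versions is that the query text is fixed at prepare time and the client-supplied value travels separately as a parameter, so no escaping of the value is needed; the validation step in front of it is there to fail early on obviously malformed requests and make the bad ones visible in logs.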

Copyright (c) 2006 Pridels Sec Crew