by r0t, der4444, cembo, VietMafia

Tuesday, November 22, 2005

EPay Pro "pmodule" SQL Injection Vulnerability

AlstraSoft EPay Pro "pmodule" SQL Injection Vulnerability


Vuln. discovered by: r0t
Date: 22 Nov. 2005
Vendor: http://www.alstrasoft.com/
Product link: http://www.alstrasoft.com/epay.htm
Affected version: v2.0

Product Overview:

How would you like to own your very own payment processing website and business built with security minded programming? EPay Pro is the ultimate software solution for those who wish to run their own Paypal, Stormpay, or e-gold type of online business. Epay Pro comes with a ready out of the box website with all the features you need to run your own payment gateway system.
It doesn't take a genius to figure out this type of website is a sound business investment. If advertised right this type of website can make you $1,000 - $10,000 a week! $4,000 - $40,000 a month! $52,000 - $520,000 a year!
A peer to peer payment system like this one will build a good customer base quickly using simple viral marketing techniques allowing its users to pay for auctions, services and goods. You can charge from 2.5% - 7% per transaction! You get 100% of those profits as you will completely own the website.
EPay Pro is completely secure and is based on the power of PHP and MySQL with encryption techniques installed on the authorization modules of the site for complete security of the funds of the users. The extensive admin panel offers an absolute control over the whole website and provides the administrators with complete stats of the activity of the site.
Run your own Paypal type of online payment gateway system with AlstraSoft EPay Pro today!

Vuln Description:

Input passed to the "pmodule" parameter of "index.php" is not properly sanitised before being used in an SQL query. Because the value ends up inside the SQL text itself, an attacker can change the structure of the query and inject arbitrary SQL of their choosing. The advisory does not name the affected query or give a proof-of-concept request.

Solution:
Edit the source code so that the value of "pmodule" is never concatenated into SQL text: pass it to the database as a bound parameter (a prepared statement, e.g. via mysqli or PDO in PHP). If "pmodule" is only meant to select one of a fixed set of modules, additionally reject any value that is not on that list before running the query. Escaping quotes alone is a weaker fix and is easy to get wrong.
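The following is an added illustration of the bug class described above and of the fix recommended in the solution; it is not code from EPay Pro or from the original advisory. The real schema behind "index.php?pmodule=" is not known, so the "modules" and "users" tables, their rows, and the two payloads are constructed assumptions, and Python with sqlite3 stands in for the product's PHP/MySQL. The vulnerable function splices the parameter into the query text; the fixed function binds it as a parameter, so the same payloads are treated as literal (non-matching) module names.

```python
import sqlite3

# Constructed sample schema and rows (assumptions for illustration; the real
# tables queried by EPay Pro's index.php are not known).
MODULES = [("paypal", 1), ("egold", 1), ("stormpay", 0)]      # (name, enabled)
USERS = [("admin", "fakehash1"), ("alice", "fakehash2")]      # (login, pwhash)


def make_db():
    """Build an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (name TEXT, enabled INTEGER)")
    conn.execute("CREATE TABLE users (login TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO modules VALUES (?, ?)", MODULES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, pmodule):
    """The bug class in the advisory: the request parameter is pasted straight
    into the SQL text, so a quote in it ends the string literal and whatever
    follows is parsed as SQL."""
    sql = f"SELECT name FROM modules WHERE name = '{pmodule}' AND enabled = 1"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_fixed(conn, pmodule):
    """Parameterised query: the driver sends the value separately from the SQL
    text, so it is compared as data and can never alter the query structure."""
    sql = "SELECT name FROM modules WHERE name = ? AND enabled = 1"
    return sorted(row[0] for row in conn.execute(sql, (pmodule,)))


# Constructed payloads an attacker would send as ?pmodule=... ; "--" comments
# out the rest of the original query.
TAUTOLOGY = "' OR 1=1 --"                                   # disables the enabled=1 filter
UNION_DUMP = "' UNION SELECT login || ':' || pwhash FROM users --"  # reads another table


if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable:", lookup_vulnerable(db, "paypal"))   # ['paypal']
    print("tautology, vulnerable:", lookup_vulnerable(db, TAUTOLOGY))
    print("union, vulnerable:", lookup_vulnerable(db, UNION_DUMP))
    print("tautology, fixed:", lookup_fixed(db, TAUTOLOGY))        # []
    print("union, fixed:", lookup_fixed(db, UNION_DUMP))           # []
```

With the vulnerable function the tautology payload returns every module, including the disabled one, and the UNION payload returns rows from an unrelated table; the fixed function returns nothing for either, since no module is literally named after the payload.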

3 Comments:

Anonymous told...

hehe, nice job, a payment service provider and an SQL injection just don't fit together ;)

1:54 PM

 
Kim told...

My, My. Wonderful post. I like it.

I have an article submission product site. It is an informative article submission source.

3:12 PM

 
Marian told...

This comment has been removed because it linked to malicious content.

8:18 PM

 

Copyright (c) 2006 Pridels Sec Crew