by r0t,der4444,cembo,VietMafia

Monday, November 28, 2005

Softbiz B2B trading Marketplace Script SQL inj.

Vuln. discovered by: r0t
Date: 28 Nov. 2005
Vendor: www.softbizscripts.com/b2b-trading-marketplace-script-features.php
Affected version: 1.1 and prior

Product Description:
Our B2B trading Marketplace Script is a wonderful solution to launch your own global trading site like the well-known alibaba.com. Just perfect to launch your own top quality trading portal. It is a COMPLETE SCRIPT with quality features like Product Catalog, Company profiles, Sell Offers, Buy Offers, Complete internal messaging, Three membership levels: Gold, Silver and Bronze.


Vuln. description:
Input passed to the "cid" parameter in "selloffers.php", "buyoffers.php", "products.php" and "profiles.php" is not properly sanitised before being used in a SQL query. The value is taken straight from the request URL, so an attacker can append arbitrary SQL code to it and manipulate the query the script runs against the database (for example, to read rows from other tables through a UNION).


examples:
/selloffers.php?cid=[SQL]
/buyoffers.php?cid=[SQL]
/products.php?cid=[SQL]
/profiles.php?cid=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised. If "cid" is expected to be numeric, cast it to an integer (or reject anything that is not a plain decimal number) before it reaches the query; in all cases, pass it to the database as a bound parameter of a prepared statement instead of concatenating it into the SQL string.
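The following is an added illustration of the flaw class described above and of the fix; it is not code from the Softbiz product (whose source is not shown here). It builds a constructed in-memory SQLite database, runs a "cid" lookup the way the advisory describes it (request value pasted into the SQL string), shows two payloads that abuse it, and then runs the hardened version. The table and column names (sell_offers, members, cid, title, username, password) are assumptions for the demo, not the product's real schema.

```python
"""Demonstration of the "cid" SQL injection pattern and its fix.

Added example for this advisory, not Softbiz code. All schema names below
(sell_offers, members, cid, title, username, password) are assumptions.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: two offer categories and a members table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sell_offers (id INTEGER PRIMARY KEY, cid INTEGER, title TEXT);
        INSERT INTO sell_offers VALUES (1, 1, 'Used laptops, category 1');
        INSERT INTO sell_offers VALUES (2, 1, 'Office chairs, category 1');
        INSERT INTO sell_offers VALUES (3, 2, 'Steel coils, category 2');
        CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO members VALUES (1, 'admin', 'hunter2');
        """
    )
    return conn


def selloffers_vulnerable(conn, cid):
    """The flawed pattern: the raw request parameter becomes part of the SQL text.

    cid is whatever arrived in the URL, e.g. "1", "1 OR 1=1" or a UNION clause.
    """
    sql = "SELECT title FROM sell_offers WHERE cid=" + cid
    return [row[0] for row in conn.execute(sql)]


def is_valid_cid(cid):
    """Accept only a plain decimal integer; anything else is rejected up front."""
    return re.fullmatch(r"[0-9]+", cid) is not None


def selloffers_fixed(conn, cid):
    """Hardened version: validate the value, then bind it as a query parameter.

    Even if the validation were skipped, the bound parameter would never be
    interpreted as SQL; the two measures are independent layers.
    """
    if not is_valid_cid(cid):
        raise ValueError("cid must be a positive integer")
    sql = "SELECT title FROM sell_offers WHERE cid=?"
    return [row[0] for row in conn.execute(sql, (int(cid),))]


# Payloads in the shape of the advisory's "/selloffers.php?cid=[SQL]" examples.
PAYLOAD_ALL_ROWS = "1 OR 1=1"
PAYLOAD_UNION = "0 UNION SELECT username||':'||password FROM members"


def demo():
    """Run both versions against the constructed database and return the results."""
    conn = make_db()
    results = {
        "vuln_normal": selloffers_vulnerable(conn, "1"),
        "vuln_all_rows": selloffers_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "vuln_union": selloffers_vulnerable(conn, PAYLOAD_UNION),
        "fixed_normal": selloffers_fixed(conn, "1"),
    }
    for payload in (PAYLOAD_ALL_ROWS, PAYLOAD_UNION):
        try:
            selloffers_fixed(conn, payload)
            results["fixed_" + payload] = "ACCEPTED (bug)"
        except ValueError:
            results["fixed_" + payload] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The UNION payload is the interesting one: with cid=0 matching nothing, the only rows returned come from the members table, which is how an injection in a harmless listing page turns into credential disclosure. The regex check alone already stops both payloads, but the bound parameter is what makes the query safe regardless of what validation is in front of it.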

1 Comment:

Anonymous salman told...

Can you please help me in sanitising the code. I can supply you the affected files' code

9:26 PM

Copyright (c) 2006 Pridels Sec Crew