Bugtraq mailing list archives
Ecommerce-Carts SQL injection vulnerability ( IHSTeam )
From: c0d3r () ihsteam com
Date: Wed, 20 Apr 2005 01:42:19 +0430 (IRDT)
********************************************
IHS Iran Hackers Sabotage Public advisory
by : c0d3r "Kaveh Razavi"
c0d3r () ihsteam com
********************************************
----------------------------------------------------------
advisory url : http://www.ihssecurity.com/cms/modules/mydownloads/visit.php?lid=8
application : Ecommerce-Carts EcommProV.3 and prior
vendor : Ecommerce-Carts.com
risk : critical

Ecommerce-Carts is a web application that is used to manage small businesses. It has got many useful features like credit card process and etc. Ecommerce-Carts contains a very dangerous sql injection which allows an attacker to gain access to the control panel page and view critical information like credit card information and so on. The vulnerability is quite simple to use :

http://site.com/scart/admin/login.asp
user : admin ( everything )
pass : ' or ''='
----------------------------------------------------------
Disclosure timeline :
14 April 2005 : vendor contacted via a private mail
16 April 2005 : vendor contacted again ( no response )
19 April 2005 : still no response , public disclosure
----------------------------------------------------------
greeting to IHSteam.com members and exploitdev mates and all Iranian Security Teams

c0d3r of IHS Security researcher
Www.ihssecurity.com (english)
www.ihsteam.com (persian)
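Added example, not part of the advisory and not the vendor's code: a Python/sqlite3 sketch of why the password string quoted above passes a login check built by string concatenation for any username, next to the parameterized form that rejects it. The table layout, the query shape and the function names are assumptions, since the advisory does not show the source of login.asp.

```python
import sqlite3

ADVISORY_PASS = "' or ''='"   # the password string quoted in the advisory


def make_db():
    """Constructed sample data: one admin row in an in-memory database.
    The plaintext password keeps the example short; real code stores a hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES ('admin', 'S3cret-constructed')")
    return db


def build_concat_query(user, pw):
    # Assumed shape of the vulnerable query: input is pasted into the SQL text.
    return ("SELECT COUNT(*) FROM admins WHERE username='" + user +
            "' AND password='" + pw + "'")


def login_concat(db, user, pw):
    """Vulnerable form. The leading quote in pw closes the password literal,
    and because AND binds tighter than OR the WHERE clause becomes
    (username=... AND password='') OR (''=''), which is true for every row."""
    return db.execute(build_concat_query(user, pw)).fetchone()[0] > 0


def login_param(db, user, pw):
    """Hardened form: values are bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM admins WHERE username=? AND password=?"
    return db.execute(sql, (user, pw)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(build_concat_query("admin", ADVISORY_PASS))
    for user in ("admin", "no-such-user"):
        print(user,
              "concat:", login_concat(db, user, ADVISORY_PASS),
              "param:", login_param(db, user, ADVISORY_PASS))
```

The same binding approach is available to classic ASP through ADODB.Command parameters, so the fix does not depend on filtering quote characters out of the input.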