BID:25210

Cartweaver Details.CFM SQL Injection Vulnerability

Info

Cartweaver Details.CFM SQL Injection Vulnerability

Bugtraq ID:	25210
Class:	Input Validation Error
CVE:	CVE-2006-2046
Remote:	Yes
Local:	No
Published:	Aug 06 2007 12:00AM
Updated:	May 07 2015 05:36PM
Credit:	Meoconx is credited with the discovery of this vulnerability.
Vulnerable:	Application Dynamics, Inc. Cartweaver 2.17.11 Application Dynamics, Inc. Cartweaver 2.16.11

Not Vulnerable:	Application Dynamics, Inc. Cartweaver 3

Discussion

Cartweaver Details.CFM SQL Injection Vulnerability

Cartweaver is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in SQL queries.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Exploit / POC

Cartweaver Details.CFM SQL Injection Vulnerability

An attacker can exploit this issue through a browser.

The following proof-of-concept URI is available:

http://www.example.com/Details.cfm?ProdID=[sql query]

Solution / Fix

Cartweaver Details.CFM SQL Injection Vulnerability

Solution:
NOTE: The vendor states that Cartweaver 3 is not affected.

The vendor released a patch to address this issue. Please contact the vendor for information on obtaining and installing the patch or a recent version.

References

Cartweaver Details.CFM SQL Injection Vulnerability

References:

Cartweaver Home Page (Application Dynamics, Inc.)