Ecommerce Corporation Online Store Kit More.PHP Multiple Vulnerabilities
BID:9676
Info
| Bugtraq ID: | 9676 |
| Class: | Input Validation Error |
| CVE: | CVE-2004-0300, CVE-2004-0301 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 17 2004 12:00AM |
| Updated: | Jul 12 2009 03:06AM |
| Credit: | The disclosure of this issue has been credited to David Sopas Ferreira <[email protected]>. |
| Vulnerable: | Ecommerce Corporation Online Store Kit 3.0 Standard, Ecommerce Corporation Online Store Kit 3.0 Pro, Ecommerce Corporation Online Store Kit 3.0 Lite |
| Not Vulnerable: | |
Discussion
Multiple vulnerabilities have been identified in the software due to improper sanitization of user-supplied input. Successful exploitation of these issues could allow an attacker to carry out cross-site scripting and SQL injection attacks via the 'id' parameter of the 'more.php' script.
Online Store Kit version 3.0 has been reported to be prone to these issues.
Exploit / POC
No exploit is required.
The following proof of concept examples have been provided:
more.php?id='[SQL injection here]&
more.php?id=%3Cscript%3Ealert(document.domain);%3C/script%3E&
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
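The input-handling controls that address both issue classes described for the 'id' parameter, as an added PHP example (not Online Store Kit code and not vendor guidance): strict integer validation plus a parameterized query against the SQL injection, and output encoding against the cross-site scripting. The `products` table, its columns, the function names and the sample rows are hypothetical, and the demo assumes the PDO SQLite driver is available.

```php
<?php
// Added example: hardened handling of a numeric 'id' request parameter.
// Not taken from more.php; schema and function names are assumptions.

// Accept only a positive decimal integer; reject everything else.
function parse_product_id($raw): ?int
{
    if (!is_string($raw)) {              // e.g. id[]=1 arrives as an array
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound as an integer and never concatenated into the SQL text.
function fetch_product(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encode every value at the point of output, including data read from the database.
function render_product(array $row): string
{
    $e = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h1>' . $e($row['name']) . '</h1><p>Item #' . $e($row['id']) . '</p>';
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Widget <b>Deluxe</b>')");

// A valid id, the two proof-of-concept inputs from this entry (URL-decoded), an unknown id.
$samples = ['1', "'", '<script>alert(document.domain);</script>', '999'];
foreach ($samples as $raw) {
    $id = parse_product_id($raw);
    if ($id === null) {
        echo "400 Bad Request\n";        // the rejected input is never echoed back
        continue;
    }
    $row = fetch_product($db, $id);
    echo $row === null ? "404 Not Found\n" : render_product($row) . "\n";
}
```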
References
References:
- Online Store Kit Product Page (Ecommerce Corporation)
- Online Store Kit v3.0 Advisory (SystemSecure.org)