Dogpatch Software CFWebstore SQL Injection Vulnerability
BID:9854
Info
| Bugtraq ID: | 9854 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 12 2004 12:00AM |
| Updated: | Mar 12 2004 12:00AM |
| Credit: | The disclosure of this issue has been credited to Nick Gudov. |
| Vulnerable: | Dogpatch Software CFWebstore 5.0 |
| Not Vulnerable: | Dogpatch Software CFWebstore 5.0.1 |
Discussion
It has been reported that CFWebstore is prone to a remote SQL injection vulnerability. This issue is due to a failure of the application to properly sanitize user input before including it in an SQL statement.
As a result, a malicious user may influence database queries to view or modify sensitive information, potentially compromising the software or the database. It has been reported that an attacker may be able to disclose the administrator password hash by exploiting this issue.
Exploit / POC
No exploit is required to leverage this issue.
Solution / Fix
Solution:
The vendor has supplied an upgrade dealing with this issue. Please see the reference section to contact the vendor for details on obtaining the upgrade.
References
References:
- CFWebstore (Dogpatch Software)
- Dogpatch Software CFWebstore 5.0 shopping cart software multiple security... (S-Quadra Security Research)