Info

Disclosure

Mar 31, 2004

Discovery

Mar 16, 2004

Dates

Exploit

Mar 31, 2004

Solution

Unknown

Description

CactuShop contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'strItems' parameter in the 'mailorder.asp' script is not verified properly and will allow a remote attacker to inject or manipulate SQL queries.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure, Input Manipulation
Impact: Loss of Confidentiality, Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 5.113 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Cactusoft Ltd.	CactuShop	5.1
		5.0x

References

Bugtraq ID: 10019
Security Tracker: 1009601
Secunia Advisory ID: 11272
ISS X-Force ID: 15686
CVE ID: 2004-1881 (see also: NVD)
Related OSVDB ID: 4785 4786 4787
Mail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=108075059013762&w=2
Vendor URL: http://www.cactushop.com/
Other Advisory URL: http://www.s-quadra.com/advisories/Adv-20040331.txt

Credit

Nick Gudov - ciphers-quadra.com - S-Quadra

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Cactusoft Ltd.

CactuShop

References

Credit