Ecomm Professional Guestbook verify.asp AdminPWD Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
Professional Guestbook contains a flaw that allows a remote SQL injection attack. The flaw exists because the application does not validate the AdminPWD parameter before it is used in a database query by the verify.asp script. A remote attacker could send a specially crafted request that executes arbitrary SQL queries against the back-end database, leading to a loss of confidentiality and integrity.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
c0d3r "Kaveh Razavi" is credited with the discovery of this vulnerability.
Ecommerce-Carts.com EcommPro 3.0
EcommProV3 is prone to an SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in an SQL query.
Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.
No exploit is required.
The following proof of concept URIs are available:

http://www.example.com/scart/admin/login.asp?AdminID=admin&AdminPWD='[SQL Injection]

http://www.example.com/scart/admin/login.asp?AdminID=admin&AdminPWD=''='[SQL Injection]
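The following example is added here to show why the two PoC requests above work and what the fix looks like. It is not code from the advisory or from Ecommerce-Carts.com: the table and column names (admins, AdminID, AdminPWD), the sample admin row, and the use of SQLite in place of the product's real database are all assumptions. The vulnerable function mirrors the pattern the advisory describes (the AdminPWD value concatenated straight into the SQL text); the fixed function uses a parameterized query. A lone single quote, the first PoC, produces a database syntax error in the vulnerable version, which is how a tester confirms the input reaches the query unescaped. The tautology used below is the standard `' OR ''='` form, chosen for the demonstration; the advisory's own PoC strings are as printed above.

```python
import sqlite3


def make_db():
    """Constructed sample data: one admin row, standing in for the application's
    admin table. Table and column names are assumptions, not the product's schema.
    Plaintext password storage is for brevity only; real code compares a hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (AdminID TEXT, AdminPWD TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, admin_id, admin_pwd):
    """The flawed pattern: user input concatenated into the SQL text.
    Returns True when any row matches (login accepted)."""
    sql = ("SELECT COUNT(*) FROM admins WHERE AdminID='" + admin_id +
           "' AND AdminPWD='" + admin_pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, admin_id, admin_pwd):
    """Parameterized query: the driver passes the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM admins WHERE AdminID=? AND AdminPWD=?"
    return conn.execute(sql, (admin_id, admin_pwd)).fetchone()[0] > 0


def probe(login, admin_id, admin_pwd):
    """Run one login attempt and classify the outcome the way a tester would:
    'accepted', 'rejected', or 'sql_error' (an unbalanced quote reached the parser)."""
    conn = make_db()
    try:
        return "accepted" if login(conn, admin_id, admin_pwd) else "rejected"
    except sqlite3.OperationalError:
        return "sql_error"
    finally:
        conn.close()


def demo():
    """Try three AdminPWD values against both versions.
    Returns {label: (vulnerable_result, fixed_result)}."""
    attempts = {
        "right password": "correct-horse",
        "single quote (PoC 1)": "'",          # unterminated string -> SQL error
        "tautology": "' OR ''='",             # closes the string, appends OR ''=''
    }
    results = {}
    for label, pwd in attempts.items():
        results[label] = (probe(login_vulnerable, "admin", pwd),
                          probe(login_fixed, "admin", pwd))
    return results


if __name__ == "__main__":
    for label, (vuln, fixed) in demo().items():
        print(f"{label:22s} vulnerable={vuln:10s} fixed={fixed}")
```

With the vulnerable function, the tautology turns the WHERE clause into `AdminID='admin' AND AdminPWD='' OR ''=''`, which is true for every row, so the login is accepted without a password. The parameterized version rejects both injection attempts and only accepts the correct password, because the quote characters never become part of the SQL statement.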
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.