VP-ASP Input Validation Flaws in 'shopsearch' and 'shopdisplayproducts' Let Remote Users Execute Arbitrary Commands
Categorie: Vulnerability Posted: 2003-12-04 by ReCall Views: 425 Source: Click here
Current Rating: Not rated
Details
Description: Several input validation vulnerabilities were reported in the VP-ASP shopping cart software. A remote user can execute arbitrary commands on the target system.
S-Quadra reported that there are SQL injection flaws in 'shopsearch.asp' and 'shopdisplayproducts.asp'.
It is reported that the 'shopsearch.asp' script does not validate or filter user-supplied input before using the input as part of an SQL query. A remote user can submit a specially crafted query to execute commands with administrative privileges, such as adding a new user account. A remote user may also be able to execute arbitrary commands.
It is also reported that a remote user can inject SQL commands via the 'shopdisplayproducts.asp' script. A remote user can read arbitrary information from the database.
The vendor was reportedly notified on November 28, 2003.
Impact: A remote user can execute arbitrary commands on the target system with the privileges of the target web server.
Solution: The vendor has released a fix, available at:
