| VID | 21418 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | CubeCart has an SQL injection vulnerability in its 'index.php' script. CubeCart is an ecommerce script written in PHP that uses MySQL. CubeCart 2.01 is vulnerable to an SQL injection attack because the application fails to properly sanitize user-supplied URI data before including it in an SQL query. By sending a specially crafted request to the 'index.php' script containing embedded SQL commands in the 'cat_id' parameter, a remote attacker could obtain sensitive information and add, modify or delete data in the backend database.
* References: http://securitytracker.com/alerts/2004/Oct/1011560.html
* Platforms Affected: Brooky, CubeCart 2.01; any operating system, any version |
| Recommendation | No upgrade or patch available as of June 2014.
Upgrade to a new version of CubeCart that fixes this problem when one becomes available from the CubeCart web site at http://www.cubecart.com/site/home/ |
| Related URL | CVE-2004-1580 (CVE) |
| Related URL | 11337 (SecurityFocus) |
| Related URL | 17632 (ISS) |
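
Because no patch is listed, one detection check is to flag requests to 'index.php' whose 'cat_id' value is not a plain integer. This is an added example, not part of the original entry or of CubeCart itself; it assumes 'cat_id' is normally a numeric category ID and that the web server writes Common Log Format, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2004:10:00:00 +0000] "GET /index.php?cat_id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2004:10:00:04 +0000] "GET /index.php?cat_id=3%27 HTTP/1.1" 200 812',
    '192.0.2.11 - - [01/Oct/2004:10:00:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Oct/2004:10:00:12 +0000] "GET /store/index.php?cat_id=abc&page=2 HTTP/1.1" 200 790',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate cat_id is a short run of decimal digits.
NUMERIC_ID = re.compile(r'[0-9]{1,10}')


def suspicious_cat_id(line):
    """Return the decoded cat_id value if the line is a request to
    index.php with a non-numeric cat_id, otherwise None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith('/index.php'):
        return None
    # parse_qs percent-decodes values and keeps repeated parameters,
    # so every copy of cat_id in the query string is checked.
    values = parse_qs(url.query, keep_blank_values=True).get('cat_id', [])
    for value in values:
        if not NUMERIC_ID.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line number, client address, cat_id value) per flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        bad = suspicious_cat_id(line)
        if bad is not None:
            hits.append((number, line.split()[0], bad))
    return hits


if __name__ == '__main__':
    for number, client, value in scan(SAMPLE_LOG):
        print(f'line {number}: {client} sent cat_id={value!r}')
```

The same integer-only rule can be enforced in front of the application (for example at a reverse proxy or WAF) to reject such requests instead of only logging them.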