VID 22003
Severity 40
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The orderdspc.d2w macro in IBM Net.Commerce is vulnerable to SQL injection.
IBM Net.Commerce is a suite of hardware and software for building and hosting e-commerce Web sites.
IBM's Net.Commerce platform is built on Net.Data macros (.d2w files) which, by default, do not properly validate user-supplied input before using it in database queries. A specially crafted request to a vulnerable macro can cause the server to disclose sensitive information, such as administrative account details and user password data, and to return the results of arbitrary queries against the Net.Commerce database. This can allow an attacker to gain the privileges of the DB2INST1 database account and potentially to execute arbitrary shell commands as the DB2INST1 user.

* References:
http://online.securityfocus.com/bid/2350
http://www.iss.net/security_center/static/6067.php

* Platforms Affected:
IBM Net.Commerce 2.0 / 3.0
IBM Net.Commerce Hosting Server 3.1.1 / 3.1.2 / 3.2
IBM Net.Commerce Pro 3.1 / 3.1.1 / 3.1.2 / 3.2
IBM Net.Commerce Start 3.1 / 3.1.1 / 3.1.2 / 3.2
IBM WebSphere Commerce Suite MarketPlace 4.1
IBM WebSphere Commerce Suite Pro 4.1 / 4.1.1
IBM WebSphere Commerce Suite Service Provider 3.1.2 / 3.2
IBM WebSphere Commerce Suite Start 4.1 / 4.1.1
Recommendation Upgrade to the latest version of IBM Net.Commerce (3.2 or later), which fixes the administrator macros and removes the sample macros. Upgrades are available from:
http://www-4.ibm.com/software/webservers/commerce/netcomletter.html

To remove sample macros:

* Locate the db2www.ini file in the HTML document root of each Net.Commerce instance.
* Review the MACRO_PATH in each ini file and confirm that every listed directory holds macros required in production, not samples.
* Remove the directories that are not required for production.
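The three steps above can be scripted so that every instance is checked the same way. The following audit script is an added example, not part of this advisory or of IBM's own tooling. It assumes the Net.Data convention that db2www.ini carries a single line of the form `MACRO_PATH /dir1;/dir2` (semicolon-separated directories) and uses the vulnerable orderdspc.d2w as the marker for a sample macro directory; the document-root tree it builds under a temporary directory is constructed only so the script runs offline. It reports, and deliberately does not delete, so an operator can confirm each hit before removing the directory.

```shell
#!/bin/sh
# Added example (not from the advisory or from IBM): audit Net.Data db2www.ini
# files for MACRO_PATH directories that still hold sample macros.
# Assumption: db2www.ini lists macro directories as
#   MACRO_PATH /dir1;/dir2
# Verify this against your own ini files before relying on the output.

# Constructed sample tree so the script runs offline; point ROOT at the real
# HTML document root (and drop the setup block) when auditing an instance.
ROOT="${TMPDIR:-/tmp}/ncaudit.$$"
mkdir -p "$ROOT/htdocs" "$ROOT/macro/prod" "$ROOT/macro/ncsample"
: > "$ROOT/macro/prod/store.d2w"            # a production macro
: > "$ROOT/macro/ncsample/orderdspc.d2w"    # the sample macro named in the advisory
cat > "$ROOT/htdocs/db2www.ini" <<EOF
DTW_DEFAULT_LANG NLS
MACRO_PATH $ROOT/macro/prod;$ROOT/macro/ncsample
INCLUDE_PATH $ROOT/macro/prod
EOF

# macro_dirs INIFILE: print each directory on the MACRO_PATH line, one per line.
macro_dirs() {
    sed -n 's/^[[:space:]]*MACRO_PATH[[:space:]]*//p' "$1" | tr ';' '\n' | sed '/^$/d'
}

# sample_macro_dirs INIFILE: print the MACRO_PATH directories that contain the
# sample macro orderdspc.d2w.
sample_macro_dirs() {
    macro_dirs "$1" | while IFS= read -r d; do
        if [ -f "$d/orderdspc.d2w" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# audit_root DOCROOT: find every db2www.ini below DOCROOT and report, one line
# per finding, each sample macro directory still referenced by MACRO_PATH.
audit_root() {
    find "$1" -name db2www.ini -type f | while IFS= read -r ini; do
        sample_macro_dirs "$ini" | while IFS= read -r d; do
            printf '%s: sample macro directory on MACRO_PATH: %s\n' "$ini" "$d"
        done
    done
}

audit_root "$ROOT/htdocs"
```

Each reported directory should be removed from the MACRO_PATH line and from disk only after confirming no production macro lives there; the constructed tree under `$ROOT` can be deleted once the audit is done.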

For more details please read:
http://www-4.ibm.com/software/webservers/commerce/servers/2001-1.htm
Related URL CVE-2001-0319 (CVE)