SecurityTracker.com
Category:   Application (Commerce)  >   India Software Solution Shopping Cart
Vendors:   indiasoftwaresolution.com
India Software Solution Shopping Cart Input Validation Hole in 'signin.asp' Permits SQL Injection
SecurityTracker Alert ID:  1014074
SecurityTracker URL:  http://securitytracker.com/id/1014074
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 29 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  

Description:   amin emami <Rayden> from ir-hackers team reported a vulnerability in India Software Solution Shopping Cart. A remote user can inject SQL commands.

The 'shopcart/signin.asp' script does not properly validate user-supplied input in the 'password' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited, for example, to gain administrative access on the application.

A demonstration exploit value is provided:

Username=admin
Password=" or 0=0 #

The original advisory is available at:

http://ir-hackers.com/indsc.txt

Impact:   A remote user can execute SQL commands on the underlying database. This allows a remote user to gain administrative access on the application.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.indiasoftwaresolution.com/
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.
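
With no vendor fix available, the usual remediation for this cause ("Input validation error" in a login query) is to keep user input out of the SQL text. The following is an added example, not code from the vendor, the advisory or SecurityTracker. The table layout, the concatenated query shape and the sample account are assumptions, and SQLite stands in for the application's database, which the page does not name.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = '" or 0=0 #'  # demonstration password value quoted in the advisory


def concatenated_sql(username, password):
    """Assumed shape of a login query built by string concatenation."""
    return ('SELECT * FROM users WHERE username = "' + username +
            '" AND password = "' + password + '"')


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """In-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("admin", salt, hash_password("constructed-sample-pw", salt)))
    return db


def login(db, username, password):
    """Hardened check: username is a bound parameter, password never enters SQL."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    # The quote in the payload closes the string literal in the concatenated text.
    print(concatenated_sql("admin", PAYLOAD))
    db = make_db()
    print(login(db, "admin", PAYLOAD))                  # False
    print(login(db, "admin", "constructed-sample-pw"))  # True
```

The printed query text shows the supplied value leaving the quoted literal and becoming part of the WHERE clause, while the hardened `login` treats the same value as data only.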


 Source Message Contents

Subject:  india Software Solution shopping cart Signin.asp sql injection



------------------------------------------------------------------------------------------------------------------------
Title:india Software Solution shopping cart Signin.asp sql injection
Software Package:india Software Solution shopping cart
Vendor Homepage: http://www.indiasoftwaresolution.com/shopping_cart.html
http://www.aryaninfotech.com/shopcart/SignIn.asp
Platforms:Windows Base Server
Vulnerability :Sqlinjection
Risk:High!

Hi, I'm amin emami <Rayden> from ir-hackers team. I found an SQL injection
bug in india Software Solution shopping cart.
 
 
Summary:
..........................
india Software Solution shopping cart is an ASP shopping cart portal management system.
By using that you can view Customer Tracking, add new product, upload images, 
change customers users and any other information in admin panel
 
 
Exploit:
..........................
Username =admin
Password=" or 0=0 # 
admin login file:http://Site/shopcart/SignIn.asp 
Using this, you will be taken to the admin control panel.
Example site:http://www.aryaninfotech.com/shopcart/SignIn.asp
The original advisory is coming soon here: http://ir-hackers.com/indsc.txt
 
End:
..........................
Finder name: amin emami
Team: ir-hackers team
Email: AminRayden@yahoo.com
Greeting:Special thanks to original and outlawBoy and all ir-hackers members
Web site: http://www.ir-hackers.com
 
 
 
 
 

 

		

Copyright 2021, SecurityGlobal.net LLC