ISS X-Force Database: cyberstrongeshop-multiple-sql-injection(12485): CyberStrong eShop 10expand.asp, 10browse.asp, or 20review.asp scripts SQL injection

CyberStrong eShop 10expand.asp, 10browse.asp, or 20review.asp scripts SQL injection

cyberstrongeshop-multiple-sql-injection (12485)

Medium Risk

Description:

CyberStrong eShop is vulnerable to SQL injection, caused improper filtering of user-supplied input by multiple scripts. A remote attacker could exploit this vulnerability by passing malicious SQL commands to the 10expand.asp, 10browse.asp, or 20review.asp scripts, which would allow the attacker to obtain sensitive information, and possibly add, modify, or delete data in the backend database.

Consequences:

Gain Access

Remedy:

No remedy available as of July 9, 2011.

References:

BugTraq Mailing List, Mon Jun 30 2003 - 23:03:35 CDT : Cyberstrong eShop SQL Injection Vulnerability.
CyberStrong eShop Web site: CyberStrong ASP Shopping Cart Software for MS Access and SQL Servers.
BID-14101: CyberStrong EShop 20review.ASP SQL Injection Vulnerability
BID-14103: CyberStrong eShop 10expand.ASP SQL Injection Vulnerability
BID-14112: CyberStrong EShop 10browse.ASP SQL Injection Vulnerability
CVE-2003-0509: SQL injection vulnerability in Cyberstrong eShop 4.2 and earlier allows remote attackers to steal authentication information and gain privileges via the ProductCode parameter in (1) 10expand.asp, (2) 10browse.asp, and (3) 20review.asp.
OSVDB ID: 10098: CyberStrong eShop 10expand.asp ProductCode Parameter SQL Injection
OSVDB ID: 10099: CyberStrong eShop 10browse.asp ProductCode Parameter SQL Injection
OSVDB ID: 10100: CyberStrong eShop 20review.asp ProductCode Parameter SQL Injection
SA9165: CyberStrong eShop SQL Injection Vulnerability
SECTRACK ID: 1007092: CyberStrong eShop Lets Remote Users Inject SQL Commands

Platforms Affected:

CyberStrong Internet Services CyberStrong eShop 4.2

Reported:

Jun 30, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page