VP-ASP shoprestoreorder.asp denial of service

vpasp-shoprestoreopenasp-dos (17436) The risk level is classified as Low Risk

Description:

VP-ASP is a shopping cart program available for Web sites running on Microsoft Windows or various Unix-based operating systems. VP-ASP version 5.0 is vulnerable to a denial of service attack. The shoprestoreorder.asp script opens a database connection when a user restores a previous order and does not close it afterwards. A remote attacker could repeatedly request the script, leaving one connection open per request until the available database connections are consumed, which degrades performance and can deny service to legitimate users of the shop.
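The defect class the advisory describes, as an added illustration that is not VP-ASP's code (VP-ASP is classic ASP; the pattern is shown here in Python against a throwaway SQLite file so it runs stand-alone). The pool cap of five connections, the `orders` table, the sample order row and the handler names are all constructed for the example. The leaky handler mirrors the reported behaviour, opening a connection and returning on every path without releasing it; the fixed handler releases in a `finally` block so normal returns, early exits and exceptions all hand the connection back. The `simulate` helper drives either handler through a burst of requests and reports when the pool runs dry.

```python
"""Connection-leak illustration (constructed example, not VP-ASP code)."""
import os
import sqlite3
import tempfile
import threading

MAX_CONNECTIONS = 5  # assumed pool cap; real database servers enforce a similar limit

# Seed a small database once so every pooled connection sees the same table.
DB_PATH = os.path.join(tempfile.mkdtemp(), "shop.db")
_seed = sqlite3.connect(DB_PATH)
with _seed:
    _seed.execute("CREATE TABLE orders (orderid INTEGER PRIMARY KEY, total REAL)")
    _seed.execute("INSERT INTO orders VALUES (1, 19.95)")  # constructed sample order
_seed.close()


class PoolExhausted(Exception):
    """Raised when no database connection is free: the denial-of-service condition."""


class ConnectionPool:
    """Minimal bounded pool: at most `limit` connections may be open at once."""

    def __init__(self, limit=MAX_CONNECTIONS):
        self.limit = limit
        self.open = 0
        self._lock = threading.Lock()

    def acquire(self):
        with self._lock:
            if self.open >= self.limit:
                raise PoolExhausted("no free database connections")
            self.open += 1
        return sqlite3.connect(DB_PATH)

    def release(self, conn):
        conn.close()
        with self._lock:
            self.open -= 1


def restore_order_leaky(pool, orderid):
    """Vulnerable pattern: the connection is acquired and never released."""
    conn = pool.acquire()
    row = conn.execute("SELECT total FROM orders WHERE orderid = ?", (orderid,)).fetchone()
    if row is None:
        return None  # early exit: connection leaked
    return {"orderid": orderid, "total": row[0]}  # normal exit: connection leaked too


def restore_order_fixed(pool, orderid):
    """Hardened pattern: the connection is released on every exit path."""
    conn = pool.acquire()
    try:
        row = conn.execute("SELECT total FROM orders WHERE orderid = ?", (orderid,)).fetchone()
        if row is None:
            return None
        return {"orderid": orderid, "total": row[0]}
    finally:
        pool.release(conn)  # runs on return, early exit and exception alike


def simulate(handler, requests, orderid=1):
    """Serve `requests` calls of `handler` from a fresh pool.

    Returns (completed_requests, request_number_that_hit_exhaustion_or_None).
    """
    pool = ConnectionPool()
    completed = 0
    for n in range(1, requests + 1):
        try:
            handler(pool, orderid)
        except PoolExhausted:
            return completed, n
        completed += 1
    return completed, None


if __name__ == "__main__":
    print("leaky handler:", simulate(restore_order_leaky, 20))
    print("fixed handler:", simulate(restore_order_fixed, 20))
```

With the leaky handler the sixth request already fails because the five earlier ones each kept a connection; the fixed handler serves all twenty from the same five-connection pool. The practical check is the same in any environment: count the server's open sessions from the web application while a single client repeats the request, and confirm the count does not grow without bound.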

Platforms Affected:

  • Rocksalt International, VP-ASP 5.00

Remedy:

No updated release was available as of September 2004.

As a workaround, apply the security fix for this vulnerability dated September 18, 2004, available from the VP-ASP Security Fix Web page. See References.

Consequences:

Denial of Service

References:

  • VP-ASP Security Fix Web page, Fix Summary at http://www.vpasp.com/virtprog/info/faq_securityfixes.htm.
  • VP-ASP Web site, VP-ASP Shopping Cart Solution at http://www.vpasp.com.
  • BID-11228: Virtual Programming VP-ASP Denial Of Service Vulnerability
  • CVE-2004-2164: shoprestoreorder.asp in VP-ASP 5.0 does not close the database connection when a user restores a previous order, which allows remote attackers to cause a denial of service (connection consumption).
  • OSVDB ID: 10071: VP-ASP Shopping Cart shoprestoreorder.asp Connection Persistence DoS
  • SA12611: VP-ASP Shopping Cart Database Connection Denial of Service
  • SECTRACK ID: 1011359: VP-ASP `shoprestoreorder.asp` May Let Remote Users Keep Database Connections Open

Reported:

Sep 19, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net