Mall23 infopage.asp script enables SQL injection
| mall23-infopage-sql-injection (22230) |
Description:
Mall23 is vulnerable to SQL injection. A remote attacker could send a specially-crafted SQL statement to the infopage.asp script using the idPage parameter, which would enable the attacker to obtain sensitive information, and add, modify or delete data in the backend database.
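The flaw class described above, shown as an added illustration that is not Mall23's code: a hypothetical page lookup that concatenates the `idPage` request parameter into the SQL text, beside a hardened version that validates the parameter as a numeric literal and binds it as a query parameter. Python with an in-memory SQLite table stands in for the classic ASP script and its backend database; the table, rows, and function names are constructed for the example.

```python
"""Concatenated vs. parameterised lookup of a page by its idPage parameter.

Added example, not code from Mall23. The 'pages' table and its rows are
constructed so the example runs offline; row 3 stands in for data that the
page should never expose.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory stand-in for the store's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (idPage INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [
            (1, "About us", 1),
            (2, "Shipping", 1),
            (3, "Internal notes (unpublished)", 0),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_page: str) -> list:
    """Hypothetical reconstruction of the flawed pattern.

    The raw request parameter becomes part of the SQL text, so any value that
    is not a plain number can change what the statement means. With the input
    '1 OR 1=1' the WHERE clause becomes 'published = 1 AND idPage = 1 OR 1=1',
    which (AND binds tighter than OR) matches every row, including unpublished
    ones. This is the information-disclosure outcome the advisory describes.
    """
    sql = "SELECT idPage, title FROM pages WHERE published = 1 AND idPage = " + id_page
    return conn.execute(sql).fetchall()


# Only ASCII digits, bounded length; [0-9] deliberately avoids \d, which in
# Python also matches non-ASCII digit characters that int() may not accept.
_PAGE_ID = re.compile(r"[0-9]{1,9}")


def is_valid_page_id(id_page: str) -> bool:
    """Allow-list check: the parameter must be a short decimal integer literal."""
    return _PAGE_ID.fullmatch(id_page) is not None


class InvalidPageId(ValueError):
    """Raised when the idPage parameter fails validation."""


def lookup_hardened(conn: sqlite3.Connection, id_page: str) -> list:
    """Validate the parameter, then pass it to the driver as a bound value.

    The bound value can only ever be compared against idPage; it cannot alter
    the statement, so the 'published = 1' filter always applies.
    """
    if not is_valid_page_id(id_page):
        raise InvalidPageId(f"rejected idPage value: {id_page!r}")
    sql = "SELECT idPage, title FROM pages WHERE published = 1 AND idPage = ?"
    return conn.execute(sql, (int(id_page),)).fetchall()


def row_counts(conn: sqlite3.Connection, id_page: str) -> tuple:
    """Return (rows from vulnerable lookup, rows from hardened lookup or None).

    None in the second slot means validation rejected the value outright.
    """
    vulnerable = len(lookup_vulnerable(conn, id_page))
    try:
        hardened = len(lookup_hardened(conn, id_page))
    except InvalidPageId:
        hardened = None
    return vulnerable, hardened


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "1 OR 1=1"):
        print(f"idPage={value!r}: (vulnerable rows, hardened rows) = {row_counts(db, value)}")
```

The validation step is the cheap, application-level mitigation; the parameterised query is the one that actually removes the injection, and both belong in the fix. When reviewing similar scripts, the thing to look for is any request parameter that reaches an `Execute`/`Open` call through string concatenation rather than through a bound parameter.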
Platforms Affected:
- Mall23, Mall23
- Microsoft, Windows 2000 Server
- Microsoft, Windows 2003 Server
Remedy:
Upgrade to the latest version of Mall23 (4.11 or later), available from the Mall23 Web site. See References.
Consequences:
Data Manipulation
References:
- Mall23 Web site, Mall23.com - ASP eCommerce online store at http://www.mall23.com/.
- SystemSecure Security Advisory - Mall23 SQL Injection, SystemSecure dot org :: View Topic Mall23 SQL Injection at http://systemsecure.org/ssforum/viewtopic.php?t=219.
- BID-14803: Mall23 Infopage.ASP SQL Injection Vulnerability
- CVE-2005-3039: SQL injection vulnerability in infopage.asp in Mall23 eCommerce allows remote attackers to execute arbitrary SQL commands via the idPage parameter.
- SECTRACK ID: 1014882: Mall23 Input Validation Flaw in `infopage.asp` Permits SQL Injection
Reported:
Sep 10, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
