ISS X-Force Database: ecommerce-multiple-scripts-sql-injection(23417): eCommerce Enterprise Edition multiple scripts SQL injection

eCommerce Enterprise Edition multiple scripts SQL injection

ecommerce-multiple-scripts-sql-injection (23417)

Medium Risk

Description:

eCommerce Enterprise Edition is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the view.php, viewbrands.php, or index.php scripts using the prod, brid, bid, group, or cat parameters to add, modify or delete information in the back-end database.

Platforms Affected:

Web4Future, eCommerce Enterprise Edition 2.1 and prior

Remedy:

No remedy available as of June 27, 2009.

Consequences:

Data Manipulation

References:

eCommerce Enterprise Edition Web site, Web4Future eCommerce Enterprise Edition v2.1 - Administration Module Features at http://www.web4future.com/products.php?p=ecomm.
UNSECURED SYSTEMS 12/5/2005, eCommerce Enterprise Edition SQL inj. vuln. at http://pridels.blogspot.com/2005/12/ecommerce-enterprise-edition-sql-inj.html.
BID-15707: Web4Future eCommerce Enterprise Edition Multiple SQL Injection Vulnerabilities
CVE-2005-4035: Multiple SQL injection vulnerabilities in Web4Future eCommerce Enterprise Edition 2.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) prod, and (2) brid parameters to (a) view.php; the (3) the bid parameter to (b) viewbrands.php; and the (4) grp and (5) cat parameters to index.php.
OSVDB ID: 21466: Web4Future eCommerce view.php Multiple Variable SQL Injection
OSVDB ID: 21467: Web4Future eCommerce index.php Multiple Variable SQL Injection
OSVDB ID: 21468: Web4Future eCommerce viewbrands.php bid Variable SQL Injection
SA17881: Web4Future eCommerce Products SQL Injection Vulnerabilities
VUPEN/ADV-2005-2744: Web4Future eCommerce Multiple Scripts SQL Injection Vulnerabilities

Reported:

Dec 05, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page