Vendor: SpiderSales
By: SecurityFocus
CVSS: 8.8 (HIGH)
Improper implementation of the RSA cryptosystem and SQL injection vulnerability
CWE: 89, 564
Product Name: SpiderSales
Affected Version From: 2
Affected Version To: 2
Patch Exists: YES
Related CWE: N/A
CPE: SpiderSales
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002
Multiple vulnerabilities in SpiderSales
The application is prone to an SQL injection vulnerability that may allow an attacker to gain administrative-level access to the underlying database. The issues stem from SpiderSales' improper implementation of the RSA cryptosystem and from its failure to sanitize user-supplied input passed through the 'userId' URI parameter, which is used by various scripts.
Mitigation:
Perform input validation so that user-supplied input, including the 'userId' URI parameter, is properly sanitized before use.