| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Apr 2005 01:42:19 +0430 (IRDT) From: c0d3r@...team.com To: bugtraq@...urityfocus.com Subject: Ecommerce-Carts SQL injection vulnerability ( IHSTeam ) ******************************************** IHS Iran Hackers Sabotage Public advisory by : c0d3r "Kaveh Razavi" c0d3r@...team.com ******************************************** ---------------------------------------------------------- advisory url : http://www.ihssecurity.com/cms/modules/mydownloads/visit.php?lid=8 application : Ecommerce-Carts EcommProV.3 and prior vender : Ecommerce-Carts.com risk : critical Ecommerce-Carts is a web application that is used to manage small businesses . it has got many useful features like credit card process and etc . Ecommerce-Carts contain a very dangrous sql injection which allow attacker to gain access to control panel page and view critical information like credit card information and so on . the vulnerability is quite simple to use : http://site.com/scart/admin/login.asp user : admin ( everything ) pass : ' or ''=' ---------------------------------------------------------- Disclosure timeline : 14 April 2005 : vender contacted via a private mail 16 April 2005 : vender contacted again ( no response ) 19 April 2005 : still no response , public disclosure ---------------------------------------------------------- greeting to IHSteam.com members and exploitdev mates and all Iranian Security Teams c0d3r of IHS Security researcher Www.ihssecurity.com (english) www.ihsteam.com (persian)
Powered by blists - more mailing lists