Message-ID: <A81621A55EA542ACB2348FA059607749@unknown>
Date: Wed, 14 Apr 2010 19:08:53 +0200
From: "VUPEN Web Research" <advisories@...en.com>
To: <bugtraq@...urityfocus.com>
Subject: VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation Vulnerabilities

VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation Vulnerabilities

http://www.vupen.com/english/research-web.php


I. BACKGROUND
---------------------

"WebAsyst Shop-Script FREE - simple and free PHP shopping cart script.
It provides basic shopping cart functionality and allows to create
a nice looking simple shopping cart add-on for your website.
Or to learn how shopping cart systems are designed."


II. DESCRIPTION
---------------------

VUPEN Web Vulnerability Research Team discovered 27 vulnerabilities
in WebAsyst Shop-Script FREE.

These issues are caused by input validation errors in various scripts
when processing user-supplied data and parameters, which could allow
local file inclusion, SQL injection and cross-site scripting attacks.
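The advisory names the three bug classes but no affected scripts or parameters. As an added illustration that is not code from Shop-Script or from VUPEN, the following generic PHP shows each class in its usual unsafe form beside a hardened handler: an allow-list for template inclusion, a prepared statement with a typed parameter for database lookups, and HTML output encoding for reflected input. The template directory, the allow-list contents, the `products` table and `product_id` column, and the PDO handle are all assumptions made for the example.

```php
<?php
// Added illustration, not Shop-Script's code. Assumes a PDO connection $db,
// a templates/ directory beside this file, and the table/column names below.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['cart', 'checkout', 'product']; // assumed allow-list

// 1. Local file inclusion: a request parameter reaching include() unchecked
//    versus a lookup against a fixed allow-list of template names.
function renderTemplateUnsafe(string $page): void
{
    // Traversal sequences in $page select files outside TEMPLATE_DIR.
    include TEMPLATE_DIR . '/' . $page . '.php';
}

function renderTemplateSafe(string $page): void
{
    // Only names the application itself defines are ever joined to the path.
    if (!in_array($page, ALLOWED_TEMPLATES, true)) {
        http_response_code(404);
        return;
    }
    include TEMPLATE_DIR . '/' . $page . '.php';
}

// 2. SQL injection: string concatenation versus a prepared statement.
//    The column is numeric, so the safe version also rejects non-digits early.
function findProductUnsafe(PDO $db, string $id): ?array
{
    $result = $db->query("SELECT * FROM products WHERE product_id = '$id'");
    $row = $result ? $result->fetch(PDO::FETCH_ASSOC) : false;
    return $row ?: null;
}

function findProductSafe(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM products WHERE product_id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 3. Cross-site scripting: reflecting a search term raw versus encoding it
//    for the HTML context at the point of output.
function searchHeadingUnsafe(string $term): string
{
    return "<h2>Results for: $term</h2>";
}

function searchHeadingSafe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Results for: $encoded</h2>";
}
```

The common thread is that the safe variants never let the request value decide structure: the include target comes from a fixed list, the SQL text is fixed and the value travels as a bound parameter, and the HTML is fixed while the value is encoded for it. Validating at the boundary (the `ctype_digit` check) is a useful extra layer but is not a substitute for the output-side controls.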


III. AFFECTED PRODUCTS
-------------------------------

WebAsyst Shop-Script FREE


IV. SOLUTION
-------------------

The vendor does not support the script any longer.

Remove WebAsyst Shop-Script FREE from your web site.


V. CREDIT
--------------

The vulnerabilities were discovered by Mohammed Boumediane of VUPEN Security.


VI. ABOUT VUPEN Security
--------------------------------

VUPEN is a leading IT security research company providing vulnerability
management and security intelligence solutions which enable enterprises
and institutions to eliminate vulnerabilities before they can be exploited,
ensure security policy compliance and meaningfully measure and manage risks.

Governmental and federal agencies, and global enterprises in the financial
services, insurance, manufacturing and technology industries rely on VUPEN
to improve their security, prioritize resources, cut time and costs, and
stay ahead of the latest threats.

* VUPEN Vulnerability Notification Service:

http://www.vupen.com/english/services/

* VUPEN Binary Analysis & Exploits Service:

http://www.vupen.com/exploits/


VII. REFERENCES
----------------------

http://www.vupen.com/english/advisories/2010/0882


VIII. DISCLOSURE TIMELINE
----------------------------------- 

2010-04-13 - Vendor notified
2010-04-14 - Vendor response (script not supported any longer)
2010-04-14 - Public Disclosure


