Guest Posted April 29, 2005 Share Posted April 29, 2005 Found this on the web: bugtraq id 13050 object class Input Validation Error cve CAN-2005-1033 remote Yes local No published Apr 06, 2005 updated Apr 06, 2005 vulnerable Brooky CubeCart 2.0 .0 Brooky CubeCart 2.0.1 Brooky CubeCart 2.0.2 Brooky CubeCart 2.0.3 Brooky CubeCart 2.0.4 Brooky CubeCart 2.0.5 Brooky CubeCart 2.0.6 CubeCart is reported prone to multiple SQL injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input before using it in SQL queries. These issues affect the 'index.php', 'tellafriend.php', 'view_cart.php', and 'view_product.php' script. These vulnerabilities could permit remote attackers to pass malicious input to database queries, resulting in modification of query logic or other attacks. Successful exploitation could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation. This is not confirmed. The following examples are available: http://www.example.com/index.php?&PHPSESSID=' http://www.example.com/tellafriend.php?&product=' http://www.example.com/view_cart.php?add=' http://www.example.com/view_product.php?product=' Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>. Link below: http://www.securityfocus.com/bid/13050/info/ Wnayone know what this is about and how serious it is? Quote Link to comment Share on other sites More sharing options...
Guest Posted April 29, 2005 Share Posted April 29, 2005 This has been known for some time I think brooky fixed this in version 2.0.3 and later. Quote Link to comment Share on other sites More sharing options...
Guest Posted April 29, 2005 Share Posted April 29, 2005 The SQL injection exploits were first highlighted in 2.0.1 and were subsequently patched. I notice they list up to 2.0.6 and since the latest version is 2.0.7, hopefully all holes have now been fixed. Coincedentally, that was published on 6th April, so was 2.0.7, so that would make sense. In essence, make sure you have the latest version. Brooky was a bit slow to address some of these vulnerabilites at first, but now he really seems on the ball. Quote Link to comment Share on other sites More sharing options...
Guest Posted April 29, 2005 Share Posted April 29, 2005 If I have my CC installed through Fantastico in my cPanel, how/where do I upload the lastest version? Certainly not to my local PC.... Quote Link to comment Share on other sites More sharing options...
Guest twisted Posted April 29, 2005 Share Posted April 29, 2005 No......you DOWNLOAD the latest version to your local PC...and after unzipping it, then you upload it to the same place Fantastico placed your installation. Quote Link to comment Share on other sites More sharing options...
Guest twisted Posted April 29, 2005 Share Posted April 29, 2005 This is not confirmed. If they can't confirm it, then why the hell are they writing about it? Currently we are not aware of any vendor-supplied patches for this issue. How can you trust somebody that obviously ignorant..... [the author of the article, i mean] Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.