[NEWS] Alabanza AlaCart SQL Injection Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 11/30/03
- Previous message: SecuriTeam: "[NEWS] Multiple Remote Issues in Applied Watch IDS Suite"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 30 Nov 2003 14:46:39 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Alabanza AlaCart SQL Injection Vulnerability
------------------------------------------------------------------------
SUMMARY
AlaCart a web based shopping cart engine, by <http://alabanza.com/>
Alabanza a company specialized in web hosting automation, allows a remote
attacker to insert malicious SQL code into the authentication process,
allowing them to bypass it and gain administrative privileges to the
product.
DETAILS
Vulnerable systems:
* AlaCart version 1.0 (Released on 18 Feb 1999)
When accessing the directory /admin/ a user is required to enter a
username and password, by supplying the following username and password
combination:
'or''='
It is possible to bypass the authentication mechanism.
Vendor status:
We (SecurITeam) tried contacting the vendor, which was hard to locate, and
haven't received a response. We tried again using the web forms, but
haven't received an answer as well. Note that is product version was last
released in 1999, it is unclear whether this is abandon-ware or an active
product (Alabanza's web site doesn't contain a link to the product).
ADDITIONAL INFORMATION
The information has been provided by <mailto:robertdiandro@mailup.net>
Robert diandro.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Multiple Remote Issues in Applied Watch IDS Suite"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Netegrity SiteMinder smpwservicescgi.exe Target Redirection
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Due to improper filtering
of user provided data, a remote attacker can ... This allows an attacker to redirect
the user to whatever site ... (Securiteam) - [NT] WebArchiveX Unsafe Methods Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... String userAgent,
... scripting' entry, but unfortunately has not changed the version number. ...
(Securiteam) - [NEWS] IBM Net.Data Macro Name Cross-Site Scripting Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The vulnerability
is caused due to an input validation error in the db2www ... The vendor recommends that
the "DTW_DEFAULT_ERROR_MESSAGE" feature (or ... (Securiteam) - [NEWS] TRUSTe.org Cross Site Scripting and Phishing Opportunities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... and guidance of many established
companies and industry experts, TRUSTe ... (Securiteam) - [NT] Cross Site Scripting in Yet Another Forum.net
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Cross Site Scripting
vulnerabilities were found in Yet Another Forum.net, ... This bulletin is sent to members
of the SecuriTeam mailing list. ... (Securiteam)
