Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities
In-Reply-To: <40331EF8.6000700@xxxxxxxxxxxx>
Regarding: S-Quadra Advisory #2004-02-16
http://www.securityfocus.com/archive/1/354288/2004-02-15/2004-02-21/0
S-Quadra was given specific information about available fixes and other
comments related to the alleged security vulnerabilities. Yet they decided not
to post any of them. This behavior seems highly unprofessional.

The following is Early Impact's official response to the alleged
vulnerabilities concerning the company's ProductCart ecommerce software.

-- Vulnerability 1: Incorrect use of cryptography

Early Impact official response: Vulnerability 1 cannot be exploited since
vulnerabilities 2 and 3 have been addressed. Nevertheless, Early Impact is
further investigating the issue and will look at alternative uses of
cryptography for future versions of ProductCart.

-- Vulnerability 2: SQL Injection vulnerability

Early Impact official response: Vulnerability 2 was addressed with the Security
Patch released on 01.30.2004, which is available for download at no charge from
http://www.earlyimpact.com/productcart/support/ - This vulnerability does not
apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below
were notified of this security issue and of the availability of the
corresponding Security Patch upon its release.

-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

Early Impact official response: Vulnerability 3 was addressed with the Security
Patch released on 01.30.2004, which is available for download at no charge from
http://www.earlyimpact.com/productcart/support/ - This vulnerability does not
apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below
were notified of this security issue and of the availability of the
corresponding Security Patch upon its release.

If you need additional information, please contact Early Impact at
info@xxxxxxxxxxxxxxx