Re: Multiple SQL injections and XSS in FishCart 3.1
I am the principal behind FishCart, discussed in the above advisory. I found
tonight after posting to bugtraq about another reported problem that this
previous bug is reported as unpatched.
As best we could determine the post from dcrab was not accurate regarding the
SQL injection claims. The original post at
http://www.securityfocus.com/archive/1/397484 shows invalid sql statements, not
sql injection. We found that the URL he had posted was not normal and turned
up a coding bug that explained the SQL errors, but there was no SQL injection.
We also had some trouble reproducing some of the XSS errors. That said, we
took the claims seriously and immediately went to work to improve error
hardening.
A fix was worked out among the developers and incorporated into the source in
mid May 2005. A version 3.x patch was derived from the source changes and sent
to the FishCart mailing list on May 21, 2005 for installed FishCarts. This
post can be seen at http://www.fishcart.org/archives/200505/msg00028.html. You
will need to log in with username 'speak', password 'friend' to see the post.
While we have continued to refine the process, we think it fair that the patch
has been available since that date.
Please update your advisory to reflect this information. If you have any
further questions please feel free to contact me at your convenience to verify
my identity or for further details on the fixes. Thank you for your attention
to this matter.
Michael Brennen
President, FishNet, Inc.
michael@xxxxxxxxxx
972.669.0041