<<< Date Index >>>     <<< Thread Index >>>

Re: Multiple SQL injections and XSS in FishCart 3.1



I am the principal behind FishCart, discussed in the above advisory.  I found 
tonight after posting to bugtraq about another reported problem that this 
previous bug is reported as unpatched.

As best we could determine the post from dcrab was not accurate regarding the 
SQL injection claims.  The original post at 
http://www.securityfocus.com/archive/1/397484 shows invalid sql statements, not 
sql injection.  We found that the URL he had posted was not normal and turned 
up a coding bug that explained the SQL errors, but there was no SQL injection.  
We also had some trouble reproducing some of the XSS errors.  That said, we 
took the claims seriously and immediately went to work to improve error 
hardening.

A fix was worked out among the developers and incorporated into the source in 
mid May 2005.  A version 3.x patch was derived from the source changes and sent 
to the FishCart mailing list on May 21, 2005 for installed FishCarts.  This 
post can be seen at http://www.fishcart.org/archives/200505/msg00028.html.  You 
will need to log in with username 'speak', password 'friend' to see the post.  
While we have continued to refine the process, we think it fair that the patch 
has been available since that date.

Please update your advisory to reflect this information.  If you have any 
further questions please feel free to contact me at your convenience to verify 
my identity or for further details on the fixes.  Thank you for your attention 
to this matter.

   Michael Brennen
   President, FishNet, Inc.
   michael@xxxxxxxxxx
   972.669.0041