A-Cart SQL Injection And Cross-Site Scripting

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: A-Cart SQL Injection And Cross-Site Scripting
From: Advisory@xxxxxxxxxxxxxxxxx, "[ NO REPLY ]"@securityfocus.com
Date: 19 Oct 2007 02:49:10 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

__________________________

A R I A - S E C U R I T Y 
___________________________
A-Cart SQL Injection And Cross-Site Scripting 
http://alanward.net

Cross Site Scripting:
http://localhost/path/error.asp?msg=XSS

SQL Injection:
http://localhost/path/product.asp?productid=' SQL COMMAND

Table Names are:
categories
customers
orderitems
orders
products
users (username,fullname,password,privileges)

Credits Goes To Aria-Security Team 
http://Aria-Security.Net
The-0utl4w

Prev by Date: [SECURITY] [DSA 1390-1] New t1lib packages fix arbitrary code execution
Next by Date: [CAID 35754]: CA Host-Based Intrusion Prevention System (CA HIPS) Server Vulnerability
Previous by thread: [SECURITY] [DSA 1390-1] New t1lib packages fix arbitrary code execution
Next by thread: Re: A-Cart SQL Injection And Cross-Site Scripting
Index(es):
- Date
- Thread