ViArt Shop 4.0.5 - Multiple Vulnerabilities

EDB-ID:

15572

CVE:





Platform:

PHP

Date:

2010-11-19


# Title: [ViArt SHOP multiple vulnerabilities]
# Date: [18.11.2010]
# Author: [Ariko-Security]
# Software Link: [http://www.viart.com]
# Version: [4.0.5]


============ { Ariko-Security - Advisory #2/11/2010 } =============

ViArt SHOP multiple vulnerabilities

Vendor's Description of Software and demo:
# http://demo-shop.viart.com/ & http://www.viart.com

Dork:
# N/A

Application Info:
# ViArt SHOP
# version last 4.0.5

Vulnerability Info:
# Type: multiple SQL injections, multiple XSS, multiple iFrame injections, multiple link injections , redirector abuse.

Time Table:
# 10/11/2010 - Vendor notified.
# 18/11/2010 - Vendor released fix (partial)

Fix: 
# http://www.viart.com/update_logic_to_increase_site_security_and_fix_xss-compatibility_issues.html

SQL injections:

Input passed via the "rnd" parameter to products_search.php is not properly
sanitised before being used in a SQL query.
Input passed via the "filter" parameter to products.php is not properly
sanitised before being used in a SQL query.

XSS, iFrame Injections, Link injections:


Input passed to the "search_category_id" and "category_id" parameters in ads.php is not properly
sanitised before being returned to the user.

Input passed to the "category_id" parameter in article.php and articles.php is not properly
sanitised before being returned to the user.

Input passed to the "rp" parameter in basket.php and product_details.php is not properly
sanitised before being returned to the user.

Input passed to the "postal_code" parameter in shipping_calculator.php is not properly
sanitised before being returned to the user.

Input passed to the "s_fds" , "s_tit" ,"s_cod" parameters in search.php is not properly
sanitised before being returned to the user.

Input passed to the "s_sds" parameter in ads_search.php is not properly
sanitised before being returned to the user.

URL redirector ABUSE:

user_profile.php vulnerable parameter "return_page"


Solution:
# Input validation of all vulnerable parameters should be corrected.

Credit:
# Discoverd By: Ariko-Security 2010
Advisory:
# http://advisories.ariko-security.com/november/audyt_bezpieczenstwa_746.html