Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities

From: Massimo Arrigoni (info@earlyimpact.com)
Date: Wed Feb 18 2004 - 11:27:32 CST


In-Reply-To: <40331EF8.6000700@s-quadra.com>

Regarding: S-Quadra Advisory #2004-02-16
http://www.securityfocus.com/archive/1/354288/2004-02-15/2004-02-21/0

S-Quadra was given specific information about available fixes and other comments related to the alleged security vulnerabilities. Yet they decided not to post any of them. This behavior seems highly unprofessional.

The following is Early Impact's official response to the alleged vulnerabilities concerning the company's ProductCart ecommerce software.

-- Vulnerability 1: Incorrect use of cryptography

Early Impact official response: Vulnerability 1 cannot be exploited since vulnerabilities 2 and 3 have been addressed. Nevertheless, Early Impact is further investigating the issue and will look at alternative uses of cryptography for future versions of ProductCart.

-- Vulnerability 2: SQL Injection vulnerability

Early Impact official response: Vulnerability 2 was addressed with the Security Patch released on 01.30.2004, which is available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and of the availability of the corresponding Security Patch upon its release.

-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

Early Impact official response: Vulnerability 3 was addressed with the Security Patch released on 01.30.2004, which is available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and of the availability of the corresponding Security Patch upon its release.

If you need additional information, please contact Early Impact at info@earlyimpact.com.