From: YEHG Group (listsyehg.net)
Date: Sat Jul 25 2009 - 19:29:10 CDT
Thanks, I'll update the database of
On Sat, Jul 25, 2009 at 3:57 PM, SmOk3<smok3f00gmail.com> wrote:
> Original advisory at:
> Ref. [DSF-03-2009] IXXO Cart! Standalone and Joomla Component SQL Injection
> Vendor: IXXO Internet Solutions
> Status: Patched by vendor
> IXXO Cart!
> IXXO Cart is an extremely powerful php shopping cart and web site
> builder application. Designed from a marketing perspective, this
> ecommerce application is feature-packed, robust, scalable and easy to
> use. IXXO Cart Plus is the clear choice for serious merchants focused
> on rapidly and cost effectively deploying, managing and growing a
> successful web-based business.
> New users appreciate the easy-to-use tools designed to help set up
> their store quickly and effectively while experienced users love the
> ability to customize and manage our software to meet the needs of
> their growing business.
> This well-known PHP store is vulnerable to SQL Injection on the parent variable.
> Injecting a specific combination of SQL commands will execute the new
> SQL query and even provide sensitive database information that could
> help a malicious user to complete and enter a valid SQL injection
> Proof of concept
> A malicious user could manipulate SQL queries by injecting arbitrary
> SQL code and return private information.
> June 2, 2009 First contact by contact form
> June 17, 2009 Second contact by email
> June 17, 2009 Reply from vendor
> June 18, 2009 Vendor reported that only standalone version and
> Joomla 1.0.x component are vulnerable
> June 24, 2009 Vendor asked for more time to patch and warn their
> clients about this vulnerability
> June 25, 2009 Vendor released 188.8.131.52 and updated demo versions
> on their site
> July 20, 2009 Third contact to check the status
> July 25, 2009 Advisory goes public
> Not yet published in any database
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
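The advisory above only says that a "parent" request parameter reaches a SQL query unfiltered. The following is an added illustration written for this archive page, not IXXO Cart code and not the advisory author's proof of concept: it assumes a hypothetical `categories` table with a `parent` column, uses PHP's PDO against an in-memory SQLite database, and places the string-interpolated lookup beside the validated, parameterised form a maintainer would ship as the fix.

```php
<?php
// Added illustration (not IXXO Cart code): a category lookup keyed by a
// "parent" request parameter, first written unsafely, then hardened.
// The schema and rows are constructed for this example; SQLite in memory
// keeps it self-contained.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, parent INTEGER, name TEXT, hidden INTEGER)');
$db->exec("INSERT INTO categories VALUES (1, 0, 'Books', 0), (2, 1, 'Fiction', 0), (3, 1, 'Staff only', 1)");

// Unsafe: the parameter is pasted into the statement text, so whatever the
// client sends is parsed by the database as part of the query.
function categoriesUnsafe(PDO $db, string $parent): array
{
    $sql = "SELECT id, name FROM categories WHERE parent = $parent AND hidden = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: check that the value has the type the application expects (an
// integer id), then bind it as a parameter so it can never change the query.
function categoriesSafe(PDO $db, string $parent): array
{
    if (filter_var($parent, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('parent must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE parent = :parent AND hidden = 0');
    $stmt->execute([':parent' => (int) $parent]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal request returns only the visible children of category 1.
print_r(categoriesSafe($db, '1'));

// A crafted value that widens the WHERE clause shows the difference: the
// unsafe version also returns the hidden row, the hardened version refuses
// the input before any SQL is built.
$crafted = '1 OR 1=1';
print_r(categoriesUnsafe($db, $crafted));
try {
    categoriesSafe($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The two defences are independent and both worth keeping: type validation rejects anything that is not an id and gives a clear error to log and alert on, while the bound parameter guarantees that even a value which passes validation is never interpreted as SQL. Run it with the `pdo_sqlite` extension enabled; the first `print_r` lists only "Fiction", the unsafe call additionally lists "Staff only", and the last call prints the rejection message.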