2. BACKGROUND
CubeCart is an "out of the box" ecommerce shopping cart software
solution written to run on servers that have PHP and
MySQL support. With CubeCart you can quickly set up a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.
3. VULNERABILITY DESCRIPTION
[HSC] Smart-Shop Shopping Cart Cross-Site Scripting Vulnerability
SMART-SHOP shopping cart software is an all-in-one hosted e-commerce solution
that creates and helps you maintain your online store quickly, easily, and cost-effectively.
Users of this software should be aware that the application contains cross-site scripting holes.
An attacker may leverage this issue to have arbitrary script code
execute in the browser of an unsuspecting user in the context of the affected site.
This may help the attacker steal cookie-based authentication credentials and launch
other attacks.
##########################################################
Description:
CS-Cart is a full-featured online ecommerce application written
in PHP that allows users to build, run and promote an online store.
There is unfortunately a fairly serious SQL injection issue within
CS-Cart that can be used to easily take over user and administrator
accounts, as well as to retrieve arbitrary data from the database.
The CS-Cart team has released an updated version of CS-Cart to resolve
this issue, and users should upgrade as soon as possible.
Description:
Zen Cart is a full-featured open source ecommerce web application
written in PHP that allows users to build, run and promote their
own online store. Unfortunately there are multiple SQL injection
issues in Zen Cart that may allow an attacker to execute arbitrary
SQL queries on the underlying database. This may allow an attacker
to gather username and password information, among other things. An
updated version of Zen Cart has been released to address these
issues and users are encouraged to upgrade as soon as possible.
Description
-----------
Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales.
In v4.0.1, ISC suffers from an authentication bypass. It allows anyone to log in to ISC's control panel without knowing the administrator's password.
The problem is in the ``ProcessLogin`` function of ``class.auth.php``. This function sets the HttpOnly ``RememberToken`` cookie too early in the login flow, before the user has been authenticated. A malicious user can force ``ProcessLogin`` to set this cookie by ticking ``Remember me`` on the login page, entering a targeted username such as ``admin``, and anything as the password. This first attempt fails, but the cookie has already been set and is ready to authenticate him/her to the control panel on the next request.
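The ordering bug described above, modelled as an added example in Python (this is not ISC's code and not PHP; the user table, the token format and every function name are assumptions). The vulnerable handler issues the remember-me token before the password check, so a failed login with ``Remember me`` ticked still leaves a cookie the control panel will accept; the fixed handler issues nothing until the password verifies.

```python
"""Remember-me login flow that issues its token before verifying the
password (the pattern described for Interspire Shopping Cart 4.0.1),
beside the corrected ordering. Constructed example: the user store,
token format and function names are assumptions, not ISC's code."""
import hashlib
import hmac
import secrets

# Constructed user store: username -> password hash (assumption).
USERS = {
    "admin": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Server-side table of issued remember-me tokens: token -> username.
REMEMBER_TOKENS = {}


def _password_ok(username, password):
    stored = USERS.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def _issue_remember_token(username, cookies):
    """Emit the HttpOnly RememberToken cookie and record it server-side."""
    token = secrets.token_hex(16)
    REMEMBER_TOKENS[token] = username
    cookies["RememberToken"] = {"value": token, "httponly": True}


def process_login_vulnerable(username, password, remember, cookies):
    """Vulnerable ordering: the remember-me cookie is written before the
    password is checked, so a failed attempt still leaves a valid token."""
    if remember:
        _issue_remember_token(username, cookies)   # too early
    if not _password_ok(username, password):
        return False
    return True


def process_login_fixed(username, password, remember, cookies):
    """Corrected ordering: nothing is issued until the password verifies."""
    if not _password_ok(username, password):
        return False
    if remember:
        _issue_remember_token(username, cookies)
    return True


def authenticate_request(cookies):
    """Control-panel entry point: trust a RememberToken the server issued.
    Returns the username the token maps to, or None."""
    cookie = cookies.get("RememberToken")
    if cookie is None:
        return None
    return REMEMBER_TOKENS.get(cookie["value"])


def bypass_attempt(login_fn):
    """Attacker ticks 'Remember me', submits 'admin' with a wrong password,
    then revisits the control panel with whatever cookies were set."""
    jar = {}                                   # the attacker's own cookie jar
    login_fn("admin", "wrong-password", True, jar)
    return authenticate_request(jar)


if __name__ == "__main__":
    print("vulnerable:", bypass_attempt(process_login_vulnerable))  # admin
    print("fixed:     ", bypass_attempt(process_login_fixed))       # None
```

The HttpOnly flag is irrelevant to this bypass: it only stops scripts from reading the cookie, and here the attacker's own browser is the one holding it. The check that matters is that no credential-bearing cookie is issued until the password has verified.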
While testing our AcuSensor technology on different applications, I’ve
found a real-life example of a vulnerable application. I’m talking
about Zen Cart.
Zen Cart is an open source online store management system. It is
PHP-based, using a MySQL database and HTML components. Support is
provided for several languages and currencies, and it is freely
available under the GNU General Public License.
Zen Cart contains a directory named extras where there are different
###################################################################################
####################
- Description:
####################
The CandyPress eCommerce suite acts as the command center of your online store. Powerful and versatile, yet easy to use and intuitive, it enables you to easily manage and administrate your orders, product catalog, shipping rates, locations, product reviews, customers and much more.
####################
- Vulnerability:
####################
A remote user can read all database fields (including a large number of encrypted credit card records); there are also XSS and path disclosure bugs.