SECURITYVULNS:DOC:10863
Jan 03, 2006
Source: vulners.com

Primo Cart SQL inj.

Vuln. discovered by: r0t
Date: 2 Jan. 2006
Original advisory: http://pridels.blogspot.com/2006/01/primo-cart-sql-inj.html
Vendor: www.primoplace.com/primo-cart.htm
Affected version: 1.0 and prior

Product Description:

Primo Cart is a fully customizable turnkey shopping cart solution that
enables any novice to advanced-level merchant to set up and manage
their very own storefront quickly and easily. The administration
interface is designed with CSS for a clean look and feel and uses AJAX
for fast product management. Coupled with the robust Smarty template
engine, changes to the look and feel can be made directly via FTP.
Backed by MySQL and optimized for fast product querying. Supports
Authorize.net and dynamic shipping cost lookup via UPS Online Tools,
unlimited products, unlimited category nesting, unlimited custom
fields, options/variances, product images, product ratings/reviews,
and unique category meta tags. The advanced product import tool takes
a CSV file for mass imports. Primo Cart offers free updates and
community support to keep your cart tuned and in shape.

Vuln. Description:

Primo Cart contains a flaw that allows remote SQL injection attacks.
Input passed to the "q" parameter in "search.php" and the "email"
parameter in "user.php" isn't properly sanitised before being used in
a SQL query. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.

PoC:

/user.php?email=[SQL]&action=send-password-now
/search.php?action=search&q=[SQL]

Solution:
Edit the source code to ensure that input is properly sanitised: validate
the "q" and "email" values and pass them to the database as bound
parameters of a prepared statement instead of concatenating them into the
query string.
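The flaw class described above and the fix the solution asks for, as an added example that is not Primo Cart's code: a constructed in-memory SQLite database stands in for the shop's user and product tables, the vulnerable functions concatenate the "email" and "q" request values into the query the way the advisory describes, and the hardened versions pass them as bound parameters. Table and column names, the sample rows and the injected strings are assumptions made for illustration only.

```python
import sqlite3

# Constructed sample data standing in for the shop's tables; this is not
# Primo Cart's schema, code or data.
SAMPLE_USERS = [
    ("alice@example.com", "s3cret-alice"),
    ("bob@example.com", "s3cret-bob"),
]
SAMPLE_PRODUCTS = [
    (1, "Red widget", 1),        # (id, name, active)
    (2, "Blue widget", 1),
    (3, "Hidden prototype", 0),  # not meant to be visible in search
]


def make_db():
    """Build an in-memory database holding the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT)")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, active INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return con


# --- the flaw: request parameters concatenated straight into the SQL ------

def vulnerable_send_password(con, email):
    """user.php?action=send-password-now&email=...: the unsanitised value
    becomes part of the WHERE clause, so a quote ends the literal early."""
    sql = "SELECT email, password FROM users WHERE email='" + email + "'"
    return con.execute(sql).fetchall()


def vulnerable_search(con, q):
    """search.php?action=search&q=...: same pattern inside a LIKE filter
    that is supposed to return only active products."""
    sql = ("SELECT id, name FROM products WHERE active=1 AND name LIKE '%"
           + q + "%'")
    return con.execute(sql).fetchall()


# --- the fix: bound parameters, so input can never alter the query text ---

def safe_send_password(con, email):
    """The value travels separately from the SQL; a quote in it is data."""
    return con.execute(
        "SELECT email, password FROM users WHERE email=?", (email,)
    ).fetchall()


def safe_search(con, q):
    """Wildcards are added in code and the whole pattern is bound."""
    return con.execute(
        "SELECT id, name FROM products WHERE active=1 AND name LIKE ?",
        ("%" + q + "%",),
    ).fetchall()


# Injected values, constructed for this example (hypothetical payloads).
INJECT_EMAIL = "' OR '1'='1"   # WHERE email='' OR '1'='1' -> every account
INJECT_Q = "' OR 1=1 OR '"     # closes the LIKE literal, 1=1 defeats active=1,
                               # reopened literal swallows the trailing %'


def demo():
    """Return (vulnerable, safe) row counts for both affected endpoints."""
    con = make_db()
    return {
        "send_password": (len(vulnerable_send_password(con, INJECT_EMAIL)),
                          len(safe_send_password(con, INJECT_EMAIL))),
        "search": (len(vulnerable_search(con, INJECT_Q)),
                   len(safe_search(con, INJECT_Q))),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated queries the password lookup returns every user's row and the search returns the inactive product as well; with bound parameters both injected strings are compared as plain data and match nothing. In the PHP the cart is written in, the equivalent of the `?` placeholders is a mysqli prepared statement or PDO with bound parameters.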