securityvulns: SECURITYVULNS:DOC:12113
Apr 10, 2006 - 12:00 a.m.

ecotwo Shopsystem vuln.

###############################################
Vuln. discovered by : r0t
Date: 9 April 2006
vendor: http://www.i-webshop.de/6-0-shopsysteme.html
affected versions: 1.0-192 and previous
original advisory:
http://pridels.blogspot.com/2006/04/ecotwo-shopsystem-vuln.html
###############################################

Vuln. description:

Input passed to the "lang" parameter in "news.php" and other files isn't
properly verified before it is used to include files. This can be exploited
to include arbitrary files from local resources.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
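
One way to apply this fix, shown as an added example that is not ecotwo code and not part of the original advisory: the "lang" value only selects an entry from a fixed allowlist and never becomes part of the include path. The directory layout, file names, language codes and the function name resolve_lang_file() are assumptions.

```php
<?php
// Added example, not ecotwo code. Directory layout, file names and the
// language codes below are assumptions for illustration.

// Pattern of the kind the advisory describes (request value reaches include):
//   include 'lang/' . $_GET['lang'] . '.php';

// Constructed allowlist: request value => file shipped with the application.
const LANG_FILES = [
    'de' => 'de.php',
    'en' => 'en.php',
];
const DEFAULT_LANG = 'de';

/**
 * Map the untrusted "lang" value to a fixed file path.
 * The request value only selects a key; it is never concatenated into the path.
 */
function resolve_lang_file($requested, string $langDir): string
{
    // Arrays (?lang[]=x) and other non-strings fall back to the default.
    $key = is_string($requested) ? $requested : DEFAULT_LANG;
    if (!array_key_exists($key, LANG_FILES)) {
        $key = DEFAULT_LANG;
    }

    $base = realpath($langDir);
    $path = ($base === false)
        ? false
        : realpath($base . DIRECTORY_SEPARATOR . LANG_FILES[$key]);

    // Defence in depth: the resolved file must exist and sit inside $langDir
    // (catches a missing or symlinked language file).
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file unavailable');
    }
    return $path;
}

// Usage in a page such as news.php:
// require resolve_lang_file($_GET['lang'] ?? DEFAULT_LANG, __DIR__ . '/lang');
```

The advisory names "news.php" and other files, so every include that takes "lang" needs to go through the same lookup.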
###############################################
More information @ unsecured-systems.com/forum/