SECURITYVULNS:DOC:12422
Apr 26, 2006

QuickEStore 7.9 vuln.

vulners.com

###############################################
Vuln. discovered by: r0t
Date: 25 April 2006
Vendor link: www.quickestore.com
Affected versions: 7.9 and previous
Original advisory: http://pridels.blogspot.com/2006/04/quickestore-79-vuln.html
###############################################

Vuln. Description:

  1. SQL Injection vuln.

QuickEStore contains a flaw that allows remote SQL injection attacks.
Input passed to the "OrderID" parameter in "shipping.cfm" and
"checkout.cfm", to the "ItemID" parameter in "proddetail.cfm", to the
"SubCatID" parameter in "index.cfm", to the "CategoryID" parameter in
"prodpage.cfm", and to the "ProdID" parameter in "Details.cfm" isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

examples:

/prodpage.cfm?CFID=&CFTOKEN=&CategoryID=[SQL]
/index.cfm?CFID=1&CFTOKEN=1&SubCatID=[SQL]
/proddetail.cfm?CFID=1&CFTOKEN=1&ItemID=[SQL]
/checkout.cfm?CFID=&CFTOKEN=&OrderID=[SQL]
/shipping.cfm?CFID=&CFTOKEN=&OrderID=[SQL]

  2. Full Path Disclosure.

It is possible to disclose the full path to the installation by
supplying an invalid value for any of the parameters affected by the
SQL injection issue (see 1.): the database error is not handled and the
error page returned to the client includes the path of the template.
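
The vulnerable pattern behind both issues and its fix, shown for the "ItemID" parameter of "proddetail.cfm"; the same change applies to the other parameters listed under 1. This is an added illustration, not code from QuickEStore or from the original advisory. The datasource name application.dsn, the table "Products" and its columns are assumptions.

```cfml
<!--- Added example, not QuickEStore code. The datasource
      application.dsn and the table "Products" are assumptions. --->

<!--- VULNERABLE: the raw URL parameter is interpolated into the SQL.
      /proddetail.cfm?ItemID=0 OR 1=1 turns the WHERE clause into
      "WHERE ItemID = 0 OR 1=1" and returns every row. ColdFusion
      doubles single quotes in variables interpolated inside cfquery,
      but that does not help here: a numeric comparison needs no
      quotes. A non-numeric value such as ItemID=x makes the database
      throw, and the unhandled exception page shows the template's
      full path (vuln. 2). --->
<cfquery name="getItem" datasource="#application.dsn#">
    SELECT ItemID, ItemName, Price
    FROM   Products
    WHERE  ItemID = #URL.ItemID#
</cfquery>

<!--- FIXED: the value is sent as a typed bind parameter, so the
      database never parses it as SQL. cfqueryparam rejects anything
      that is not an integer ("0 OR 1=1", "x") with an exception, and
      cftry/cfcatch turns that into a generic response instead of a
      stack trace with file paths. --->
<cftry>
    <cfquery name="getItem" datasource="#application.dsn#">
        SELECT ItemID, ItemName, Price
        FROM   Products
        WHERE  ItemID = <cfqueryparam value="#URL.ItemID#"
                                      cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <!--- Log cfcatch.message server-side; send the client
              nothing that names paths, queries or the database. --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid item.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

Per-template cftry only covers the templates that were edited. For the path disclosure, also turn off "Enable Robust Exception Information" in the ColdFusion Administrator (Debugging & Logging) and register a site-wide error handler, so that an unhandled error in any other template returns a generic page rather than the path and the failing query.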

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised: pass
the ID parameters to the database as typed bind parameters
(cfqueryparam with an integer type) instead of interpolating them into
the query string, and disable detailed error output so that database
errors do not reveal the installation path.
###############################################
More information @ unsecured-systems.com/forum/