vendor site:http://www.candypress.com/
product:CandyPress Store
bug:injection sql
risk:medium



injection sql (get) :

http://site.com/sa3.5.2.14/scripts/openPolicy.asp?policy='[sql]
http://site.com/sa3.5.2.14/scripts/prodList.asp?brand='[sql]


laurent gaffié & benjamin mossé
http://s-a-p.ca/
contact: saps.audit@gmail.com