TUCoPS :: HP Unsorted M :: b06-5689.htm

Mega Mall
Mega Mall
Mega Mall 


vendor site: http://products.kaonsoftwares.com/ 
product: mega-mall
bug:injection sql & full path disclosure
language: asp 
risk: high

injection sql (get):
http://site.com/mega-mall/product_review.php?t=[sql] 
http://site.com/mega-mall/product_review.php?t=0&productId=[sql] 
http://site.com/mega-mall/product_review.php?t=0&productId=1004&sk=[sql] 
http://site.com/mega-mall/product_review.php?t=0&productId=1004&t=0&x=[sql] 
http://site.com/mega-mall/product_review.php?t=0&productId=1004&sk=USERID&so=[sql] 

injection sql (post) :
http://site.com/mega-mall/order-track.php 
Variables:
/mega-mall/order-track.php?Enter=1&orderNo=[sql]

full path dislosure: 
http://site.com/mega-mall/product_review.php?t=0&productId=1004&t=0&x[] 

laurent gaffi=E9 & benjamin moss=E9
http://s-a-p.ca/ 
contact: saps.audit@gmail.com

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH