AlaCart, a web-based shopping cart engine by Alabanza (a company specializing in web hosting automation), allows a remote attacker to insert malicious SQL code into the authentication process, bypassing it and gaining administrative privileges to the product.
Credit:
The information has been provided by Robert diandro.
Vulnerable systems:
* AlaCart version 1.0 (Released on 18 Feb 1999)
Accessing the /admin/ directory requires a username and password. By supplying the following username and password combination:
'or''='
it is possible to bypass the authentication mechanism.
Vendor status:
We (SecurITeam) tried contacting the vendor, which was hard to locate, and haven't received a response. We tried again using the web forms, but haven't received an answer either. Note that this product version was last released in 1999; it is unclear whether this is abandonware or an active product (Alabanza's web site doesn't contain a link to the product).