[VIM] Dragonfly Commerce disputes reports
Steven M. Christey
coley at mitre.org
Sun Jul 17 17:33:18 EDT 2005
Dragonfly Commerce has notified CVE of a dispute over some recent
Diabolic Crab posts on price modification and SQL injection.
Refs CAN-2005-2220 and CAN-2005-2221 below.
>Recently, we found numerous but identical reports by
>http://www.dbtech.org who claims to have found security holes in
>Dragonfly Commerce. This report is unfounded. The text shown in this
>report are results of error messages from the author typing in invalid
>category and product numbers which do not exist in the database
>therefore creating an error message from the server. Dragonfly
>Commerce does not allow for editing prices nor does it allow for
>viewing information about clients stored in the database except by the
>store owner and authorized staff as appointed in the store
>administration.
>
>We have not received nor have had any contact with the author of
>these "security reports". We have no knowledge of any hidden pricing
>and SQL vulnerablilties in our software. Had our clients experienced
>any security vulnerabilities, they would have reported them to us
>giving us the opportunity to update the software. We handle work
>with each of our clients individually and quickly. Anyone finding
>any discrepencies should contact info at incredibleinteractive.com
- Steve
======================================================
Candidate: CAN-2005-2220
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2220
Reference: BUGTRAQ:20050712 Dragonfly Shopping Cart Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112121930328341&w=2
Reference: MISC:http://www.digitalparadox.org/viewadvisories.ah?view=46
Reference: SECTRACK:1014451
Reference: URL:http://securitytracker.com/id?1014451
** DISPUTED ** Dragonfly Commerce allows remote attackers to change a
product price by modifying the x_DragonflyCartProductPrice hidden
field to (1) dc_Categorieslist.asp, (2) dc_Categoriesview.asp, (3)
dc_productslist.asp, and (4) dc_productslist_Clearance.asp. NOTE: the
vendor has disputed this issue, saying that "Dragonfly Commerce does
not allow for editing prices nor does it allow for viewing information
about clients stored in the database except by the store owner and
authorized staff as appointed in the store administration."
======================================================
Candidate: CAN-2005-2221
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2221
Reference: BUGTRAQ:20050712 Dragonfly Shopping Cart Multiple vulnerabilities
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112121930328341&w=2
Reference: MISC:http://www.digitalparadox.org/viewadvisories.ah?view=46
Reference: SECTRACK:1014451
Reference: URL:http://securitytracker.com/id?1014451
** DISPUTED ** Multiple SQL injection vulnerabilities in Dragonfly
Commerce allows remote attackers to modify SQL statements and possibly
execute arbitrary SQL commands via the (1) key parameter to
dc_Categoriesview.asp, (2) dc_productslist_Clearance.asp, (3) PID
parameter to ratings.asp, (4) dc_Productsview.asp, (5) start, (6)
key_mp, (7) searchtype, or (8) psearch parameters to
dc_forum_Postslist.asp. NOTE: the vendor has disputed this issue,
saying that the error messages arise from invalid category and product
numbers.
More information about the VIM
mailing list