Bugtraq mailing list archives

Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities


From: Massimo Arrigoni <info () earlyimpact com>
Date: 18 Feb 2004 17:27:32 -0000

In-Reply-To: <40331EF8.6000700 () s-quadra com>

Regarding: S-Quadra Advisory #2004-02-16
http://www.securityfocus.com/archive/1/354288/2004-02-15/2004-02-21/0

S-Quadra was given specific information about available fixes and other comments related to the alleged security 
vulnerabilities. Yet they decided not to post any of them. This behavior seems highly unprofessional.

The following is Early Impact's official response to the alleged vulnerabilities concerning the company's ProductCart 
ecommerce software.


-- Vulnerability 1: Incorrect use of cryptography

Early Impact official response: Vulnerability 1 cannot be exploited since vulnerabilities 2 and 3 have been addressed. 
Nevertheless, Early Impact is further investigating the issue and will look at alternative uses of cryptography for 
future versions of ProductCart.


-- Vulnerability 2: SQL Injection vulnerability

Early Impact official response: Vulnerability 2 was addressed with the Security Patch released on 01.30.2004, which is 
available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not 
apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and 
of the availability of the corresponding Security Patch upon its release. 


-- Vulnerability 3: Cross Site Scripting vulnerability in 'Custva.asp'

Early Impact official response: Vulnerability 3 was addressed with the Security Patch released on 01.30.2004, which is 
available for download at no charge from http://www.earlyimpact.com/productcart/support/ - This vulnerability does not 
apply to ProductCart v2.53 and above. All users of ProductCart v2.52 and below were notified of this security issue and 
of the availability of the corresponding Security Patch upon its release. 

If you need additional information, please contact Early Impact at info () earlyimpact com
