Re: Multiple SQL injections and XSS in FishCart 3.1

[michael () fishnet us]

I am the principal behind FishCart, discussed in the above advisory.  I found tonight after posting to bugtraq about 
another reported problem that this previous bug is reported as unpatched.

As best we could determine the post from dcrab was not accurate regarding the SQL injection claims.  The original post 
at http://www.securityfocus.com/archive/1/397484 shows invalid sql statements, not sql injection.  We found that the 
URL he had posted was not normal and turned up a coding bug that explained the SQL errors, but there was no SQL 
injection.  We also had some trouble reproducing some of the XSS errors.  That said, we took the claims seriously and 
immediately went to work to improve error hardening.

A fix was worked out among the developers and incorporated into the source in mid May 2005.  A version 3.x patch was 
derived from the source changes and sent to the FishCart mailing list on May 21, 2005 for installed FishCarts.  This 
post can be seen at http://www.fishcart.org/archives/200505/msg00028.html.  You will need to log in with username 
'speak', password 'friend' to see the post.  While we have continued to refine the process, we think it fair that the 
patch has been available since that date.

Please update your advisory to reflect this information.  If you have any further questions please feel free to contact 
me at your convenience to verify my identity or for further details on the fixes.  Thank you for your attention to this 
matter.

   Michael Brennen
   President, FishNet, Inc.
   michael () fishnet us
   972.669.0041