Multiple security vulnerabilities exist in Phpshop

Source: Internet
Author: User
Affected system:

Phpshop Phpshop 0.6.1-b

Detailed Description:

Phpshop is a PHP-based e-business program that can easily extend Web functionality. Phpshop has multiple security issues that remote attackers can use to attack the database, obtain sensitive information, and execute arbitrary script code.

The specific issues are as follows:

1. SQL Injection Vulnerability:

An SQL injection problem exists when updating the session: submitting a malicious SQL command in the "page" variable can modify the original SQL logic. The "product_id" and "offset" variables can also be injected.

2. User Information Leakage Vulnerability:

A large amount of customer information can be obtained by querying the "Account/shipto" module. If the user is logged in with a legitimate account, administrator information may also be viewed. This information includes the customer's address, company name, and so on.

3. Cross-Site Scripting Vulnerability:

Multiple user-submitted URI parameters are not adequately filtered. Submitting data containing malicious HTML code can lead to cross-site scripting attacks and may expose sensitive information of targeted users.

At present, the vendor has not provided a patch or upgrade.
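
With no vendor fix available, one defensive stopgap is to review web server access logs for requests whose parameters do not have the expected shape. The following is an added example, not code from Phpshop or from the original advisory; the integer format for "product_id" and "offset", the module/page format for "page", the /index.php path, the "keyword" parameter and the log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter shapes (illustrative, not taken from Phpshop's source)
INT_PARAMS = {"product_id", "offset"}                 # expected: plain integers
PAGE_RE = re.compile(r"[A-Za-z0-9_]+/[A-Za-z0-9_]+")  # expected: module/page
MARKUP_RE = re.compile(r"[<>\"']")                    # HTML tag and quote characters
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[0-9.]+"')

def check_request(url):
    """Return (parameter, reason) findings for one request URL."""
    findings = []
    # parse_qsl percent-decodes, so encoded values are checked in decoded form
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = name.lower()
        if key in INT_PARAMS:
            if not re.fullmatch(r"[0-9]{1,10}", value):
                findings.append((key, "non-numeric value"))
        elif key == "page":
            if not PAGE_RE.fullmatch(value):
                findings.append((key, "not module/page form"))
        elif MARKUP_RE.search(value):
            findings.append((key, "markup or quote characters"))
    return findings

def scan_log(lines):
    """Return (line_number, findings) for each access-log line with findings."""
    results = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = check_request(match.group(1)) if match else []
        if findings:
            results.append((number, findings))
    return results

# Constructed sample log lines (documentation IP range, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=shop/index&offset=20 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=shop/product_details&product_id=12%27 HTTP/1.1" 200 4870',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=shop/index%27&offset=abc HTTP/1.1" 200 310',
    '192.0.2.13 - - [01/Jan/2024:10:00:14 +0000] "GET /index.php?page=shop/index&keyword=%3Cb%3E HTTP/1.1" 200 5011',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(number, findings)
```

The same per-parameter rules can be enforced at a reverse proxy or input filter in front of the application so that malformed values are rejected rather than only logged.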


