QuadComm e-commerce solutions

Injection attack vulnerability in browse.asp

VERSIONS AFFECTED

Q-Shop Pro and Lite v3.5.0 and 3.5.1.

DETAILS

It is possible to craft a link to a Q-Shop store that makes it display customer data through the OrderBy field.

RESOLUTION

Follow these simple steps:

1. Edit browse.asp and where it says:

Dim OrderBy, QryOrderBy, sqlOrderBy
'Read value from Query String
OrderBy = Request("OrderBy")

Change it to:

Dim OrderBy, QryOrderBy, sqlOrderBy
'Read value from Query String
OrderBy = Request("OrderBy")

'Accept only the supported values; anything else is discarded
If NOT (OrderBy = "Name" OR OrderBy = "Price") Then OrderBy = ""

This will only accept the supported values for this parameter and ignore any other.
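The same allow-list idea, written as an added Python example rather than QuadComm's own ASP code: an ORDER BY column cannot be bound as a query parameter, so the only safe source for it is a fixed list, and the same list doubles as a log-review check for requests that carry an unexpected OrderBy value. The product table, query text and request lines are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs

# Allow-list of OrderBy values, matching the advisory's fix: only "Name" and
# "Price" are accepted; anything else collapses to "" (no ORDER BY clause).
# Mapping user token -> SQL identifier keeps the identifier out of user control.
ALLOWED_ORDER_BY = {"Name": "Name", "Price": "Price"}

def sanitize_order_by(value):
    """Return the SQL identifier for an allow-listed value, else ""."""
    return ALLOWED_ORDER_BY.get((value or "").strip(), "")

def browse_query(order_by):
    """Build the listing query. ORDER BY identifiers cannot be passed as bound
    parameters, so the allow-list is the only barrier between the query
    string and the SQL text."""
    sql = "SELECT Name, Price FROM Products"
    clause = sanitize_order_by(order_by)
    return sql + " ORDER BY " + clause if clause else sql

def browse(conn, order_by):
    """Run the listing the way a hardened browse.asp would."""
    return conn.execute(browse_query(order_by)).fetchall()

def demo_db():
    """Constructed in-memory stand-in for the shop's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Name TEXT, Price REAL)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)",
                     [("Widget", 9.5), ("Anvil", 120.0), ("Bolt", 0.25)])
    return conn

def suspicious_order_by(query_string):
    """Log-review helper: True when a request carries an OrderBy value that the
    allow-list would reject, i.e. a probe against the unpatched parameter."""
    values = parse_qs(query_string).get("OrderBy", [])
    return any(v not in ALLOWED_ORDER_BY for v in values)

# Constructed (hypothetical) request lines, not taken from a real server log.
SAMPLE_REQUESTS = [
    "GET /browse.asp?Cat=3&OrderBy=Price",
    "GET /browse.asp?Cat=3&OrderBy=Name",
    "GET /browse.asp?Cat=3&OrderBy=Price%2C%20Foo",
]

def flagged_requests(lines=SAMPLE_REQUESTS):
    """Return the request lines whose OrderBy value is outside the allow-list."""
    return [l for l in lines if "?" in l and suspicious_order_by(l.split("?", 1)[1])]

if __name__ == "__main__":
    conn = demo_db()
    print(browse(conn, "Price"))       # sorted by price
    print(browse(conn, "Price, Foo"))  # rejected value: unsorted, nothing injected
    print(flagged_requests())
```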
