ProductCart Shopping Cart Software Forums : Security Questions on v4.7 https://forum.productcart.com/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Sat, 11 Apr 2026 00:37:21 +0000 Wed, 30 Apr 2014 14:16:25 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.04 360 https://forum.productcart.com/RSS_post_feed.asp?TID=5881 <![CDATA[ProductCart Shopping Cart Software Forums]]> https://forum.productcart.com/forum_images/pc_logo_50.png https://forum.productcart.com/ <![CDATA[Security Questions on v4.7 : I would recommend writing to them...]]> https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22064.html#22064 Author: Greg Dinger
Subject: 5881
Posted: 30-April-2014 at 2:16pm

I would recommend writing to them at info AT productcart.com]]> Wed, 30 Apr 2014 14:16:25 +0000 https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22064.html#22064 <![CDATA[Security Questions on v4.7 : I don&#039;t have their license...]]> https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22063.html#22063 Author: Scurit
Subject: 5881
Posted: 29-April-2014 at 10:16pm

I don't have their license number at this time, can I still create a ticket?]]> Tue, 29 Apr 2014 22:16:35 +0000 https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22063.html#22063 <![CDATA[Security Questions on v4.7 : Yes, that is exactly correct....]]> https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22062.html#22062 Author: Matt
Subject: 5881
Posted: 29-April-2014 at 9:56pm

Yes, that is exactly correct.  There is a debug variable that is probably commented out.

Can you open a ticket to continue this conversation since it may involve sensitive information?
]]> Tue, 29 Apr 2014 21:56:55 +0000 https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22062.html#22062 <![CDATA[Security Questions on v4.7 : I was recently contacted by a...]]> https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22061.html#22061 Author: Scurit
Subject: 5881
Posted: 29-April-2014 at 8:57pm

I was recently contacted by a client that uses your system and has another party that regularly does Nessus vulnerability scans on their network/systems. This week then sent me some information and I verified that it was indeed valid -on their site. I was unable to reproduce the same result on your demo site which raises a few questions Dead. They said they are running a fully patched system and it is the latest version, but without access to their actual system I can not verify that for a fact yet. I'm hoping to get access to their system here shortly as well as the server it resides on.

The first issue that was detected was a SQL Injection/information disclosure vulnerability in the opc_OrderVerify.asp, and when I followed the steps in the report, I was indeed able to reproduce and get the results in the report. it dumped out a debug of the following (not posting the "how", just the results):

 SELECT payTypes.paymentDesc, customCardTypes.idcustomCardType FROM payTypes INNER JOIN customCardTypes ON payTypes.paymentDesc = customCardTypes.customCardDesc WHERE (((payTypes.idPayment)=123 or));

The second item was a XSS vulnerability in  the same file as well as the msgb.asp file (I won't post the details here either - you can msg me for that). 

I'm not an expert on ProductCart by any means - just security with a background in classic asp. What I would like to know is, is it possible there is a debug feature that needs to be turned off somewhere in one of the asp files (which I didn't see in the demo admin screens) and how could their site have a XSS vulnerability and the demo site not show the same behavior if they are running the same version? Server script/security settings possibly? Can you tell me anything else that might affect their system and make it act differently than your demo? Thanks in advance! 
]]> Tue, 29 Apr 2014 20:57:25 +0000 https://forum.productcart.com/security-questions-on-v4-7_topic5881_post22061.html#22061