FreeWebShop version 2.1 is susceptible to cross site scripting and SQL injection vulnerabilities.
[NewAngels Advisory #9] FreeWebshop - Cross Site Scripting & SQL Injection Vulnerabilities
==========================================================================================
Vendor site => http://www.freewebshop.org/
Date:
Jun 15 2006
Version:
2.1
Credit:
=======
NewAngels Team (http://newangels-team.eu) - Discovered By LBDT
Description:
If you are looking for a free, simple and easy-to-use shopping cart script
to start your own private or commercial webshop, then you've come to the
right place. This is the home of FreeWebshop.org, the free shopping cart
script.
1.- Cross Site Scripting Vulnerability
=========================
Risk = MEDIUM
Affected file:
search.php
Special characters are not filtered, so an attacker can execute HTML
code.
The search is passed through the index file, because that file loads all
other scripts:
<form method=post action=index.php?page=browse>
Example:
http://www.site.com/FreeWebshop/index.php?page=browse&searchfor=[XSS]
2.- SQL Injection Vulnerability
=====================
Risk = MEDIUM
Affected file:
details.php
This is another case where special characters such as quotes are not
filtered, which allows an injection.
The following part of the code shows that the variable $prod is used
without any function to prevent an injection:
// read product details
$query = "select * from product where ID=" . $prod;
$sql = mysql_query($query) or die(mysql_error());
Example:
http://www.site.com/FreeWebshop/index.php?page=details&prod=[SQL]&cat=3&group=3
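
Added example (not part of the advisory and not FreeWebshop code): a hardened counterpart to the details.php query and to the unfiltered searchfor output described above. The function names, the "name" column, the sample rows and the in-memory SQLite database standing in for the shop's MySQL database are assumptions made so the script runs offline.

```php
<?php
// Added example, not FreeWebshop code. An in-memory SQLite database stands in
// for the shop's MySQL database so the script runs offline (assumption).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Table "product" and column "ID" come from the advisory; "name" is constructed.
$db->exec('CREATE TABLE product (ID INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO product (ID, name) VALUES (1, 'Sample item'), (2, 'Other item')");

/** Hardened counterpart of the details.php query: validate first, then bind. */
function read_product(PDO $db, $prod): ?array
{
    // Accept only a positive integer ID; anything else is rejected before SQL runs.
    $id = filter_var($prod, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('SELECT * FROM product WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Hardened output of the search term: encode for the HTML context it lands in. */
function render_search_term($searchfor): string
{
    return htmlspecialchars((string) $searchfor, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a well-formed ID, a non-numeric value, and a string
// carrying HTML metacharacters.
var_dump(read_product($db, '1'));          // row for ID 1
var_dump(read_product($db, '1 OR 1=1'));   // NULL: rejected by validation
echo render_search_term('<b>"test"</b>'), PHP_EOL; // printed as text, not markup
```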