Quick.Cart General.PHP Local File Include Vulnerability

Prometheus

2007-07-19 02:41

I receive this from my newsletter http://www.watchmouse.com/...

Is that true?

[]s

------------------
Quick.Cart General.PHP Local File Include Vulnerability

5 Jun 2007
Quick.Cart is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

Exploiting this issue may allow an unauthorized user to view files and execute local scripts.

Quick.Cart 2.2 is vulnerable; other versions may also be affected.
-----------------

» Quick.Cart v2.x

http://vidanaweb.ykyu.com

Prometheus

2007-07-19 02:48

LOOK THAT!

http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=quick.cart&x=0&y=0

http://vidanaweb.ykyu.com

treewood (OpenSolution)

2007-07-19 09:18

Prometheus - most of this "bugs" are fixed some time ago. Some "bugs" are fake because for example there is "SQL Injection". It is fake because Quick.Cart is not based on SQL database.
Another problem is that sites with this "bugs reporting" when we sent them email that this bug was fixed in x.x version they dont change this bugs info. And it is still there without any notification that this bug was fixed in x.x version.

Please read change log to know more fixes we made:
http://opensolution.org/download/Quick.Cart/changeLog.txt

About this bug You written:
http://downloads.securityfocus.com/vulnerabilities/exploits/24299.php

We will find solution

treewood (OpenSolution)

2007-07-19 09:58

Prometheus - fast solution for this "bug" is.
Edit config/general.php
Find: if( isset( $_COOKIE['sLanguage'] ) )
change to: if( isset( $_COOKIE['sLanguage'] ) && strlen( $_COOKIE['sLanguage'] ) == 2 )

It will fix problem to include other files then en.php, pl.php, nl.php etc from lang/ directory.

Prometheus

2007-07-19 15:25

OK! Tks Man!

So...Can i trust in this shop to install for my clients?

This "Bugs" are solved properly?

Sorry for my poor english...

Thanks! This support and Quick.Cart is Great!