PHPShop & VirtueMart SQL Injection Vulnerabilities & Unsafe Method Usage
PHPShop & VirtueMart
PHPShop versions prior to 0.8.1 and VirtueMart versions prior to 1.0.11.
Both are independent open source projects.
Both vendors released new versions to patch the main vulnerabilities.
2007.04.30 - Vendors Notified
2007.06.14 - VirtueMart released version 1.0.11 to patch the SQL injection vulnerability.
2007.07.04 - PHPShop released version 0.8.1 to patch the SQL injection vulnerability.
Separate SQL injection issues were discovered in both PHPShop and VirtueMart; details of both are withheld owing to the sensitive nature of the data these applications hold. Both systems also make unsafe use of MySQL's ENCODE() and DECODE() functions to protect stored data. ENCODE() is deterministic: a given plaintext and pass_str always produce the same ciphertext, with no per-row salt or IV, and the underlying cipher is shown to be vulnerable to a known plaintext attack, so an attacker who obtains or can supply one plaintext/ciphertext pair under the application's key gains leverage against every other value encrypted with that key.
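The statements below are an added illustration, not code from the advisory or from either project, and they do not reproduce the undisclosed attack. They show why a column protected with ENCODE() under a single application-wide key leaks even to an attacker who never learns that key, and the AES_ENCRYPT() form with a per-row random IV that removes the property. Table and column names, the key string and the card numbers are constructed for the example. It needs MySQL 5.6.17 or later for RANDOM_BYTES() and the AES_ENCRYPT() IV argument, and a version before 8.0 for ENCODE()/DECODE() themselves.

```sql
-- Constructed schema in the style a shop might use; not from PHPShop or VirtueMart.
CREATE TABLE cust_card_weak (
  id       INT PRIMARY KEY,
  card_enc VARBINARY(64)            -- ENCODE(card_number, app_key)
);

SET @app_key = 'static-shop-secret';  -- one key for every row, hard-coded in the application

INSERT INTO cust_card_weak (id, card_enc) VALUES
  (1, ENCODE('4111111111111111', @app_key)),
  (2, ENCODE('5500000000000004', @app_key)),
  (3, ENCODE('4111111111111111', @app_key));  -- same number as customer 1

-- 1. ENCODE() takes no IV or salt, so equal inputs always give equal outputs.
SELECT ENCODE('4111111111111111', @app_key)
     = ENCODE('4111111111111111', @app_key) AS deterministic;   -- 1

-- 2. Consequence: an attacker who controls one row with a known plaintext
--    (their own account) and can read the table, for instance through a SQL
--    injection, has an equality oracle against every other row without the key.
SELECT a.id AS known_row, b.id AS matching_row
FROM   cust_card_weak a
JOIN   cust_card_weak b ON b.card_enc = a.card_enc AND b.id <> a.id
WHERE  a.id = 3;                                               -- 3, 1

-- 3. The key travels in every statement, so it is written to the general query
--    log whenever that is enabled, and one DECODE() with it recovers every row:
SELECT id, DECODE(card_enc, @app_key) AS card FROM cust_card_weak;

-- Hardened form: AES in CBC mode with a fresh random IV stored beside each
-- ciphertext, and a key of the exact cipher length derived from the secret.
-- The secret itself should live outside the database and be rotatable.
CREATE TABLE cust_card (
  id       INT PRIMARY KEY,
  card_iv  BINARY(16),
  card_enc VARBINARY(64)
);

SET block_encryption_mode = 'aes-256-cbc';
SET @k = UNHEX(SHA2('static-shop-secret', 256));   -- exactly 32 key bytes

SET @iv = RANDOM_BYTES(16);
INSERT INTO cust_card VALUES (1, @iv, AES_ENCRYPT('4111111111111111', @k, @iv));
SET @iv = RANDOM_BYTES(16);
INSERT INTO cust_card VALUES (2, @iv, AES_ENCRYPT('5500000000000004', @k, @iv));
SET @iv = RANDOM_BYTES(16);
INSERT INTO cust_card VALUES (3, @iv, AES_ENCRYPT('4111111111111111', @k, @iv));

-- Same card number in rows 1 and 3, different ciphertexts: the oracle is gone.
SELECT COUNT(*) AS colliding_pairs
FROM   cust_card a JOIN cust_card b ON b.card_enc = a.card_enc AND b.id > a.id;   -- 0

-- Legitimate decryption by the application:
SELECT id, CAST(AES_DECRYPT(card_enc, @k, card_iv) AS CHAR) AS card FROM cust_card;
```

Two caveats on the hardened form. CBC gives confidentiality only, not integrity, so a record that must not be tampered with still needs a MAC or an authenticated mode on top. And encrypting inside the database does nothing against an attacker who can execute SQL with the application's key in hand, which is why the injection issues and the weak cipher compound each other. ENCODE() and DECODE() were deprecated in MySQL 5.7 and removed in 8.0, so any remaining use has to migrate to AES_ENCRYPT()/AES_DECRYPT() or to encryption in the application layer.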