Our site www.viart.com is operated by the latest Viart Shop 5 with the default Clear design.
A vulnerability was found that allowed SQL injection.
Download the file below.
Extract 'filter_functions.php' into the 'includes' folder of your shop, replacing the existing file. Just in case, make a copy of the previous file first.
I noticed this file is dated 06/19/2013 but the notice was posted to the forum on 11/06/2013. If I upgraded to 4.1 in September 2013, which file should be used? The one included with the upgrade or this one?
My host will take my website offline if there are scripts that aren't updated against things like SQL injection, etc.
I am on Version 4.2 Enterprise. Is there a script that I can use to update?
Site Lock is what we use for security of our website, and we have one SQL Injection finding, and a "fail to adequately sanitize request strings", and finally a directory traversal (write access) issue.
In order, the scripts involved seem to be:
1. SQL Injection in "products_search.php" and many of the parameters in the script.
2. Also with "Products_search.php" there is a possible 'command execution (time based)' among many of the parameters again.
3. Directory Traversal issue with the 'items' parameter in 'compare.php', 'page.php', 'posteddata.php', 'slider_type' parameter in index.php. This seems to be related to sanitize request strings.
I'm hoping there's a fix for these scripts. We try to do good, but the hackers are always ready to ruin our work!
Please write a ticket to support with the SQL injection findings, with the full report if possible. If there is anything to fix, we will post a patch in the forum afterwards.
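The two classes of finding listed in the scanner report above (injected search parameters, and a request parameter such as 'items' or 'slider_type' being used to pick a file on disk) usually come from the same two coding patterns. The block below is an added illustration, not ViArt's code and not the contents of the patched 'filter_functions.php'; the function names, table layout and sample rows are constructed for the demo. It shows each weak pattern next to its hardened form: bound parameters for values, a whitelist for the ORDER BY column (identifiers cannot be bound, which is why "many of the parameters" in a search script tend to be flagged), and a token check plus realpath() confinement for the file-selecting parameter.

```php
<?php
// Added example, not ViArt Shop code. Hypothetical names: search_products_vulnerable,
// search_products_safe, resolve_template, SORT_COLUMNS, and the products table.

// --- 1. Weak pattern a scanner fingerprints (do NOT use) --------------------
// A value such as "' OR 1=1 -- " or "' AND SLEEP(5) -- " in the search term
// becomes part of the SQL text; the second form is the "time based" finding.
function search_products_vulnerable(PDO $db, string $q, string $sort): array {
    $sql = "SELECT id, name FROM products WHERE name LIKE '%$q%' ORDER BY $sort";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Hardened: values are bound, identifiers are whitelisted -------------
// ORDER BY cannot take a bound parameter, so the column name is mapped through
// a fixed table and never interpolated from the request.
const SORT_COLUMNS = ['name' => 'name', 'price' => 'price', 'id' => 'id'];

function search_products_safe(PDO $db, string $q, string $sort): array {
    $column = SORT_COLUMNS[$sort] ?? 'name';
    $stmt = $db->prepare("SELECT id, name FROM products WHERE name LIKE :q ORDER BY $column");
    // The LIKE wildcards are added to the bound VALUE, not to the SQL string.
    $stmt->execute([':q' => '%' . $q . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 3. Traversal: a request parameter that selects a file under $base ------
function resolve_template(string $base, string $items): ?string {
    // Reject anything that is not a plain token before touching the filesystem.
    if (!preg_match('/^[a-z0-9_]{1,40}$/i', $items)) {
        return null;
    }
    $baseReal = realpath($base);
    $path = realpath($base . DIRECTORY_SEPARATOR . $items . '.tpl');
    // realpath() collapses ".." and symlinks, so confinement is checked on the
    // resolved path: it must sit strictly inside the resolved base directory.
    if ($baseReal === false || $path === false
        || strncmp($path, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $path;
}

// --- Demo with constructed data: in-memory SQLite and a temporary directory --
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)");
$db->exec("INSERT INTO products (name, price) VALUES ('Blue mug', 4.5), ('Red mug', 5.0), ('Kettle', 20.0)");

$payload = "' OR 1=1 -- ";
echo "safe search, payload treated as data: " . count(search_products_safe($db, $payload, 'price')) . " rows\n";
echo "safe search, normal term 'mug':       " . count(search_products_safe($db, 'mug', 'price')) . " rows\n";
echo "weak search, same payload:            " . count(search_products_vulnerable($db, $payload, 'name')) . " rows\n";

$tpl = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($tpl);
file_put_contents($tpl . DIRECTORY_SEPARATOR . 'grid.tpl', 'grid');
var_dump(resolve_template($tpl, 'grid') !== null);       // plain token inside base
var_dump(resolve_template($tpl, '../../etc/passwd'));   // rejected by the token check
unlink($tpl . DIRECTORY_SEPARATOR . 'grid.tpl');
rmdir($tpl);
```

Run it with the PDO SQLite driver enabled: the bound search returns only rows whose name actually contains the payload text, while the string-built query returns the whole table because the `--` turns the rest of the statement into a comment. The same bound-parameter rule applies to every other value-type parameter in a search script (price ranges, category ids, pagination), and every identifier-type parameter (sort column, direction) needs its own whitelist; a scanner will keep reporting each parameter that still goes through string concatenation.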