PT-2006-3745 · X Cart · X-Cart

Published: 2006-06-05 · Updated: 2025-01-17 · CVE-2006-2827

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: X-Cart Gold and Pro versions 4.0.18 through 4.1.0 beta 1

Description: The issue allows remote attackers to execute arbitrary SQL commands via the "Search for pattern" field in search.php when the settings specify only "Search in Detailed description" and "Search also in ISBN." The vendor disputed this issue, stating that it does not impose any security threat and that remote attackers cannot add, modify, or delete information in the back-end database by sending specially crafted SQL statements to the search.php script using various search parameters.

Recommendations: For X-Cart Gold and Pro versions 4.0.18 through 4.1.0 beta 1, consider restricting access to the search.php script or disabling the "Search in Detailed description" and "Search also in ISBN" settings until a patch is available. As a temporary workaround, avoid using the "Search for pattern" field in the search.php script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2006-2827

Affected Products

X-Cart