CVE-2009-4571

Name of the Vulnerable Software and Affected Versions PhpShop version 0.8.1

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different actions, including the module id parameter in an "admin/function list" action, the vendor id parameter in a "vendor/vendor form" action, the module id parameter in an "admin/module form" action, the user id parameter in an "admin/user form" action, the vendor category id parameter in a "vendor/vendor category form" action, the user id parameter in a "store/user form" action, the payment method id parameter in a "store/payment method form" action, the tax rate id parameter in a "tax/tax form" action, or the category parameter in a "shop/browse" action.

Recommendations For PhpShop version 0.8.1, consider disabling the SQL execution functionality for the mentioned parameters until a patch is available. Restrict access to the vulnerable actions, such as "admin/function list", "vendor/vendor form", "admin/module form", "admin/user form", "vendor/vendor category form", "store/user form", "store/payment method form", "tax/tax form", and "shop/browse", to minimize the risk of exploitation. Avoid using the parameters module id, vendor id, user id, vendor category id, payment method id, tax rate id, and category in the affected actions until the issue is resolved.