edit-icon download-icon

[Vulnerability notice] Web SQL injection vulnerability in comment_manage.php in ECshop

Last Updated: May 07, 2018

Description

ECshop is an independent B2C online shop system for businesses and individuals to quickly build personalized online stores. The system is based on PHP + MySQL, and developed as a cross-platform open source program.

ECshop does not impose strict filtering policies for some parameters. Attackers can construct a malicious request to start web SQL injection attacks on the website, further steal the website data, or even break into the server.

Affected versions

All versions of ECshop

Fix

  • If your website has had ECshop test data installed, delete the two default backend accounts (shhaigonghu1o1 and bjgonghuo1) in the test data with an immediate effect.

  • Using Alibaba Cloud Security Web Application Firewall can intercept the attacking code targeting this vulnerability.

  • Stay tuned for the latest patches to be released on the ECshop official website.

Thank you! We've received your feedback.