October 1, 2008
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) has issued the Security Alert for EC-CUBE Vulnerability on October 1, 2008.
This vulnerability allows a remote attacker to execute arbitrary SQL statements on a vulnerable system. When exploited, the attacker could gain administrator privilege and access to personal information stored in the EC-CUBE system.
To fix the problem, update to the latest version provided by the vendor.
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE is vulnerable to SQL injection due to a problem in data transmission handling between EC-CUBE and its database.
When exploited, a remote attacker could gain administrator privilege and access to personal information stored in the EC-CUBE system.
For the latest information, please refer to:
When a remote attacker attempts an SQL injection attack against an online shopping website created by EC-CUBE, the attacker may gain administrator privilege and access to personal information stored in the EC-CUBE system.
To fix the problem, update the software to the latest version provided by the vendor.
The vulnerability was reported to IPA by the vendor on August 28, 2008. JPCERT Coordination Center (JPCERT/CC) coordinated with the vendor and published the vulnerability on October 1, 2008.
IPA hopes that product vendors will proactively use JVN(*1) as an effective tool to keep security-aware users informed about vulnerabilities found in their products.
(CVSS base score)
| CVSS base score | 7.5 |
| AV: Access Vector | □ Local | □ Adjacent | ■ Network |
| AC: Access Complexity | □ High | □ Medium | ■ Low |
| Au: Authentication | □ Multiple | □ Single | ■ None |
| C: Confidentiality Impact | □ None | ■ Partial | □ Complete |
| I: Integrity Impact | □ None | ■ Partial | □ Complete |
| A: Availability Impact | □ None | ■ Partial | □ Complete |
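The following is an added worked example (not part of the IPA alert) that computes the CVSS v2 base score from the six base metrics and checks which Access Vector value is consistent with the 7.5 score stated above, given the other metrics marked in the table (AC:Low, Au:None, C/I/A:Partial). The metric weights and formula are those of the CVSS v2.0 specification; the function names are the example's own.

```python
import math

# CVSS v2 base-metric weights as defined in the CVSS v2.0 specification.
AV = {"Local": 0.395, "Adjacent": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _round1(x: float) -> float:
    """CVSS v2 rounds to one decimal, half up (avoids float banker's rounding)."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(av, ac, au, c, i, a):
    """Compute the CVSS v2 base score from the six base-metric names."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def access_vectors_matching(score, ac, au, c, i, a):
    """Return the Access Vector values that reproduce `score` when the other
    five metrics are fixed; used here to cross-check the advisory's table."""
    return [av for av in AV if cvss2_base_score(av, ac, au, c, i, a) == score]


if __name__ == "__main__":
    # Metrics marked (■) in the advisory's CVSS table.
    ac, au, c, i, a = "Low", "None", "Partial", "Partial", "Partial"
    print(access_vectors_matching(7.5, ac, au, c, i, a))  # ['Network']
    print(cvss2_base_score("Network", ac, au, c, i, a))   # 7.5
```

Only a Network access vector reproduces 7.5 with these metrics; a Local or Adjacent vector would give 4.6 or 5.8, which matches the alert's description of a remote attacker.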
(*1) Japan Vulnerability Notes: a vulnerability countermeasure information portal operated by IPA and JPCERT/CC. It provides vulnerability countermeasure information on IT products used in Japan to support the implementation of security measures in information systems.
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)