IPA/ISEC：Vulnerabilities：Security Alert for EC-CUBE Vulnerability

EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE is vulnerable to SQL injection due to a problem in data transmission handling between EC-CUBE and its database.

When exploited, a remote attacker could gain administrator privilege and access to personal information stored in the EC-CUBE system.

For the latest information, please refer to:
http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000065.html

When a remote attacker attempts an SQL injection attack against an online shopping website created by EC-CUBE, the attacker may gain administrator privilege and access to personal information stored in the EC-CUBE system.

To fix the problem, update the software to the latest version provided by the vendor.

The vulnerability was reported to IPA by the vendor on August 28, 2008. JPCERT Coordination Center (JPCERT/CC) coordinated with the vendor and published the vulnerability on October 1, 2008.

IPA hopes the product vendors will proactively use JVN^(*1) as an effective tool to keep security-aware users informed about vulnerability found in their products.

(1)Evaluation Result

(2) Base Score Metrics

■:Selected Values

SQL Injection (CWE-89)

(*1)Japan Vulnerability Notes. A vulnerability countermeasure information portal operated by IPA and JPCERT/CC. It provides vulnerability countermeasure information on the IT products used in Japan to support implementation of security measures in the information systems.
http://jvn.jp/en/

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: