ECTouch SQL Injection Scanner
Detects 'SQL Injection' vulnerability in ECTouch 2.
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
20 days 7 hours
Scan only one
URL
Toolbox
-
ECTouch 2 is a popular mobile e-commerce platform utilized by businesses looking to provide an ordering and purchasing experience on mobile devices. Designed for flexibility, it allows developers to extend its capabilities through various modules and plugins. Typically used by online retailers looking to expand into mobile commerce, ECTouch is deployed across websites that handle numerous transactions. Its user-friendly interface is popular among web development professionals catering to clients in e-commerce. The platform is utilized by both small to medium-sized enterprises and large retailers, supporting a wide variety of merchandise categories and transaction volumes.
SQL Injection is a critical vulnerability that allows attackers to interfere with the queries that an application makes to its database. By exploiting SQL injection flaws, attackers can bypass application security measures. They can retrieve or modify database data, including sensitive information of users and site administrators. This flaw essentially permits unauthorized access and manipulation of database content. It can lead to data theft, data corruption, or even complete control over the application, depending on the attacker’s objectives. SQL Injection remains a prevalent and high-risk vulnerability, especially in older or poorly maintained web applications.
The SQL Injection vulnerability in ECTouch 2 is located within the 'asynclist' handler which does not sanitize input parameters correctly. An attacker can exploit this flaw by sending specially crafted requests that include SQL payloads directly to the database. The parameter 'price_max' is among those vulnerable to injection as it lacks validation and allows direct relational manipulation through SQL. This vector can introduce malicious queries, potentially revealing protected information or affecting stored data integrity negatively. By crafting inputs carefully, attackers can achieve persistent access to unauthorized data or administrative commands.
When exploited, the SQL Injection vulnerability in ECTouch 2 can lead to unauthorized data access or manipulation, severely impacting data integrity and confidentiality. Malicious actors can potentially harvest sensitive user information, which may include passwords, personal user data, and credit card details. Beyond data theft, attackers can corrupt or delete data, which might disrupt business operations. Even worse, executing administrative-level operations could lead to complete site compromise. Organizations facing such vulnerabilities might experience financial loss, reputational damage, or legal complications resulting from data breaches.
REFERENCES
