
Security Advisories

Name: Anonymous 2012-09-20 5:21

ITT: We share 0day security vulnerabilities in public software.

Me first.

OsCommerce Newsletters & Subscribers Osc Addon (Download Link: http://addons.oscommerce.com/info/8540)
Vulnerable code:

newsletters_subscribe.php line 16:
$subscribers_info = tep_db_query("select subscribers_id from " . TABLE_SUBSCRIBERS . " where subscribers_email_address = '" . $HTTP_POST_VARS['Email'] . "' ");

There are various other points in the code where POST input is not sanitized allowing SQL injection.
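To make the point concrete from the defender's side, here is an added example (not code from the osCommerce addon or from the poster) that reproduces the pattern on line 16 against a small constructed SQLite table and puts the hardened form next to it. The table name `subscribers`, the sample rows, and the probe string are all made up for the demo; the original is PHP, but the mistake and the fix (bind the value as a parameter instead of splicing it into the SQL text) are the same in any language with a real database driver.

```python
import sqlite3

# Constructed stand-in for TABLE_SUBSCRIBERS; not the real osCommerce schema.
SAMPLE_ROWS = [
    (1, "alice@example.com"),
    (2, "bob@example.com"),
]

# A constructed probe: a single quote closes the string literal early, and the
# rest is parsed as SQL. With string splicing it widens the WHERE clause to
# every row; as a bound parameter it is just an address that matches nobody.
PROBE_EMAIL = "x' or '1'='1"


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table subscribers ("
        "subscribers_id integer primary key, "
        "subscribers_email_address text)"
    )
    conn.executemany("insert into subscribers values (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Mirrors the addon: untrusted POST input concatenated into the query string."""
    sql = (
        "select subscribers_id from subscribers "
        "where subscribers_email_address = '" + email + "' "
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Hardened form: the value is passed as a bound parameter, never as SQL text."""
    sql = (
        "select subscribers_id from subscribers "
        "where subscribers_email_address = ?"
    )
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(conn, email):
    """Return (vulnerable_ids, safe_ids) so the two behaviours can be checked side by side."""
    return lookup_vulnerable(conn, email), lookup_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    print("normal input :", compare(db, "alice@example.com"))  # ([1], [1])
    print("probe input  :", compare(db, PROBE_EMAIL))          # ([1, 2], [])
```

The `compare` call is the check worth keeping in a regression test: a legitimate address must return the same rows from both functions, and any input containing a quote must return nothing from the safe path. In the PHP original the equivalent fix is a prepared statement with the e-mail bound as a parameter (or, at minimum, routing every `$HTTP_POST_VARS` value through the database driver's escaping function before it reaches `tep_db_query`).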

Name: Anonymous 2012-09-20 5:47

ITT: We estimate how many billions of dollars SQL injections cost major companies each year. And then we produce a static typing system that completely eliminates the possibility of an SQL injection. And then we wonder why the world is so retarded.
