I am the principal behind FishCart, discussed in the above advisory. I found tonight after posting to bugtraq about another reported problem that this previous bug is reported as unpatched.
As best we could determine the post from dcrab was not accurate regarding the SQL injection claims. The original post at http://www.securityfocus.com/archive/1/397484 shows invalid sql statements, not sql injection. We found that the URL he had posted was not normal and turned up a coding bug that explained the SQL errors, but there was no SQL injection. We also had some trouble reproducing some of the XSS errors. That said, we took the claims seriously and immediately went to work to improve error hardening. A fix was worked out among the developers and incorporated into the source in mid May 2005. A version 3.x patch was derived from the source changes and sent to the FishCart mailing list on May 21, 2005 for installed FishCarts. This post can be seen at http://www.fishcart.org/archives/200505/msg00028.html. You will need to log in with username 'speak', password 'friend' to see the post. While we have continued to refine the process, we think it fair that the patch has been available since that date. Please update your advisory to reflect this information. If you have any further questions please feel free to contact me at your convenience to verify my identity or for further details on the fixes. Thank you for your attention to this matter. Michael Brennen President, FishNet, Inc. [EMAIL PROTECTED] 972.669.0041
