Information
--------------------
Name : SQL Injection Vulnerability in Batavi
Software : Batavi 1.1.2 and possibly below.
Vendor Homepage : http://www.batavi.org
Vulnerability Type : SQL Injection
Severity : Critical
Researcher : Onur Yılmaz
Advisory Reference : NS-12-003

Description
--------------------
Batavi is an open source e-commerce platform.

Details
--------------------

Batavi is affected by a SQL Injection vulnerability in version 1.1.2.


Example PoC URL is as follows: http://example.com/ajax.php (POST - Param: boxToReload)
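The injection point named above is a POST parameter that is handed to a database query. The following is an added illustration, not Batavi's code and not taken from the vendor's fix: a hardened handler for a parameter such as boxToReload that accepts only known box names and binds the value through a prepared statement instead of concatenating it into SQL. The table and column names, the allow-list entries and the PDO connection values are hypothetical.

```php
<?php
// Added example (not Batavi's code): safe handling of a POST parameter
// that selects which page box to reload. Table/column names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern to look for in code review (shown as a comment only):
//   $sql = "SELECT ... FROM boxes WHERE box_name = '" . $_POST['boxToReload'] . "'";
// The user-controlled value becomes part of the SQL text itself.

// Allow-list of box identifiers the application actually knows (hypothetical).
const ALLOWED_BOXES = ['cart', 'login', 'search', 'categories'];

function loadBox(PDO $pdo, string $boxToReload): ?array
{
    // 1. Allow-list: reject anything that is not a known box name.
    if (!in_array($boxToReload, ALLOWED_BOXES, true)) {
        return null;
    }
    // 2. Prepared statement: the value is bound as data, never spliced into SQL.
    $stmt = $pdo->prepare(
        'SELECT box_name, box_template FROM boxes WHERE box_name = :name'
    );
    $stmt->bindValue(':name', $boxToReload, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical connection settings; native prepares avoid client-side emulation.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$box = loadBox($pdo, (string)($_POST['boxToReload'] ?? ''));
if ($box === null) {
    // Unknown or malformed box name: refuse instead of querying with it.
    http_response_code(400);
    exit;
}
header('Content-Type: application/json');
echo json_encode($box);
```

The allow-list is the stronger of the two controls for a parameter like this, because the set of valid box names is fixed by the application; the prepared statement is the general defence that protects the query even when a value cannot be enumerated in advance.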

Solution
--------------------
The vendor fixed this vulnerability in the new version. Please see the references.

Advisory Timeline
--------------------
05/12/2011 - First contact: Sent the vulnerability details
19/12/2011 - Second contact: Asked for patch
18/01/2012 - Vulnerability Fixed in latest version
24/01/2012 - Vulnerability Released

Credits
--------------------
It was discovered during testing with Netsparker, Web Application Security Scanner.

References
--------------------