The latest version from Bisente looks like it might carry a SQL injection bug.
Anyone more familiar with it please let me know if I am wrong.
In rss.php, around line 88, find:
// Create SQL statement
$category = $_GET['cPath'];
$ecommerce = $_GET['ecommerce'];
if ($category != '') {
    // Check to see if we are in a subcategory
    if (strrpos($category, '_') > 0) {
        $category = substr($category, strrpos($category, '_') + 1, strlen($category));
    }
    $catTable = ", products_to_categories pc ";
    $catWhere = 'p.products_id = pc.products_id AND pc.categories_id = \'' . $category . '\' AND ';
}
At line 88, $_GET['cPath'] is not sanitized: the substr() only keeps whatever follows the last underscore, and that value is concatenated straight into the quoted pc.categories_id literal of the WHERE clause, so a single quote in cPath ends the literal and lets the request append its own SQL. ($_GET['ecommerce'] on the next line is read the same way; check where that value ends up.)
Change line 88 to this and it should no longer be vulnerable to this SQL injection:
$category = preg_replace('/[^0-9_]/', '', $_GET['cPath']);
You may be able to get similar results with tep_db_output, but tep_db_output is osCommerce's HTML-output helper (htmlspecialchars) and only encodes 5 characters; the SQL-escaping helper is tep_db_input. The preg_replace above instead removes anything that is not 0-9 or an underscore, which greatly limits the valid input. Since categories_id is an integer, casting the value with (int) after the substr() is stricter still.
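The following is an added example and not code from rss.php or from Bisente's contribution. It reproduces the category handling shown above as a standalone function, then builds the same WHERE fragment three ways: unsanitized, with the preg_replace fix from this post, and with an integer cast. The helper names (split_cpath, build_cat_where_*) and the two cPath inputs are invented for the demonstration.

```php
<?php
// Added example, not osCommerce's own code. Helper names and inputs are
// invented; the WHERE fragment matches the one built in rss.php.

// Same logic as the original: keep only the part after the last "_",
// which is the current (sub)category id in a cPath like "21_25".
function split_cpath($cPath) {
    if (strrpos($cPath, '_') > 0) {
        $cPath = substr($cPath, strrpos($cPath, '_') + 1);
    }
    return $cPath;
}

// Vulnerable: the raw GET value goes straight into the quoted literal.
function build_cat_where_vulnerable($cPath) {
    $category = split_cpath($cPath);
    return 'p.products_id = pc.products_id AND pc.categories_id = \'' . $category . '\' AND ';
}

// Fix from the post: strip everything except digits and underscore first.
function build_cat_where_preg($cPath) {
    $category = split_cpath(preg_replace('/[^0-9_]/', '', $cPath));
    return 'p.products_id = pc.products_id AND pc.categories_id = \'' . $category . '\' AND ';
}

// Stricter alternative: categories_id is an integer, so cast the id.
function build_cat_where_int($cPath) {
    $category = (int) split_cpath($cPath);
    return 'p.products_id = pc.products_id AND pc.categories_id = ' . $category . ' AND ';
}

// Constructed inputs: a normal nested path, and an attempt that closes
// the quoted literal and appends its own condition.
$inputs = array(
    "21_25",
    "21_25' OR '1'='1",
);

foreach ($inputs as $cPath) {
    echo "cPath: $cPath\n";
    echo "  vulnerable: " . build_cat_where_vulnerable($cPath) . "\n";
    echo "  preg:       " . build_cat_where_preg($cPath) . "\n";
    echo "  int:        " . build_cat_where_int($cPath) . "\n";
}
```

With the second input, the vulnerable version emits `pc.categories_id = '25' OR '1'='1' AND`, so the injected OR is now part of the query. The preg_replace version first reduces the input to `21_2511` and ends up with the harmless (if nonexistent) id `2511`; the cast version yields `25`, because (int) stops at the first non-digit. Either way nothing but an id reaches the database.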