CartWeaver SQL Injection holes

The ColdFusion version of CartWeaver has some security vulnerabilities that were recently discovered. French security company FrSIRT has released an advisory about the holes, and it also states that no vendor patches are available. Apparently CartWeaver version 2.16.11 and prior are affected (2.16.11 is the latest version). These are SQL injection holes, and it looks like they didn't use cfqueryparam.

This brings back the discussion that occurred in the comments of one of my recent posts. A couple of SQL Server fans were telling me that you don't really have to worry about SQL injection in SQL Server, because "if your code is susceptible to SQL injection you're screwed no matter what." Well, what if you purchase a third-party product like CartWeaver? Are you going to feel safe trusting their code when SQL Server allows SQL injection of the multiple-queries-in-one-statement type? This is why Oracle, DB2 and others don't allow multiple queries in one cfquery tag.
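To make the cfqueryparam point concrete, here is the kind of query the advisory describes next to the parameterized version. This is an illustration I wrote for this post, not CartWeaver's actual code, and the datasource, table and column names (cartDSN, products, productID) are made up.

```cfml
<!--- Vulnerable pattern: the URL value is pasted straight into the SQL text.
      On a database whose driver accepts several statements in one cfquery
      (SQL Server does), whatever follows the expected number in url.productID
      is parsed as SQL and runs under the application's database login. --->
<cfquery name="getProduct" datasource="cartDSN">
    SELECT productID, productName, price
    FROM   products
    WHERE  productID = #url.productID#
</cfquery>

<!--- Safe pattern: cfqueryparam sends the value as a bound parameter, so the
      database never parses it as part of the statement. With
      cfsqltype="cf_sql_integer", ColdFusion also throws an error before the
      query is sent if the value is not an integer. --->
<cfquery name="getProduct" datasource="cartDSN">
    SELECT productID, productName, price
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.productID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same rule applies to string input; maxlength caps how much is accepted.
      The % wildcards are part of the bound value, not of the SQL text. --->
<cfquery name="findProducts" datasource="cartDSN">
    SELECT productID, productName
    FROM   products
    WHERE  productName LIKE <cfqueryparam value="%#form.search#%"
                                           cfsqltype="cf_sql_varchar"
                                           maxlength="100">
</cfquery>
```

Every variable that reaches a cfquery should go through cfqueryparam, whether the database allows multiple statements or not; the type check and length cap are a bonus on top of the parameter binding.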