defa Posted October 6, 2005

Hello!

Doing forensics in a hacked shop system we found the following vulnerability in the "Additional Images" module of osCommerce from "Author: zaenal <zaenal AT paramartha.org>". Find more detailed information here: http://www.oscommerce.com/community/contributions,1032

Description: If an anonymous remote user changes the value of 'products_id' when he gets "product_info.php", he is able to insert SQL code into an SQL query, if the module in question is installed.

Impact: An attacker might read out parts or the whole of the database.

Code: the following code on line 16 in SHOPROOT/catalog/includes/modules/additional_images.php doesn't check the value of the "products_id" variable.

    $images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

Solution: Contact the author/vendor.

Workaround: Change line 16 in SHOPROOT/catalog/includes/modules/additional_images.php to:

    $images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");

Thanks to the guy who found the log entry in question.

bye
defa
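To make the effect of the one-character workaround visible without a database, here is an added example (not code from the original post or from the Additional Images contribution). It builds the same SQL string as line 16 in both forms and returns it instead of passing it to tep_db_query(), so the difference between the raw value and the (int)-cast value can be seen offline. The table name behind TABLE_ADDITIONAL_IMAGES is an assumption.

```php
<?php
// Added example, not osCommerce's own code. The constant value below is an
// assumption; in osCommerce it is defined in includes/database_tables.php.
define('TABLE_ADDITIONAL_IMAGES', 'additional_images');

// Vulnerable form (original line 16): the GET value is concatenated straight
// into the SQL text, so anything after the digits becomes part of the query.
function build_query_vulnerable($products_id)
{
    return "SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM "
        . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $products_id . "'";
}

// Workaround form: PHP's (int) cast keeps only a leading integer ("28 UNION ..." -> 28,
// "abc" -> 0), so the value that reaches the query can only ever be digits.
function build_query_hardened($products_id)
{
    return "SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM "
        . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int)$products_id . "'";
}

// Constructed sample inputs: a normal product id, and the kind of value
// discussed later in this thread (kgt's UNION example, URL-decoded).
$samples = array(
    '28',
    '28 UNION SELECT customers_phone, customers_id, customers_firstname, customers_lastname, customers_email_address FROM customers',
    'not-a-number',
);

foreach ($samples as $value) {
    echo "input:      " . $value . "\n";
    echo "vulnerable: " . build_query_vulnerable($value) . "\n";
    echo "hardened:   " . build_query_hardened($value) . "\n\n";
}
```

The cast is the right fix here because products_id is an integer column; for string parameters osCommerce's own tep_db_input() (a wrapper around mysql_real_escape_string) is the equivalent step, and the value should be validated against what the application expects before it is used at all.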
Guest Posted October 12, 2005

Can you demonstrate how an attacker can read the whole dbase from this code:

    $images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

Because the selection is for TABLE_ADDITIONAL_IMAGES, unless you have sensitive information stored with the images, I cannot see why the int cast will make a difference in preventing or giving access to the dbase.
kgt Posted October 12, 2005 (edited)

    www.mydomain.com/somefile.php?id=1%20UNION%20SELECT%20customers_phone,%20customers_id,%20customers_firstname,%20customers_lastname,%20customers_email_address%20from%20customers

(without line breaks)

Wouldn't get you much as it is, since the customers fields would be typecast to the products fields, but if you had the time, you could possibly glean stuff out. This URL will pull information out of the customers table, even though the coded query is for products only. Of course it would require MySQL 4.x or later.

Edited October 12, 2005 by kgt
Guest Posted October 12, 2005 (edited)

Right, and that goes back to SQL injection issues, which may affect every script in the catalog if the input is not properly validated.

application_top.php, pretty much at the beginning:

    if (isset($HTTP_GET_VARS['products_id'])) {
        if (!is_numeric($HTTP_GET_VARS['products_id'])) exit(); // or redirect somewhere
    }

And of course validation using an array for the various data types and input variables will be more appropriate.

Edited October 12, 2005 by enigma1
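The post above ends with the suggestion of validating all GET variables against an array of data types rather than checking one variable at a time. Here is an added example of that approach (not code from the thread or from osCommerce) written in the style of an early application_top.php check. The parameter names and types in $expected are illustrative assumptions; a real deployment would list the parameters its own catalog actually uses.

```php
<?php
// Added example, not osCommerce's own code. Maps each accepted GET parameter to
// the shape it must have; anything that does not match is rejected as a whole,
// which is the "exit() or redirect" behaviour enigma1 describes.
$expected = array(
    'products_id'      => 'int',
    'categories_id'    => 'int',
    'manufacturers_id' => 'int',
    'page'             => 'int',
    'cPath'            => 'cpath',   // osCommerce category path such as "21_25"
    'currency'         => 'alpha3',  // ISO currency code such as "USD"
    'language'         => 'alpha',   // language directory name such as "english"
);

// Returns the validated (and typed) parameters, or false if any value is malformed.
function validate_get_vars(array $get, array $expected)
{
    $clean = array();
    foreach ($expected as $name => $type) {
        if (!isset($get[$name])) {
            continue;
        }
        $value = (string)$get[$name];
        switch ($type) {
            case 'int':
                // ctype_digit is stricter than is_numeric, which also accepts
                // forms such as "1e3" or a value with leading whitespace.
                if (!ctype_digit($value)) return false;
                $clean[$name] = (int)$value;
                break;
            case 'cpath':
                if (!preg_match('/^[0-9]+(_[0-9]+)*$/', $value)) return false;
                $clean[$name] = $value;
                break;
            case 'alpha3':
                if (!preg_match('/^[A-Z]{3}$/', $value)) return false;
                $clean[$name] = $value;
                break;
            case 'alpha':
                if (!preg_match('/^[a-z]{1,32}$/', $value)) return false;
                $clean[$name] = $value;
                break;
            default:
                return false; // unknown type in the map is a configuration error
        }
    }
    return $clean;
}

// Constructed requests: one well-formed, one carrying the value from kgt's example.
$good = array('products_id' => '28', 'cPath' => '21_25', 'currency' => 'USD');
$bad  = array('products_id' => '28 UNION SELECT customers_email_address FROM customers');

var_dump(validate_get_vars($good, $expected)); // typed array: products_id => int(28), ...
var_dump(validate_get_vars($bad, $expected));  // bool(false): caller should exit() or redirect
```

Unknown parameters are simply ignored here rather than rejected; a stricter variant would also refuse any GET name not present in the map. Either way, the point of the table is that every script in the catalog benefits from the same check instead of each one remembering to cast its own variables.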
Nerf-Herder Posted March 2, 2008

I'm completely new at this, but would like to ask a stupid question:

I don't have "Additional Images" installed, but I get hit with injections 5 to 15 times daily, and those are just the ones I catch. All of them originate from IPs belonging to ISPs in Toronto, CA. I'm blocking IPs when I catch it, but I have no idea what's going on.

My question is: Are these attacks successful even though Additional Images isn't installed? If not, why is this happening so frequently? What, if anything, can be done to spot it?

OK, that's more than one question. Sorry. I'm just a little freaked about it.

Chat.ru
Land.ru
something-or-other.lv

My wife is Russian, and she says that nothing looks too odd about the sites, but it sure ain't right. What do we do? :'(

Thanks for any help you can provide.
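The question above asks how to spot these requests. One practical answer, which applies whether or not the Additional Images module is installed, is to check the web server's access log for parameters that should only ever be integers but arrive as something else. The following is an added example (not from this thread or from osCommerce): it parses a few constructed Apache combined-format log lines, URL-decodes the query string, and reports every request whose products_id (or other listed integer parameter) is not purely digits. The list of integer parameters is an assumption for the example.

```php
<?php
// Added example, not osCommerce's own code. The log lines are constructed for
// the demonstration; the second one carries the UNION value kgt showed above.
$log = <<<'LOG'
203.0.113.5 - - [02/Mar/2008:10:01:12 +0000] "GET /catalog/product_info.php?products_id=28 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2008:10:02:40 +0000] "GET /catalog/product_info.php?products_id=28%20UNION%20SELECT%20customers_phone,%20customers_id,%20customers_firstname,%20customers_lastname,%20customers_email_address%20from%20customers HTTP/1.1" 200 4876 "-" "Mozilla/4.0"
203.0.113.9 - - [02/Mar/2008:10:03:01 +0000] "GET /catalog/index.php?cPath=21_25 HTTP/1.1" 200 9001 "-" "Mozilla/4.0"
LOG;

// Parameters that must be integers in a stock osCommerce catalog (assumed list).
$int_params = array('products_id', 'categories_id', 'manufacturers_id');

// Returns one record per request in which an integer-only parameter carries
// anything other than digits: the source IP, the parameter and its decoded value.
function find_suspicious_requests($log, array $int_params)
{
    $hits = array();
    foreach (explode("\n", trim($log)) as $line) {
        // Client IP is the first field; the request target follows the method in the quoted request line.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) /', $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $target = $m[2];
        $query  = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue; // no query string on this request
        }
        parse_str($query, $params); // also URL-decodes %20 and friends
        foreach ($int_params as $name) {
            if (isset($params[$name]) && !ctype_digit((string)$params[$name])) {
                $hits[] = array('ip' => $ip, 'param' => $name, 'value' => $params[$name]);
            }
        }
    }
    return $hits;
}

print_r(find_suspicious_requests($log, $int_params));
// Reports only the second line: ip 203.0.113.9, param products_id, value "28 UNION SELECT ..."
```

Run against a real access log, the same function gives a daily list of offending IPs and the exact parameter values tried, which answers "what can be done to spot it" far more reliably than eyeballing the log. Whether a given attempt succeeded depends on whether the targeted script casts or validates the value as the earlier posts describe; an unmodified product_info.php that already casts products_id to int is not affected by this particular query, but the log check is still worth keeping because the same requests will be tried against every other parameter too.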