
Vulnerable to BLIND SQL injection


abirchall

Hi,

I'm running 2.2-MS2 and had installed a HackerGuardian logo on the website a few weeks back. Over the last week I've received a failure in the tests quoting the website was vulnerable to BLIND SQL injection. I've read previous posts, specifically http://www.oscommerce.com/forums/index.php?showtopic=254708. Previous references on the forum/fixes seem to deal with country and zone codes and I checked to ensure my code for these was the most recent and correct.

However, HackerGuardian said the vulnerability is coming from the specials.php page. e.g. /specials.php?-=&listall=1+AND+1=1

 

I did make a slight change to my classes/split_page_results.php a while back to allow users to show all products...


    // classes/split_page_results.php: let a user show all products on one page
    if (isset($HTTP_GET_VARS['listall'])) {
        if ($HTTP_GET_VARS['listall'] == 1) {
            $max_rows = 10000;
        }
    }


I can obviously do a check to see if listall above is_numeric and catch such strings as 'listall=1+AND+1=1'. My question is how should the code react if 'listall=1+AND+1=1' is passed in? I can't see any difference in what is returned from the below and this is the most recent version of osCommerce which is presumably not vulnerable:

 

http://demo.oscommerce.com/product_info.php?products_id=1

 

http://demo.oscommerce.com/product_info.ph...ts_id=1+AND+1=1


Many thanks in advance,

 

A


Make sure whatever parameters have to do with database access are properly processed through the tep_db_prepare_input and tep_db_input functions. If you know the parameter is of type integer you can add a straight (int) cast.

You can also apply some filtering if you're concerned with the parameters propagating.

http://www.oscommerce.com/community/contributions,3656

But in general you need to validate the GET parameters, forms etc. properly. And that is dependent on what custom scripts you have.

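The following is an added example, not osCommerce code and not from either poster, showing the two ways the question above can be answered in practice: the plain (int) cast the reply recommends, and a stricter check that treats anything that is not a bare integer as if the parameter had not been sent. The osCommerce helpers tep_db_prepare_input and tep_db_input are not used here; the functions and the sample GET arrays are constructed for this illustration, and the query fragment is a stand-in for wherever $max_rows ends up in a LIMIT clause.

```php
<?php
// Added example (not osCommerce code): reacting safely to a 'listall' GET
// parameter that may carry a string such as "1 AND 1=1".
declare(strict_types=1);

/**
 * Strategy 1, the reply's advice: cast the parameter to int.
 * "1 AND 1=1" becomes 1 and "abc" becomes 0; no text survives the cast,
 * so nothing the parameter contained can reach the SQL string.
 */
function max_rows_by_cast(array $get, int $default = 20, int $list_all = 10000): int
{
    if (!isset($get['listall'])) {
        return $default;
    }
    $listall = (int) $get['listall'];
    return ($listall === 1) ? $list_all : $default;
}

/**
 * Strategy 2, stricter: accept only a canonical unsigned integer string and
 * otherwise behave exactly as if 'listall' were absent. ctype_digit rejects
 * "1 AND 1=1", "1+AND+1=1", " 1", "1.0" and "1e0"; is_numeric alone would
 * let some of those through. Strict === avoids loose string/int comparison,
 * whose result for non-numeric strings differs between PHP versions.
 */
function max_rows_strict(array $get, int $default = 20, int $list_all = 10000): int
{
    if (!isset($get['listall'])) {
        return $default;
    }
    $raw = (string) $get['listall'];
    if (!ctype_digit($raw)) {
        return $default;   // react as if the parameter were not set
    }
    return ((int) $raw === 1) ? $list_all : $default;
}

/**
 * Stand-in for the query fragment: integers are formatted with %d, never
 * concatenated from raw input, so the fragment cannot carry injected text.
 */
function build_limit_clause(int $max_rows, int $page): string
{
    $offset = max(0, $page - 1) * $max_rows;
    return sprintf('LIMIT %d, %d', $offset, $max_rows);
}

// Constructed inputs: a normal request, the scanner's string both URL-decoded
// ('+' is a space in a query string) and raw, and a request without listall.
$cases = [
    ['listall' => '1'],
    ['listall' => '1 AND 1=1'],
    ['listall' => '1+AND+1=1'],
    [],
];

foreach ($cases as $get) {
    $shown = var_export($get['listall'] ?? null, true);
    printf("%-14s cast: %-16s strict: %s\n",
        $shown,
        build_limit_clause(max_rows_by_cast($get), 1),
        build_limit_clause(max_rows_strict($get), 1));
}
```

Run with `php example.php`. With the cast strategy, '1' and '1 AND 1=1' both produce `LIMIT 0, 10000`, which is why two URLs can return identical pages without the parameter ever touching the query as text; with the strict strategy only '1' does, and the injected strings fall back to the default page size. Either way the answer to "how should the code react" is the same: reduce the parameter to an integer before it is used, and never build the query from the raw string.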

  • 2 years later...

I need to fix the possible blind sql injection for my product_info.php pages. I installed Security Pro a long time ago and everything was fine then. What happened? Can anyone help me figure this out? Thanks!! I have been looking for possibilities but I did the security code already.


Sam



  • 4 weeks later...

What does that topic have to do with anything? I only inquired what the result of that particular command would be.
