Parikesit, posted November 13, 2007

Hi all,

When I was searching through Google, I found this article, "OScommerce: "Additional Images" Module SQL Injection": http://www.opencommercio.com/Article169.html. So, you all should update the code as instructed below....

Hello! Doing forensics on a hacked shop system, we found the following vulnerability in the "Additional Images" Module of OScommerce from "Author: zaenal <zaenal AT paramartha.org>". Find more detailed information here: http://www.oscommerce.com/community/contributions,1032

Description: If an anonymous remote user changes the value of 'products_id' when he requests "product_info.php", he is able to insert SQL code into an SQL query, if the module in question is installed.

Impact: An attacker might read out parts or the whole of the database.

Code: the following code on line 16 in SHOPROOT/catalog/includes/modules/additional_images.php doesn't check the value of the "products_id" variable.

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

Solution: Contact the author/vendor.

Workaround: Change line 16 in SHOPROOT/catalog/includes/modules/additional_images.php to:

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int) $HTTP_GET_VARS['products_id'] . "'");

Thanks to the guy who found the log entry in question.

bye
defa

recent contributions: mySQLi extension for osc 2.X, OPI: advanced image handling (ajax, thumbnail, watermark, etc), and other contributions
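An added example, not code from the osCommerce project or the module author: it reproduces the shape of line 16 in both the vulnerable and the (int)-cast form so the difference in the resulting SQL is visible, and adds a small access-log check for requests whose products_id is not a plain integer. The table name, log format and sample log lines are constructed assumptions.

```php
<?php
// Added example, not osCommerce or the module author's code.
// TABLE_ADDITIONAL_IMAGES is defined here only so the snippet runs stand-alone (assumed name).
define('TABLE_ADDITIONAL_IMAGES', 'additional_images');

// Vulnerable form: the raw GET value is concatenated straight into the SQL string.
function build_query_vulnerable(string $products_id): string
{
    return "SELECT additional_images_id, products_id, images_description, medium_images, popup_images"
        . " FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $products_id . "'";
}

// Workaround form: (int) keeps only a leading integer ("42'" becomes 42, "abc" becomes 0),
// so no quote or keyword from the request can reach the query.
function build_query_fixed(string $products_id): string
{
    return "SELECT additional_images_id, products_id, images_description, medium_images, popup_images"
        . " FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int) $products_id . "'";
}

// Detection: a legitimate products_id is a plain integer; anything else deserves a look.
function products_id_is_suspicious(string $value): bool
{
    return preg_match('/^[0-9]+$/', $value) !== 1;
}

// Scan access-log lines for product_info.php requests carrying a non-integer products_id.
// parse_str() already URL-decodes the parameter values.
function find_tampered_requests(array $log_lines): array
{
    $hits = [];
    foreach ($log_lines as $line) {
        if (!preg_match('/"GET (\/catalog\/product_info\.php\?[^ "]*)/', $line, $m)) {
            continue;
        }
        parse_str((string) parse_url($m[1], PHP_URL_QUERY), $params);
        if (isset($params['products_id']) && products_id_is_suspicious((string) $params['products_id'])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): one normal request, one with a tampered value.
$log = [
    '203.0.113.5 - - [13/Nov/2007:10:01:02 +0100] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 8123',
    '203.0.113.9 - - [13/Nov/2007:10:01:07 +0100] "GET /catalog/product_info.php?products_id=42%27 HTTP/1.1" 200 9510',
];
foreach (find_tampered_requests($log) as $hit) {
    echo "suspicious: $hit\n";
}
echo build_query_vulnerable("42'"), "\n"; // the stray quote survives into the SQL
echo build_query_fixed("42'"), "\n";      // the cast leaves only the integer
```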