designcraft Posted September 10, 2010 (edited)

I haven't heard back from SM yet so this is all I know.

Possible blind SQL injection on https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b

wp --bsql "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b" "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D1" "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D0"

cat <<EOF > bsql.sh
curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D1" > a
curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D0" > b
diff a b
EOF
sh bsql.sh

This website may have other injection-related vulnerabilities.

Edited September 10, 2010 by designcraft
designcraft Posted September 10, 2010

They sent this. What does this mean?

:~$ curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D1" > a
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22118    0 22118    0     0  30199      0 --:--:-- --:--:-- --:--:-- 30199
:~$ curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D0" > b
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 22118    0 22118    0     0  32090      0 --:--:-- --:--:-- --:--:-- 32090
:~$ diff a b
106c106
FWR Media (Author) Posted September 10, 2010

Looking into it.

--
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
designcraft Posted September 10, 2010

> Looking into it.

Thank you very much! I really appreciate it! :)
designcraft Posted September 10, 2010

This is the string:

:~$ curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D1" > a
:~$ curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D0" > b
:~$ diff a b
FWR Media (Author) Posted September 10, 2010 (edited)

Can't see any injection possibilities here with Security Pro enabled.

The proposed injection querystring:
- https://domain.com/s...e4e5b+and+1%3D0

becomes:
- [osCsid] => 78aee66e909a6dacdeb923ec74de4e5b and 10

the other becomes:
- [osCsid] => 78aee66e909a6dacdeb923ec74de4e5b and 11

Edited September 10, 2010 by FWR Media
designcraft Posted September 10, 2010

Do you need the actual store's domain name, or does this most likely mean a false positive again? Thanks again!
FWR Media (Author) Posted September 10, 2010

> Do you need the actual store's domain name, or does this most likely mean a false positive again? Thanks again!

PM me the domain .. we ought to check it.
FWR Media (Author) Posted September 10, 2010

> Do you need the actual store's domain name, or does this most likely mean a false positive again? Thanks again!

Checked your site and it's fine.

1) Security Pro reduces the querystring back to harmless characters. [a-z0-9\-_\.{}]
2) osCommerce recognises that it is not a sane osCsid and redirects the "attacker" to index.php.

Nothing even mildly close to an injection happening there.
designcraft Posted September 10, 2010

> Checked your site and it's fine.
> 1) Security Pro reduces the querystring back to harmless characters. [a-z0-9\-_\.{}]
> 2) osCommerce recognises that it is not a sane osCsid and redirects the "attacker" to index.php.
> Nothing even mildly close to an injection happening there.

Your fast response and help is well appreciated. May I ask you what you did to check this? Thanks again. :)
FWR Media (Author) Posted September 10, 2010 (edited)

> Your fast response and help is well appreciated. May I ask you what you did to check this? Thanks again. :)

1) Log in as a user
2) Add a product to cart
3) Proceed to checkout_shipping.php
4) In Firefox .. view cookie and copy the osCsid VALUE

Modify the url in the top bar by adding ?osCsid=[VALUE_GOT_FROM_COOKIE]+and+1%3D1

So it will look something like ..

www.mysite.com/shop/checkout_shipping.php?osCsid=[VALUE_GOT_FROM_COOKIE]+and+1%3D1

Run it and you are redirected to index.php

Edited September 10, 2010 by FWR Media
designcraft Posted September 10, 2010

How will I know if it is bad? Will I be redirected somewhere else? Thanks again!
FWR Media (Author) Posted September 10, 2010 (edited)

> How will I know if it is bad? Will I be redirected somewhere else? Thanks again!

Security scanners generally only know if they have hit on a hack vector when they force the application to issue an error.

A possibility ( and only a possibility ) is that the scanner saw that by adding the code that it did it was served an entirely different page and took this to mean that it had "forced" the application to do something, where the reality is that the script identified a bad action and redirected the "user" as a consequence.

Edited September 10, 2010 by FWR Media
designcraft Posted September 10, 2010

So I wouldn't be able to see it, only the security scanners? If there is an error, then some code needs adjusting? I know it's not that easy but I just want to understand this a bit more. Thanks again!
FWR Media (Author) Posted September 10, 2010 (edited)

> So I wouldn't be able to see it, only the security scanners? If there is an error, then some code needs adjusting? I know it's not that easy but I just want to understand this a bit more. Thanks again!

I added to the post above yours which you probably haven't seen. I really can't tell you any more at this stage, but no .. the scanner sees nothing you don't, to my knowledge.

Edited September 10, 2010 by FWR Media
designcraft Posted September 10, 2010

Oh I see. :) Well thank you so much for your quick responses to everything. If there is anything that I could help you out with I would be more than happy to. Have a great weekend. :)
normanlamps Posted October 21, 2010 (edited)

Is it possible to change the search query "/" to a blank space? I found that if a search is made like "product/ab" aka "product%2Fab" it will not show the product; if you search for "product ab" aka "product+ab" it returns the correct product with its name of "product/ab". Other than excluding the search results page, would this make sense to adjust? Is there another way? I understand the need to not weaken the security, although I've been unable to locate any modification to the code like suggested. Thanks in advance, appreciate any help.

> It's written in the instructions .. security pro zealously restricts the values obtained from the querystring to .. \s{}a-zA-Z0-9_.- Anything other than that will be stripped. If your code is passing other characters you should modify it so that it no longer does. Your only other option is to weaken the security, which I don't recommend.

Edited October 21, 2010 by normanlamps
FWR Media (Author) Posted October 21, 2010

> Is it possible to change the search query "/" to a blank space? I found that if a search is made like "product/ab" aka "product%2Fab" it will not show the product; if you search for "product ab" aka "product+ab" it returns the correct product with its name of "product/ab". Other than excluding the search results page, would this make sense to adjust? Is there another way? I understand the need to not weaken the security, although I've been unable to locate any modification to the code like suggested. Thanks in advance, appreciate any help.

If you want to weaken security you can .. in my opinion there is no need or reason to include / in a search querystring. Yes, what you suggest could be done if isolated to that particular file .. but Security Pro is global so makes no concessions for individual files. Being a "whitelist" is its power.
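The whitelist FWR Media describes earlier in the thread (the querystring reduced to harmless characters, so the "+and+1%3D1" probe turns into "and 11" and osCommerce discards the mangled osCsid) and the search problem discussed just above (why "product/ab" finds nothing while "product ab" does) modelled together as an added Python example; this is not Security Pro's or osCommerce's own code, and the strip-rather-than-reject behaviour, the 32-hex osCsid format and the whitespace-split keyword search are assumptions.

```python
# Added example (not Security Pro's or osCommerce's code): a model of the
# whitelist querystring filter the thread describes, used to show why the
# scanner's probe was neutralised and why a search for "product/ab" fails.
import re
from urllib.parse import parse_qsl

# Assumption: the filter deletes every character outside the class quoted in
# the thread (\s{}a-zA-Z0-9_.-) instead of rejecting the whole request.
DISALLOWED = re.compile(r"[^\s{}a-zA-Z0-9_.\-]")


def clean_value(value: str) -> str:
    """Reduce one URL-decoded parameter value to the whitelisted characters."""
    return DISALLOWED.sub("", value)


def clean_query(query: str) -> dict:
    """URL-decode a raw querystring ('+' -> space, %3D -> '='), then whitelist
    every value, as a global filter run from application_top.php would."""
    return {k: clean_value(v) for k, v in parse_qsl(query, keep_blank_values=True)}


def is_sane_oscsid(value: str) -> bool:
    """A plausible osCsid is 32 hex characters (assumed format); the thread
    says anything else makes osCommerce drop it and redirect to index.php."""
    return re.fullmatch(r"[0-9a-f]{32}", value) is not None


def search_matches(raw_keywords: str, product_name: str) -> bool:
    """Simplified keyword search (assumption): split the filtered keywords on
    whitespace and require every term to appear in the product name."""
    terms = clean_value(raw_keywords).lower().split()
    return bool(terms) and all(t in product_name.lower() for t in terms)


if __name__ == "__main__":
    sid = "78aee66e909a6dacdeb923ec74de4e5b"  # the session id quoted in the thread
    for probe in (f"osCsid={sid}+and+1%3D1", f"osCsid={sid}+and+1%3D0"):
        got = clean_query(probe)["osCsid"]
        print(f"{probe}\n  -> {got!r}  sane osCsid: {is_sane_oscsid(got)}")
    # The same filter is what makes "/" vanish from search keywords.
    for kw in ("product/ab", "product ab"):
        print(f"search {kw!r} matches 'product/ab': {search_matches(kw, 'product/ab')}")
```

The filtered probes come out exactly as FWR Media's debug output shows them ("... and 11" and "... and 10"), which is why both requests end in the same redirect and the scanner's diff tells it nothing.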
normanlamps Posted October 22, 2010

Unfortunately almost all of our products have a "/" in their name. Is there any particular code we can modify to simply fix the problem, or is excluding the file the only option? We don't want to exclude the file; we only want to know what code needs to be changed as you suggested. We wouldn't know where to begin with actually modifying the site. We assume it would be a modification to the search tool itself. Security Pro seems to be helping a lot and is a very useful add-on, although it's difficult to justify its use when so many customers' search queries contain "/" and no results show. Again we certainly do appreciate any help that you may offer. Thank you.
FWR Media (Author) Posted October 22, 2010

> Unfortunately almost all of our products have a "/" in their name. Is there any particular code we can modify to simply fix the problem, or is excluding the file the only option? We don't want to exclude the file; we only want to know what code needs to be changed as you suggested. We wouldn't know where to begin with actually modifying the site. We assume it would be a modification to the search tool itself. Security Pro seems to be helping a lot and is a very useful add-on, although it's difficult to justify its use when so many customers' search queries contain "/" and no results show. Again we certainly do appreciate any help that you may offer. Thank you.

It shouldn't be hard to justify its use .. it's obvious .. it whitelists the characters allowed in the querystring, which is especially essential with the plethora of badly coded contributions for osCommerce. If you want to introduce banned characters then you have to exclude the file and do the security checks yourself in that file.
RMD27 Posted October 22, 2010

> Nice work! Another one for the excludes list - redirect.php. Product urls to external sites break with SecurityPro on, but the passed url is checked by redirect.php against the legitimate url for the product, so redirect.php can be safely excluded. HTH Chris

Hi Chris

Thanks for putting this info up, exactly what I was looking for! :thumbsup:
Halcyon56 Posted November 3, 2010

After installing SecurityPro and carefully following all instructions I get the following error, either when trying to run/install the SecurityPro_install.php file or just when I try to access my osCommerce store:

Fatal error: Call to a member function add_current_page() on a non-object in /home/graficai/public_html/estore/includes/application_top.php on line 332

Line 332 reads as follows:

$navigation->add_current_page();

Any help will be appreciated. TIA
FWR Media (Author) Posted November 3, 2010

> After installing SecurityPro and carefully following all instructions I get the following error, either when trying to run/install the SecurityPro_install.php file or just when I try to access my osCommerce store:
> Fatal error: Call to a member function add_current_page() on a non-object in /home/graficai/public_html/estore/includes/application_top.php on line 332
> Line 332 reads as follows:
> $navigation->add_current_page();
> Any help will be appreciated. TIA

$navigation->add_current_page(); is an osCommerce issue, not one of Security Pro. Just close all browser windows and then open a new one, browsing directly to the install file.
Halcyon56 Posted November 3, 2010

> $navigation->add_current_page(); is an osCommerce issue, not one of Security Pro. Just close all browser windows and then open a new one, browsing directly to the install file.

Thanks, I might have done that inadvertently because all of a "sudden" it works. Thanks for clearing things up.
tigergirl Posted November 8, 2010 (edited)

In the contribution it says: your querystring should be safe as long as the contribution/code calls application_top.php

I checked and found a few files that don't have require('includes/application_top.php');

Presumably one needs to add this? Can it basically go in any file or would it just be files in the root? Is it as simple as just adding that inside php tags at the top of the file?

Also, I noticed one file has require("includes/application_top.php"); is that the same as require('includes/application_top.php');

Just curious to ensure I'm catching everything.....

Edited November 8, 2010 by tigergirl

--
I'm feeling lucky today......maybe someone will answer my post! I do try and answer a simple post when I can just to give something back.
PM me? - I'm not for hire