
osCommerce


Declare Hack


daninjapan


Posted

Has anyone noticed the declare hack in the 'who's online' feature recently? It seems I'm being hit with it every day. The URL looks something like this:

/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204

I've been reading about it, and it seems it is a hack that is trying to get into your SQL database to plant things in there.

Is the osCommerce script protected against this hack, or are there any updates available for this?
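The request quoted above is the usual shape of this probe: a Transact-SQL variable is DECLAREd and then SET from a CAST of a hex literal, so the real statement is hidden inside the hex digits. Below is an added example (not code from the post or from osCommerce) that scans Apache access-log lines for that pattern and decodes the hex so an administrator can see what the probe carried. The two log lines are constructed for the example; the hex fragment is the one quoted in the post, which is truncated to an odd number of digits, and the decoder copes with that instead of raising.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The first
# carries the truncated payload fragment quoted in the post; the second is
# an ordinary osCommerce product request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2008:03:14:07 +0000] "GET /?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/May/2008:03:15:11 +0000] "GET /product_info.php?products_id=42 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signature of the probe: a DECLAREd variable, then SET @var = CAST(0x<hex>...).
# Matched against the URL-decoded query string so %20 and friends do not matter.
INJECT_RE = re.compile(
    r'declare\s+@\w+\s+(?:n?var)?char\s*\(\s*\d+\s*\)\s*;\s*'
    r'set\s+@\w+\s*=\s*cast\s*\(\s*0x(?P<hex>[0-9a-f]*)',
    re.IGNORECASE,
)


def decode_hex_payload(hex_digits: str) -> str:
    """Decode the hex literal wrapped in CAST(0x...).

    Log truncation often leaves an odd number of digits; drop the dangling
    nibble and decode what remains rather than failing on the whole line.
    """
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    # latin-1 maps every byte to a character, so decoding never raises.
    return bytes.fromhex(hex_digits).decode("latin-1")


def scan_log(text: str):
    """Return one finding per request whose query string matches the probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = m.group("path").partition("?")[2]
        hit = INJECT_RE.search(unquote(query))
        if hit:
            hex_digits = hit.group("hex")
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "decoded": decode_hex_payload(hex_digits),
                "truncated": len(hex_digits) % 2 == 1,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (payload truncated in log)" if f["truncated"] else ""
        print(f"{f['time']} {f['ip']} decoded: {f['decoded']!r}{flag}")
```

On the sample above the fragment decodes to `DECLARE `, i.e. the hidden statement itself starts with another DECLARE; on an untruncated line the decoded string shows the full statement the probe tried to run, which is what you want in an incident note alongside the source IP and time.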

Posted

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.

Posted

I have put the following in my .htaccess file:

RewriteEngine On
# Refuse any query string that contains an injection delimiter (raw or a few
# percent-encoded forms) followed later by an SQL keyword; [NC] makes it case-insensitive
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
# Answer 403 Forbidden without rewriting the URL
RewriteRule .* - [F]

Can anyone see any problems with this rewrite?
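One way to review a rule like this before deploying it is to run the same pattern over query strings the shop actually receives. The added example below (not code from the post or from osCommerce) compiles the posted RewriteCond expression verbatim in Python, with `[NC]` mapped to case-insensitive matching, and applies it to a handful of constructed query strings: the probe from the first post plus ordinary osCommerce-style requests. Apache tests the raw, still percent-encoded QUERY_STRING, so the samples are kept encoded.

```python
import re

# The posted RewriteCond pattern, copied verbatim; [NC] becomes re.IGNORECASE.
# Group 1 is the delimiter, group 2 the SQL keyword that must follow it.
RULE = re.compile(
    r'''^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*''',
    re.IGNORECASE,
)


def is_blocked(query_string: str) -> bool:
    """True when the rule's 403 would fire for this raw (encoded) query string."""
    return RULE.search(query_string) is not None


def explain(query_string: str):
    """Return (blocked, delimiter, keyword) so a hit can be traced to its cause."""
    m = RULE.search(query_string)
    if not m:
        return (False, None, None)
    return (True, m.group(1), m.group(2))


# Constructed query strings and the verdict the rule gives each one.
CASES = {
    # the probe quoted in the first post: blocked, as intended
    ";DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204": True,
    # ordinary catalogue request: allowed
    "products_id=42&osCsid=abc123": False,
    # keyword with no delimiter anywhere: allowed
    "keywords=cast+iron+skillet": False,
    # same search typed in quotes (%22 ... %22): blocked, a false positive
    "keywords=%22cast+iron%22": True,
    # apostrophe (%27) then 'closet', which contains 'set': blocked, a false positive
    "keywords=women%27s+closet": True,
}


def run_cases():
    """Evaluate every constructed query string and return its verdict."""
    return {q: is_blocked(q) for q in CASES}


if __name__ == "__main__":
    for q in CASES:
        blocked, delim, kw = explain(q)
        verdict = f"403 (delimiter {delim!r}, keyword {kw!r})" if blocked else "allowed"
        print(f"{q!r}: {verdict}")
```

The two false positives come from the keyword alternatives being bare substrings rather than whole words, so a quoted or apostrophe-bearing search phrase that happens to contain `set`, `cast` or `drop` inside a longer word is refused. Also keep in mind that the rule inspects only `QUERY_STRING`; form data sent in a POST body never reaches it, so it complements rather than replaces escaping and parameterised queries in the application itself.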
