NodsDorf, posted July 1, 2009:

We had a customer online on the page customer_testimonials.php?testimonial_id=99999+union+select+1,2,concat(customers_lastname,0x3a,customers_password,0x3a,customers_email_address),4,5,6,7,8+from+customers/*

This looks very much like a SQL query; however, the link that was displayed on our site was simply the one to write a testimonial. It looks very suspicious to me, so I did ban the IP. I am wondering, however, if this is something I should be concerned with.
spooks, posted July 1, 2009:

It's an SQL injection attack; many versions of customer_testimonials are vulnerable. I would advise installing Security Pro as a minimum:
http://addons.oscommerce.com/info/5752
http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam
Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
NodsDorf (author), posted July 1, 2009:

Thanks Sam, I could have sworn that I had Security Pro installed already, but after looking it was not. I have installed the contribution.

Another quick question: is there a way to test that it is protecting? I just entered that URL above and it still goes to the customer_testimonial.php page.
bluebikerboy1, posted July 1, 2009:

> Thanks Sam, I could have sworn that I had Security Pro installed already, but after looking it was not. I have installed the contribution. Another quick question: is there a way to test that it is protecting? I just entered that URL above and it still goes to the customer_testimonial.php page.

What can they do to the testimonial page? Couldn't you just delete what they wrote?
spooks, posted July 1, 2009:

> Thanks Sam, I could have sworn that I had Security Pro installed already, but after looking it was not. I have installed the contribution. Another quick question: is there a way to test that it is protecting? I just entered that URL above and it still goes to the customer_testimonial.php page.

It has nothing to do with the target page, but the SQL commands that can be executed. To test, put [w](o)%3Cr%3Ek|i*n^g in the URL.

Sam
spooks, posted July 1, 2009:

> What can they do to the testimonial page? Couldn't you just delete what they wrote?

No, if the command is actually executed, what they get is a list of your customers, with passwords & e-mail; they won't bother to write anything!!

Sam
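As an added illustration (not code from this thread, from osCommerce or from Security Pro): a small Python scan over constructed access-log lines that flags the request shape the original poster saw, both by decoding the query string and matching UNION SELECT / comment-terminator patterns and by applying the simpler rule that testimonial_id must be a plain integer. The log format, IP addresses and the list of integer-only parameters are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample log (Apache combined-style, assumed). The third line
# reproduces the request shape from the first post; the others are filler.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2009:10:02:11 +0000] "GET /customer_testimonials.php?testimonial_id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jul/2009:10:02:40 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 8211
198.51.100.9 - - [01/Jul/2009:10:05:03 +0000] "GET /customer_testimonials.php?testimonial_id=99999+union+select+1,2,concat(customers_lastname,0x3a,customers_password,0x3a,customers_email_address),4,5,6,7,8+from+customers/* HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jul/2009:10:05:09 +0000] "GET /customer_testimonials.php?testimonial_id=1%20UNION%20ALL%20SELECT%20NULL,NULL HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)')

# Patterns matched against the *decoded* parameter value, case-insensitively.
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bunion\b\W+(all\W+)?select\b",   # UNION [ALL] SELECT
    r"\bconcat\s*\(",                    # column-joining used to dump rows
    r"/\*",                              # comment used to swallow the rest of the query
    r"\bfrom\s+customers\b",             # direct read of the customers table
)]

# Parameters that osCommerce-style pages only ever use as numeric ids (assumed list).
INTEGER_PARAMS = {"testimonial_id", "products_id"}

def classify_request(path):
    """Return the reasons a request path looks like SQL injection (empty list = clean)."""
    reasons = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for raw in values:
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if name in INTEGER_PARAMS and not re.fullmatch(r"\d+", value):
                reasons.append(f"{name} is not a plain integer")
            for pat in SQLI_PATTERNS:
                if pat.search(value):
                    reasons.append(f"{name} matches {pat.pattern}")
    return reasons

def scan_access_log(text):
    """Return (ip, path, reasons) for every log line that trips classify_request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["path"])):
            hits.append((m["ip"], m["path"], reasons))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, path, *reasons, sep="\n  ")
```

The integer-only rule is the same check a fixed page applies when it casts testimonial_id to an int before building the query; the pattern list only adds visibility into what was attempted.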
FIMBLE, posted July 1, 2009:

> No, if the command is actually executed, what they get is a list of your customers, with passwords & e-mail; they won't bother to write anything!!

Not even thanks? :-)

Sometimes you're the dog and sometimes the lamp post
bluebikerboy1, posted July 2, 2009:

> Not even thanks? :-)

I didn't even know about this. Thank you for the heads up. I'm going to talk to my tech guy to see if I'm safe.
This topic is now archived and is closed to further replies.