
osCommerce


Security Question


NodsDorf


We had a customer online on the page of

customer_testimonials.php?testimonial_id=99999+union+select+1,2,concat(customers_lastname,0x3a,customers_password,0x3a,customers_email_address),4,5,6,7,8+from+customers/*

This looks very much like a SQL query; however, the link that was displayed on our site was simply that for writing a testimonial. It looks very suspicious to me, so I did ban the IP. I am wondering, however, if this is something I should be concerned with.

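The request above is the kind of thing a store owner first meets in the web server's access log, as the original poster did. The following is an added example, not code from the thread or from osCommerce: a small log scanner that decodes each query-string value before matching, so that `+`, `%20` and upper case cannot hide the keyword, and reports the client addresses behind the findings. The log lines, client addresses and pattern names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Apache "common" format; they are not
# taken from any real server.  Line 2 carries the request quoted in the thread
# (with a constructed client address); line 4 is the same idea written with
# %20 and upper case to show why decoding before matching matters.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2009:10:14:02 +0000] "GET /customer_testimonials.php?testimonial_id=12 HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jun/2009:10:14:09 +0000] "GET /customer_testimonials.php?testimonial_id=99999+union+select+1,2,concat(customers_lastname,0x3a,customers_password,0x3a,customers_email_address),4,5,6,7,8+from+customers/* HTTP/1.1" 200 4871
203.0.113.7 - - [10/Jun/2009:10:15:30 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 9021
198.51.100.9 - - [10/Jun/2009:10:16:01 +0000] "GET /customer_testimonials.php?testimonial_id=99999%20UNION%20SELECT%201,2,3,4,5,6,7,8 HTTP/1.1" 200 4871
"""

# One Apache common-log line: client, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators checked against each *decoded* query-string value, so that
# '+', '%20' and mixed case cannot hide the keyword from the match.
SQLI_PATTERNS = {
    'union-select': re.compile(r'\bunion\b\s+(?:all\s+)?select\b', re.I),
    'sql-comment': re.compile(r'/\*|--'),
}


def decoded_params(target):
    """Split the request target and return (name, value) pairs, fully decoded."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def classify_request(line):
    """Return a finding for a log line whose query string carries an indicator,
    or None for ordinary traffic or a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = {}
    for name, value in decoded_params(m['target']):
        matched = sorted(tag for tag, pat in SQLI_PATTERNS.items() if pat.search(value))
        if matched:
            findings[name] = matched
    if not findings:
        return None
    return {
        'ip': m['ip'],
        'ts': m['ts'],
        'path': urlsplit(m['target']).path,
        'status': int(m['status']),
        'params': findings,  # parameter name -> indicators that fired
    }


def scan_log(text):
    """Run classify_request over every line and keep only the findings."""
    return [f for f in map(classify_request, text.splitlines()) if f is not None]


def offending_ips(text):
    """Distinct client addresses behind the findings, e.g. as input to a ban list."""
    return sorted({f['ip'] for f in scan_log(text)})


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print('addresses to review:', offending_ips(SAMPLE_LOG))
```

Note that both injected requests in the sample were answered with status 200, exactly as the poster saw the page still render: the response code tells you nothing here, which is why the scan keys on the decoded parameter values rather than on errors.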

It's an SQL injection attack; many versions of customer_testimonials are vulnerable. I would advise installing Security Pro as a minimum: http://addons.oscommerce.com/info/5752

http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.

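Sam's point is that the page is vulnerable because the value of `testimonial_id` is spliced into the SQL text, so a value that carries `union select ... from customers` turns one query into two. The example below is added here and is not osCommerce's code (osCommerce is PHP; this models the same pattern in Python with an in-memory SQLite store so it can be run as-is). It shows the vulnerable string-building beside the hardened form: validate the id as a small positive integer, then bind it as a parameter. Table names are taken from the request in the thread; the rows, the placeholder password value and all function names are constructed.

```python
import re
import sqlite3

# The value the thread's request passed in testimonial_id, with the '+' of the
# URL decoded to spaces.
INJECTED_ID = ("99999 union select 1,2,concat(customers_lastname,0x3a,customers_password,"
               "0x3a,customers_email_address),4,5,6,7,8 from customers/*")

SELECT_TESTIMONIAL = ("SELECT testimonial_id, customers_name, testimonial_text "
                      "FROM testimonials WHERE testimonial_id = ")


def build_store():
    """Constructed in-memory store with made-up rows: the testimonials table the
    page reads from and the customers table the injected UNION reaches for."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE customers (
            customers_id INTEGER PRIMARY KEY,
            customers_lastname TEXT,
            customers_password TEXT,
            customers_email_address TEXT);
        CREATE TABLE testimonials (
            testimonial_id INTEGER PRIMARY KEY,
            customers_name TEXT,
            testimonial_text TEXT);
        INSERT INTO customers VALUES (1, 'Doe', 'password-hash-placeholder', 'jdoe@example.com');
        INSERT INTO testimonials VALUES (12, 'J. Doe', 'Fast shipping, thanks!');
    """)
    return conn


def build_query_unsafe(raw_id):
    """The vulnerable pattern: the GET value is spliced into the SQL text, so a
    value carrying 'union select ... from customers' becomes a second query."""
    return SELECT_TESTIMONIAL + raw_id


def parse_testimonial_id(raw_id):
    """testimonial_id is a row number, so accept only a short positive decimal
    integer and reject everything else before it gets anywhere near SQL."""
    if not isinstance(raw_id, str) or not re.fullmatch(r'[1-9][0-9]{0,9}', raw_id):
        raise ValueError(f'invalid testimonial_id: {raw_id!r}')
    return int(raw_id)


def fetch_testimonial(conn, raw_id):
    """Hardened lookup: validate the id, then bind it as a parameter."""
    tid = parse_testimonial_id(raw_id)
    return conn.execute(SELECT_TESTIMONIAL + '?', (tid,)).fetchone()


def fetch_with_binding_only(conn, raw_id):
    """Binding alone, without the validation step: the whole value is compared
    as data against testimonial_id, so it can never change the statement."""
    return conn.execute(SELECT_TESTIMONIAL + '?', (raw_id,)).fetchone()


def is_rejected(raw_id):
    """True when the validator refuses the value."""
    try:
        parse_testimonial_id(raw_id)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    conn = build_store()
    print('unsafe SQL built from the request:\n ', build_query_unsafe(INJECTED_ID))
    print('validated lookup of id 12:', fetch_testimonial(conn, '12'))
    print('injected value rejected:', is_rejected(INJECTED_ID))
    print('binding only, injected value:', fetch_with_binding_only(conn, INJECTED_ID))
```

Either layer on its own stops this particular request; keeping both is the usual choice, because the integer check fails loudly (and is cheap to log and alert on), while parameter binding protects every query regardless of what the validator missed.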

Thanks Sam,

 

I could have sworn that I had Security Pro installed already, but after looking it was not. I have installed the contribution. Another quick question, is there a way to test that it is protecting? I just entered that URL above and it still goes to the customer_testimonial.php page.


Thanks Sam,

 

I could have sworn that I had Security Pro installed already, but after looking it was not. I have installed the contribution. Another quick question, is there a way to test that it is protecting? I just entered that URL above and it still goes to the customer_testimonial.php page.

 

 

What can they do to the testimonial page? Couldn't you just delete what they wrote?


Thanks Sam,

 

I could have sworn that I had Security Pro installed already, but after looking it was not. I have installed the contribution. Another quick question, is there a way to test that it is protecting? I just entered that URL above and it still goes to the customer_testimonial.php page.

 

 

It has nothing to do with the target page, but with the SQL commands that can be executed.

To test, put

[w](o)%3Cr%3Ek|i*n^g

in the URL.

Sam

 


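The probe Sam suggests is a readable word wrapped in brackets, pipes, carets and an encoded `<r>`: a filter that strips characters it does not allow from query-string values leaves only `working`, which is what makes it a quick self-test. The following is an added example, not the Security Pro add-on's code: the thread does not give the add-on's exact character rules or what the page should show afterwards, so the allowlist, the "working" criterion and every function name here are my own assumptions, chosen to model a sanitising filter of that kind and to show why it must decode each value exactly once.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode, urlsplit, urlunsplit

# The probe from the thread and the original injected value, as they appear in
# the URL (percent-encoded, '+' for space).
SELF_TEST = "[w](o)%3Cr%3Ek|i*n^g"
INJECTED_ID = ("99999+union+select+1,2,concat(customers_lastname,0x3a,customers_password,"
               "0x3a,customers_email_address),4,5,6,7,8+from+customers/*")

# Allowlist of characters a query-string value may keep.  The thread does not
# state Security Pro's own rules; this set is an assumption chosen so that the
# probe above comes out as the readable word it is obviously meant to form.
DISALLOWED = re.compile(r'[^A-Za-z0-9_]')


def strip_disallowed(text):
    """Remove every character outside the allowlist from an already-decoded value."""
    return DISALLOWED.sub('', text)


def clean_value(raw):
    """Decode once, then filter.  Decoding exactly once matters: a filter that
    decodes again after filtering can be fed %-sequences that re-form."""
    return strip_disallowed(unquote_plus(raw))


def clean_url(url):
    """Rebuild the URL with every query parameter name and value filtered,
    i.e. what a sanitising redirect would send the browser to.  parse_qsl
    performs the single decode; the pieces are filtered and re-encoded."""
    parts = urlsplit(url)
    pairs = [(strip_disallowed(k), strip_disallowed(v))
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def probe_result(url):
    """Value of testimonial_id after filtering: 'working' means the probe's
    brackets, pipes and carets were removed as intended."""
    query = urlsplit(clean_url(url)).query
    return dict(parse_qsl(query, keep_blank_values=True)).get('testimonial_id')


def has_sql_metacharacters(value):
    """Anything a UNION payload needs in order to parse: whitespace,
    parentheses, commas, quotes and comment markers."""
    return re.search(r"""[\s(),/*'"\-;]""", value) is not None


if __name__ == '__main__':
    url = 'http://shop.example/customer_testimonials.php?testimonial_id=' + SELF_TEST
    print('probe after filtering :', probe_result(url))
    print('redirect target       :', clean_url(url))
    print('injected value after  :', clean_value(INJECTED_ID))
```

A global character allowlist of this kind is defence in depth: it blunts the injected value (no spaces, parentheses or comment markers survive, and the result is no longer a number), but it also mangles legitimate parameters that contain spaces or punctuation, and it does nothing for parameters the filter does not cover. The fix at the query level is still to cast or bind `testimonial_id`; the filter is a second layer in front of it.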

What can they do to the testimonial page? Couldn't you just delete what they wrote?

 

No, if the command is actually executed what they get is a list of your customers, with passwords & e-mail; they won't bother to write anything!!

Sam

 



Archived

This topic is now archived and is closed to further replies.
