Guest
Posted May 31, 2010

DESCRIPTION:
Christopher Schramm has discovered a vulnerability in the Visitor Web Stats module for osCommerce, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed via the "Accept-Language" HTTP header to index.php is not properly sanitised before being used in SQL queries in includes/visitors_count.php. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 3.2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised (sic).

--------------------------------------------------------------------

Has anyone done the necessary editing? Care to share the code?
demoalt
Posted September 27, 2010

Bug can be fixed by sanitizing the HTTP_ACCEPT_LANGUAGE variable.

Modify includes/visitors_count.php

Look for:

$b_lang = getenv('HTTP_ACCEPT_LANGUAGE');

then create a function to sanitize the b_lang value against SQL Injection (such as forbidding values, keywords) and so on...

You have many scripts available to sanitize against SQL Injection on the web, such as this one: http://www.dreamincode.net/code/snippet1428.htm

/*
  Function: sql_sanitize( $sCode )
  Description: "Sanitize" a string of SQL code to prevent SQL injection.
  Parameters: $sCode: The SQL code which you wish to sanitize.
  Example: mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"');
  Requirements: PHP version 4 or greater
*/
function sql_sanitize( $sCode ) {
    if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version >= 4.3.0
        $sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string.
    } else { // If PHP version < 4.3.0
        $sCode = addslashes( $sCode ); // Precede sensitive characters with a slash \
    }
    return $sCode; // Return the sanitized code
}
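One way to implement the fix discussed in this thread, as an added example that is not part of either post or of the Visitor Web Stats module: it allowlists the Accept-Language value and passes it as a bound parameter, since escaping alone only helps when the value sits inside quotes in the query. The function names, the table and column names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example. visitors_demo / browser_language are hypothetical names,
// not the module's real schema.

// Reduce an Accept-Language header to allowlisted language ranges
// ("en", "en-US", "*", optionally followed by ";q=0.8"); drop everything else.
function clean_accept_language($raw, $maxLen = 64)
{
    if (!is_string($raw) || $raw === '') {
        return ''; // getenv() returns false when the header is absent
    }
    $kept = array();
    foreach (explode(',', substr($raw, 0, 512)) as $item) {
        $item = trim($item);
        $ok = preg_match(
            '/^(\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*)'
            . '(\s*;\s*q=(0(\.\d{1,3})?|1(\.0{1,3})?))?$/',
            $item
        );
        if ($ok === 1) {
            $kept[] = preg_replace('/\s+/', '', $item);
        }
    }
    return substr(implode(',', $kept), 0, $maxLen);
}

// Store the cleaned value with a bound parameter, so the header text
// never becomes part of the SQL statement itself.
function log_visitor_language(PDO $db, $raw)
{
    $lang = clean_accept_language($raw);
    $stmt = $db->prepare('INSERT INTO visitors_demo (browser_language) VALUES (:lang)');
    $stmt->execute(array(':lang' => $lang));
    return $lang;
}

// Constructed sample inputs, run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visitors_demo (browser_language TEXT)');

$samples = array(
    'en-US,en;q=0.8,de;q=0.5', // ordinary browser header
    "en' OR '1'='1",           // constructed value containing SQL metacharacters
    false,                     // header missing
);
foreach ($samples as $sample) {
    var_dump(log_visitor_language($db, $sample));
}
```

In the module itself the same cleaning function would wrap the getenv('HTTP_ACCEPT_LANGUAGE') call quoted above, before $b_lang reaches any query.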
This topic is now archived and is closed to further replies.