
osCommerce

The e-commerce.

osCommerce 2.3.4.1 - 'reviews_id' SQL Vulnerabilities


vanzantz

Recommended Posts

Posted

Reviewing a site I am working on and using sqlmap, I am getting a positive hit for $_GET['reviews_id'] in the product_reviews_info.php file.

Examining the flagged file it's using typecasting with (int) on the instances with the get request and the parameter.

This does not appear to be resolving the positive hit for the sql injection.

Are there any tips on how to address with this platform? mysql_real_escape(); ?

Researching for a fix I see this vulnerability being reported:

https://www.exploit-db.com/exploits/46330

https://www.nmmapper.com/st/exploitdetails/46330/40818/oscommerce-2341-reviews_id-sql-injection/


Posted

Neither of those links work - please check and repost. 

Contributions: Better Together and Quantity Discounts for osCommerce 2.3.x and Phoenix. See my profile for more details.

Posted

Weird.  I could swear it didn't work yesterday when I tried that.  

Contributions: Better Together and Quantity Discounts for osCommerce 2.3.x and Phoenix. See my profile for more details.

  • 1 month later...
Posted
On 8/10/2019 at 10:54 AM, vanzantz said:

Reviewing a site I am working on and using sqlmap, I am getting a positive hit for $_GET['reviews_id'] in the product_reviews_info.php file.

Examining the flagged file it's using typecasting with (int) on the instances with the get request and the parameter.

This does not appear to be resolving the positive hit for the sql injection.

Are there any tips on how to address with this platform? mysql_real_escape(); ?

Researching for a fix I see this vulnerability being reported:

https://www.exploit-db.com/exploits/46330

https://www.nmmapper.com/st/exploitdetails/46330/40818/oscommerce-2341-reviews_id-sql-injection/


Was there a fix for this issue?  

Posted

I am guessing the security 2.3.4 and 2.3.4.1 BS  issues are resolved by Phoenix?

Posted
On 8/10/2019 at 1:54 PM, vanzantz said:

Are there any tips on how to address with this platform? mysql_real_escape(); ?

mysql_real_escape is deprecated.  Casting to int is superior, but the recommended way would be to change to parameterized queries via something like PDO. 

Phoenix deprecated product reviews, so it wouldn't have this particular issue. 

Always back up before making changes.

  • 2 weeks later...
Posted

Hello everyone  I am trying to find a ROOT PASSWORD to try and get my OSCOMMERCE download to work through the MySql program I have on my computer and it asks for a root password and I just don't know what it could be...

Posted

@inrifoundation

installation is the same regardless of whether you install it on your local server, or your host's server ...

Malcolm

PS: Hijacking a thread (changing the subject within the thread) is poor form. Please start a new thread with your question.

PPS: Since you are doing a clean install, please be sure to use the Community Edition 'Phoenix' version of osC (link in my signature), and not the 'official' release. The 'official' release is very much out of date.

Posted

@vanzantz those two exploit reports are from the same bloke and they are not verified. I think they are wrong, he doesn't understand what a boolean-based sql injection attack is or for that matter how to test for a sql injection vulnerability of any kind.

FWIW I am confident your tool is reporting a false positive and the code is perfectly safe. I can find no report anywhere that integer casting is not proof against injection. You always end up with an integer, so you can never get anything but found or not found for a match to the review_id and you can't add anything to the sql statement.

Of course it's possible he's just a better hacker than I am a coder 😉

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
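To make the two points above concrete (the earlier reply's advice to prefer parameterized queries via PDO, and the last reply's argument that an (int) cast leaves nothing for an injected payload to alter), here is an added example written for this page; it is not osCommerce's code and not from either poster. It assumes the query shape `where reviews_id = '<int>'` that product_reviews_info.php uses, reuses osCommerce's `reviews` table and column names, and constructs an in-memory SQLite database and a handful of sqlmap-style payloads purely for the demonstration.

```php
<?php
// Added example (not osCommerce's own code). Shows what (int) casting does to
// typical sqlmap payloads for reviews_id, then the PDO parameterized form.
// Table/column names follow osCommerce's schema; the SQLite DSN, sample rows
// and payload list are constructed for this demo.

declare(strict_types=1);

// Constructed payloads of the kind sqlmap sends for boolean/union-based tests.
$payloads = [
    "5",
    "5 AND 1=1",
    "5 AND 1=2",
    "5' OR '1'='1",
    "5 UNION SELECT 1,2,3-- -",
    "0x35",
];

// The pattern product_reviews_info.php uses: cast before interpolating.
function castedQuery(string $raw): string
{
    $id = (int)$raw;   // "5 AND 1=2" -> 5, "5' OR '1'='1" -> 5, "0x35" -> 0
    return "select reviews_id from reviews where reviews_id = '" . $id . "'";
}

foreach ($payloads as $p) {
    printf("%-28s -> %s\n", var_export($p, true), castedQuery($p));
}
// Each payload collapses to its leading digits: the attacker chooses which
// integer is looked up, never the text of the statement.

// Parameterized version: the value never enters the SQL text at all.
$pdo = new PDO('sqlite::memory:');   // constructed in-memory DB for the demo
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("create table reviews (reviews_id integer primary key, products_id integer, reviews_rating integer)");
$pdo->exec("insert into reviews values (5, 28, 4), (6, 29, 5)");

function fetchReview(PDO $pdo, string $raw): ?array
{
    $stmt = $pdo->prepare(
        "select reviews_id, products_id, reviews_rating from reviews where reviews_id = :id"
    );
    // Cast and bind as an integer: defence in depth even if the cast is dropped.
    $stmt->bindValue(':id', (int)$raw, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

foreach (["5", "5 AND 1=2", "5' OR '1'='1"] as $p) {
    $row = fetchReview($pdo, $p);
    printf("%-16s -> %s\n", var_export($p, true), $row ? json_encode($row) : 'not found');
}
// All three return review 5. With a real boolean-based injection, "5 AND 1=2"
// would return "not found" while "5" returns the row; here the responses
// cannot differ, which is why a scanner's boolean-based hit is suspect.
```

A quick manual check before trusting or dismissing the scanner: request `product_reviews_info.php?reviews_id=5%20AND%201%3D1` and `...reviews_id=5%20AND%201%3D2` and diff the two pages. If the (int) cast is in place both requests load review 5 identically, and a boolean-based finding is a false positive; if they differ, look for a second, uncast use of the same parameter (for example in a header, breadcrumb or related-products query) rather than the one you already inspected.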
