
osCommerce 2.3.4.1 - 'reviews_id' SQL Vulnerabilities


vanzantz


Reviewing a site I am working on and using sqlmap, I am getting a positive hit for $_GET['reviews_id'] in the product_reviews_info.php file.

Examining the flagged file, it's using typecasting with (int) on the instances with the get request and the parameter.

This does not appear to be resolving the positive hit for the sql injection.

Are there any tips on how to address this with this platform? mysql_real_escape(); ?

Researching for a fix I see this vulnerability being reported:

https://www.exploit-db.com/exploits/46330

https://www.nmmapper.com/st/exploitdetails/46330/40818/oscommerce-2341-reviews_id-sql-injection/


1 hour ago, swguy said:

Neither of those links work - please check and repost. 

You can copy and paste them into the address bar.

Dan


  • 1 month later...
Was there a fix for this issue?  


On 8/10/2019 at 1:54 PM, vanzantz said:

Are there any tips on how to address with this platform? mysql_real_escape(); ?

mysql_real_escape is deprecated. Casting to int is superior, but the recommended way would be to change to parameterized queries via something like PDO.

Phoenix deprecated product reviews, so it wouldn't have this particular issue. 

Always back up before making changes.

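To make the two options from the reply above concrete, here is an added example (not osCommerce's own code) showing the (int)-cast lookup beside a PDO prepared statement for the same reviews_id query; the table name `reviews`, the column `reviews_rating` and the SQLite test database are assumptions introduced for the demonstration.

```php
<?php
// Added example, not osCommerce code. The table name "reviews" and the
// column "reviews_rating" are assumptions; "reviews_id" is the parameter
// discussed in the thread. $pdo is an existing PDO connection.

// Normalise the request parameter exactly as the (int) cast does:
// whatever text arrives, the result is an integer (non-numeric input becomes 0).
function reviewIdFromRequest(array $get): int
{
    return isset($get['reviews_id']) ? (int)$get['reviews_id'] : 0;
}

// Option 1: integer cast, then interpolate. Safe only because $id is an int,
// so the query text can never contain attacker-controlled characters.
function findReviewByCast(PDO $pdo, array $get): ?array
{
    $id = reviewIdFromRequest($get);
    if ($id <= 0) {
        return null; // no usable id, nothing to look up
    }
    $sql = "SELECT reviews_id, reviews_rating FROM reviews WHERE reviews_id = $id";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Option 2: prepared statement. The value travels as a bound parameter and
// the query text is fixed, so the guarantee no longer rests on the cast.
function findReviewPrepared(PDO $pdo, array $get): ?array
{
    $stmt = $pdo->prepare(
        'SELECT reviews_id, reviews_rating FROM reviews WHERE reviews_id = :id'
    );
    $stmt->bindValue(':id', reviewIdFromRequest($get), PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed demonstration data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE reviews (reviews_id INTEGER PRIMARY KEY, reviews_rating INTEGER)');
$pdo->exec('INSERT INTO reviews VALUES (7, 4)');

// '7abc' casts to 7 (trailing text is discarded) and finds row 7; 'abc' casts to 0 and finds nothing.
var_dump(findReviewByCast($pdo, ['reviews_id' => '7abc']));
var_dump(findReviewByCast($pdo, ['reviews_id' => 'abc']));
var_dump(findReviewPrepared($pdo, ['reviews_id' => '7abc']));
```

Both lookups return the same single row for any input: the cast version because the SQL only ever sees an integer, the prepared version because the query text is fixed before the value is bound.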

  • 2 weeks later...

@inrifoundation

installation is the same regardless of whether you install it on your local server, or your host's server ...

Malcolm

PS: Hijacking a thread (changing the subject within the thread) is poor form. Please start a new thread with your question.

PPS: Since you are doing a clean install, please be sure to use the Community Edition 'Phoenix' version of osC (link in my signature), and not the 'official' release. The 'official' release is very much out of date.


@vanzantz those two exploit reports are from the same bloke and they are not verified. I think they are wrong, he doesn't understand what a boolean-based sql injection attack is or for that matter how to test for a sql injection vulnerability of any kind.

FWIW I am confident your tool is reporting a false positive and the code is perfectly safe. I can find no report anywhere that integer casting is not proof against injection. You always end up with an integer, so you can never get anything but found or not found for a match to the review_id and you can't add anything to the sql statement.

Of course it's possible he's just a better hacker than I am a coder 😉

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
