iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability

Name              iScripts MultiCart
Vendor            http://www.iscripts.com
Versions Affected 2.2

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-03-07


X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

|
I. ABOUT THE APPLICATION

iScripts MultiCart 2.2 is an online shopping cart solution that
lets you run a single storefront with multiple vendors selling
physical or digital (downloadable) products.


II. DESCRIPTION

The mechanism the application uses to prevent SQL Injection is
a keyword blacklist applied to the query string, which is not an
adequate defence. As a result, many SQL Injection flaws remain
exploitable.

III. ANALYSIS

Summary:

A) Multiple SQL Injection


A) Multiple SQL Injection

The protection consists of converting the query string to
uppercase and checking whether it contains the words UNION and
SELECT. Because the check is a plain substring match, inserting
C-style comments into the query string is enough to bypass it.
Example:

    SELECT becomes SE/**/LE/**/CT
    UNION  becomes UN/**/ION

The modified strings no longer match the blacklisted words, but
MySQL still parses them as the original keywords, so the filter
provides no real protection and the underlying queries remain
injectable.

The following is the affected code (session.php):

    // Uppercase the raw query string and look for the two blacklisted keywords.
    $mystring = strtoupper($_SERVER['QUERY_STRING']);
    $server_injec1=strpos($mystring, 'SELECT');
    $server_injec2=strpos($mystring, 'UNION');

    // strpos() returns an int or false, so the '0' (string) comparisons can never
    // match; the check effectively reduces to "neither keyword found".
    if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0'))
    {
        ;
    }//end if
    else
    {
        header('location:index.php');
        exit();
    }

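To illustrate why the blacklist above fails and what an adequate fix looks like, here is an added example (not part of the advisory or of MultiCart) in Python: it re-implements the same substring check, shows that comment-split keywords slip past it, and contrasts it with a typed, parameterised lookup. The table, column names and sample rows are constructed for the demonstration.

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory orders table standing in for the real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderid INTEGER, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def blacklist_passes(query_string):
    """Same logic as the session.php check: uppercase, then substring search.
    Returns True when the request would be allowed through."""
    s = query_string.upper()
    return "SELECT" not in s and "UNION" not in s


def strip_comments(query_string):
    """Remove /* ... */ comments so split keywords are visible again.
    Useful for detection/logging, but normalising input is not a fix:
    a blacklist can never enumerate every tokenisation the parser accepts."""
    return re.sub(r"/\*.*?\*/", "", query_string, flags=re.S)


def safe_lookup(conn, orderid):
    """The actual mitigation: enforce the expected type, then bind the value
    as a parameter so it can never be interpreted as SQL syntax."""
    try:
        oid = int(orderid)
    except ValueError:
        return None  # reject anything that is not an integer order id
    rows = conn.execute("SELECT customer FROM orders WHERE orderid = ?", (oid,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    split = "orderid=1 UN/**/ION SE/**/LE/**/CT 1"
    print("blacklist lets split keywords through:", blacklist_passes(split))
    print("after comment stripping:", blacklist_passes(strip_comments(split)))
    db = setup_db()
    print("typed/parameterised lookup:", safe_lookup(db, "2"), safe_lookup(db, split))
```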
IV. SAMPLE CODE

A) Multiple SQL Injection

    http://site/path/refund_request.php?orderid=SQL


V. FIX

No Fix.