
SECURITY: SQL Injection in "Additional Images"


defa


Hello!

 

Doing forensics in a hacked shop system we found the following vulnerability in the "Additional Images" module of osCommerce from "Author: zaenal <zaenal AT paramartha.org>". Find more detailed information here: http://www.oscommerce.com/community/contributions,1032

 

Description:

 

If an anonymous remote user changes the value of 'products_id' when he gets "product_info.php", he is able to insert SQL code into an SQL query, if the module in question is installed.

 

Impact:

 

An attacker might read out parts or the whole of the database.

 

Code:

 

The following code on line 16 in SHOPROOT/catalog/includes/modules/additional_images.php doesn't check the value of the "products_id" variable.

 

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

 

Solution:

 

Contact the author/vendor.

 

Workaround:

 

Change line 16 in SHOPROOT/catalog/includes/modules/additional_images.php to:

 

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");

 

Thanks to the guy who found the log entry in question.

 

bye

defa


Can you demonstrate how an attacker can read the whole database from this code:

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

 

Because the selection is for TABLE_ADDITIONAL_IMAGES, unless you have sensitive information stored with the images, I cannot see why the int cast will make a difference in preventing or giving access to the database.


www.mydomain.com/somefile.php?id=1%20UNION%20SELECT%20customers_phone,%20customers_id,%20customers_firstname,%20customers_lastname,%20customers_email_address%20from%20customers

(without line breaks)

 

Wouldn't get you much as it is, since the customers fields would be typecast to the products fields, but if you had the time, you could possibly glean stuff out. This url will pull information out of the customers table, even though the coded query is for products only.

 

Of course it would require MySQL 4.x or later.

Edited by kgt


Right, and that goes back to SQL injection issues, which may affect every script in the catalog if the input is not properly validated.

 

In application_top.php, pretty much at the beginning:

 

if (isset($HTTP_GET_VARS['products_id'])) {
  if (!is_numeric($HTTP_GET_VARS['products_id']))
    exit(); // or redirect somewhere
}

 

And of course, validation using an array for the various data types & input variables will be more appropriate.

Edited by enigma1
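The points made in the posts above, as an added example that is not osCommerce code nor the module author's: it rebuilds the "Additional Images" query in its vulnerable and (int)-cast forms and adds the per-parameter type-list validation enigma1 describes for application_top.php. The function names and the table name are hypothetical, and a real shop would first strip osCommerce's "{attribute}" suffix from products_id (tep_get_prid) before the integer check.

```php
<?php
// Added example, not osCommerce code. Function names are hypothetical.

const TABLE_ADDITIONAL_IMAGES = 'products_additional_images'; // constructed stand-in

// Vulnerable form from line 16: the raw GET value is spliced into the SQL string.
function images_query_vulnerable(array $get): string
{
    return "SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM "
        . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $get['products_id'] . "'";
}

// Workaround from the first post: (int) keeps only the leading digits, so the
// closing quote can no longer be broken out of.
function images_query_fixed(array $get): string
{
    return "SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM "
        . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int)$get['products_id'] . "'";
}

// Central validation for application_top.php: $rules maps input name => expected type.
// Returns the cleaned values, or null if any present parameter fails its type check
// (the caller then exits or redirects, as in enigma1's snippet).
function validate_get(array $get, array $rules): ?array
{
    $clean = [];
    foreach ($rules as $name => $type) {
        if (!isset($get[$name])) {
            continue; // optional parameter, nothing to check
        }
        $value = (string)$get[$name];
        if ($type === 'int') {
            // ctype_digit is stricter than is_numeric, which also accepts "1e3" or " 1".
            if ($value === '' || !ctype_digit($value)) {
                return null;
            }
            $clean[$name] = (int)$value;
        } elseif ($type === 'alnum') {
            if (!ctype_alnum($value)) {
                return null;
            }
            $clean[$name] = $value;
        } else {
            return null; // unknown type in the rule table: fail closed
        }
    }
    return $clean;
}

// Constructed inputs: a normal request and one carrying a quote-breaking value.
$benign  = ['products_id' => '42'];
$hostile = ['products_id' => "42' OR '1'='1"];
echo images_query_vulnerable($hostile), "\n", images_query_fixed($hostile), "\n";
var_dump(validate_get($hostile, ['products_id' => 'int']), validate_get($benign, ['products_id' => 'int']));
```

For the hostile input the vulnerable builder ends in WHERE products_id = '42' OR '1'='1' while the fixed one ends in WHERE products_id = '42', and validate_get() returns null for it but ['products_id' => 42] for the benign one.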

  • 2 years later...

I'm completely new at this, but would like to ask a stupid question:

 

I don't have "Additional Images" installed, but I get hit with injections 5 to 15 times daily, and those are just the ones I catch. All of them originating from IPs belonging to ISPs in Toronto CA. I'm blocking IPs when I catch it, but I have no idea what's going on.

 

My question is: Are these attacks successful even though Additional Images isn't installed? If not, why is this happening so frequently? What, if anything, can be done to spot it? OK, that's more than one question. Sorry.

 

I'm just a little freaked about it.

 

Chat.ru

Land.ru

something-or-theer.lv

 

My wife is Russian, and she says that nothing looks too odd about the sites, but it sure ain't right.

 

What do we do? :'(

 

Thanks for any help you can provide.
