
chickenmedia

Security


Can somebody put PHP code in the input field? I have tested putting PHP code into the Firstname, Lastname, etc. in the address book. I think the code should check any customer's input and remove anything like code, HTML tags, etc.

 

:roll:

Can somebody put PHP code in the input field? I have tested putting PHP code into the Firstname, Lastname, etc. in the address book. I think the code should check any customer's input and remove anything like code, HTML tags, etc.

 

:roll:

 

This is kinda what I was talking about.

 

Is it possible to use the osCommerce interface to send PHP or SQL statements to the DB that would compromise the security of the DB?

 

TIA Shawn


Shawn W. Roy

 

-----BEGIN GEEK CODE BLOCK-----

Version: 3.1

GAT d->dpu s: a C++++$ W+++$ N++ w+++++$ M--

PGP t+++ 5 X+ R tv+++ b++++ DI++ D+++ G++ e+++++

h++ r+++ y++

------END GEEK CODE BLOCK------


Theoretically you can get access to the DB by adding stuff in most of the input fields in osC. Practically anybody can crash the SQL input so the [TEP ERROR] message displays the query. With that info you could then try different queries and retrieve interesting data from which you might be able to actually gain access to the db itself. Haven't successfully done this but I am quite positive it can be done.

 

Another issue is the (java) Cross-Site-Scripting attacks which you can read more about in the "old" forums... A fix is being worked on but I don't know if it has been incorporated into the CVS yet.

 

As for now I would advise to alter the [TEP ERROR] thing so it only displays the query in debug mode, not in a live environment.

 

On the other hand any hacker or wannabe scriptkiddie can grab the latest osC copy and see the default setup.


"Politics is the art of preventing people from taking part in affairs which properly concern them"

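The two concerns raised in this thread (input such as PHP or HTML in the address book fields, and the [TEP ERROR] message printing the failing query on a live shop) are addressed by the same three habits: send customer input to the database as bound parameters rather than pasted into the SQL string, encode stored values when they are echoed back into a page, and only reveal query text when a debug switch is on. The following PHP is an added example written for this thread, not code from osCommerce; the `DEBUG_MODE` constant, the `address_book` column names and the `$db` mysqli connection are assumptions for illustration.

```php
<?php
// Added example, not osCommerce code. Assumes a mysqli connection in $db and
// a hypothetical DEBUG_MODE constant (both assumptions for this illustration).
declare(strict_types=1);

// Hypothetical debug switch; a live shop would leave this false.
define('DEBUG_MODE', false);

/**
 * Report a failed query. The SQL text and the driver error are shown only
 * in debug mode; a live visitor gets a generic message and the details go
 * to the server log, so a deliberately broken input cannot reveal the query.
 */
function report_db_error(string $sql, string $error): string
{
    if (DEBUG_MODE) {
        return '[DEBUG] ' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8')
             . ' in query: ' . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8');
    }
    error_log("DB error: $error | query: $sql");
    return 'A database error occurred. Please try again later.';
}

/**
 * Insert an address-book entry with a prepared statement. Values such as
 * "O'Brien" or "<b>Bob</b>" are passed as data through bind_param and can
 * never alter the structure of the SQL, whatever characters they contain.
 * Column names are assumed for the example.
 */
function insert_address(mysqli $db, int $customerId, string $firstname, string $lastname): int
{
    $sql = 'INSERT INTO address_book (customers_id, entry_firstname, entry_lastname) VALUES (?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        echo report_db_error($sql, $db->error);
        exit(1);
    }
    $stmt->bind_param('iss', $customerId, $firstname, $lastname);
    if (!$stmt->execute()) {
        echo report_db_error($sql, $stmt->error);
        exit(1);
    }
    return (int) $db->insert_id;
}

/**
 * Encode a stored value for HTML output. Stripping tags at input time is
 * fragile (and mangles legitimate names); encoding at output time renders
 * "<b>Bob</b>" as literal text instead of markup, whatever was stored.
 */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, the kind of thing a customer might type.
$firstname = "<b>Bob</b>";
$lastname  = "O'Brien";

// With a real connection (assumed): $id = insert_address($db, 1, $firstname, $lastname);
echo 'First name: ' . html_out($firstname) . "\n";   // &lt;b&gt;Bob&lt;/b&gt;
echo 'Last name: '  . html_out($lastname)  . "\n";   // O&#039;Brien
echo report_db_error('SELECT 1', 'constructed error') . "\n"; // generic message, query logged only
```

The point of `report_db_error` is exactly the change suggested above: the query stays in the log, and only a developer who has turned `DEBUG_MODE` on sees it in the browser. The prepared statement is what removes the ability to "crash the SQL input" with stray quotes in the first place, and `html_out` covers the cross-site-scripting side for anything already sitting in the database.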
