
mightyx

SQL Injection Vulnerability in product_info.php?


Hi there, I've discovered a security problem in my modded osC store (based on RC2a). When someone extends the product_id in the product_info URI with SQL commands, it seems that the code is executed. At least it returns a 1064 error on my store. Does anyone have an idea how to fix this?


Add an (int) before $_GET['products_id'] in the query:

  // products_id and languages_id are cast to int before being spliced into the SQL string
  $product_check_query = tep_db_query("select count(*) as total from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd where p.products_status = '1' and isnull(products_date_available) and p.products_id = '" . (int)$_GET['products_id'] . "' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "'");


Get the latest Responsive osCommerce CE (community edition) here.

(Live   : OsC 2.2, php 5.4 & UTF-8  |  Local : Phoenix for future shop)

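The following is an added example, not code from the thread or from osCommerce, showing why the (int) cast in the reply above closes the hole and what the same check looks like as a prepared statement. The TABLE_PRODUCTS and TABLE_PRODUCTS_DESCRIPTION constants mirror the osC names used in the reply, but their values, the build_query_* and products_id_is_numeric helpers and the sample input are all constructed for this script.

```php
<?php
// Added example (not osCommerce's own code). The table-name constants stand in
// for osC's TABLE_PRODUCTS / TABLE_PRODUCTS_DESCRIPTION; the values are assumptions.
define('TABLE_PRODUCTS', 'products');
define('TABLE_PRODUCTS_DESCRIPTION', 'products_description');

// The vulnerable pattern from the opening post: the raw request value is
// spliced straight into the SQL string, so a quote in the value ends the
// literal early and whatever follows is parsed as SQL (hence the 1064 error).
function build_query_unsafe(string $products_id, int $languages_id): string
{
    return "select count(*) as total from " . TABLE_PRODUCTS . " p, "
        . TABLE_PRODUCTS_DESCRIPTION . " pd"
        . " where p.products_status = '1'"
        . " and isnull(products_date_available)"
        . " and p.products_id = '" . $products_id . "'"
        . " and pd.products_id = p.products_id"
        . " and pd.language_id = '" . $languages_id . "'";
}

// The fix from the reply: cast to int first. PHP keeps only the leading
// digits of the string (non-numeric input becomes 0), so no quote or
// keyword can ever reach the query text.
function build_query_safe(string $products_id, int $languages_id): string
{
    return build_query_unsafe((string)(int)$products_id, $languages_id);
}

// Defensive check a reviewer can run over a built query: the products_id
// comparison must contain nothing but digits inside the quotes.
function products_id_is_numeric(string $sql): bool
{
    return (bool)preg_match("/p\\.products_id = '\\d+'/", $sql);
}

// General form for code paths that do not go through tep_db_query: let the
// driver bind the values, so no string splicing happens at all.
// $db is an open mysqli connection (assumed to exist in the caller).
function count_available_products(mysqli $db, string $products_id, int $languages_id): int
{
    $sql = "select count(*) as total from " . TABLE_PRODUCTS . " p, "
        . TABLE_PRODUCTS_DESCRIPTION . " pd"
        . " where p.products_status = '1'"
        . " and isnull(products_date_available)"
        . " and p.products_id = ?"
        . " and pd.products_id = p.products_id"
        . " and pd.language_id = ?";
    $pid  = (int)$products_id;
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ii', $pid, $languages_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return (int)$row['total'];
}

// Constructed input of the kind the opening post describes: a product id
// followed by a quote and trailing SQL text.
$hostile = "5' -- trailing sql";

echo "unsafe query contains the quote: ",
    var_export(str_contains(build_query_unsafe($hostile, 1), "5' --"), true), "\n";
echo "unsafe query passes the digit check: ",
    var_export(products_id_is_numeric(build_query_unsafe($hostile, 1)), true), "\n";
echo "casted query passes the digit check: ",
    var_export(products_id_is_numeric(build_query_safe($hostile, 1)), true), "\n";
```

Run the script with the PHP CLI; the two builders show that the cast reduces the hostile value to the integer 5, while the prepared-statement function is the form to prefer wherever your database layer exposes it, since it removes the need to remember the cast at every call site.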

Wherever an application has either user input or GET data being used for display or database operations, it must first be sanitized to rid it of any malicious content (e.g., JavaScript embedded into displayed HTML content, or SQL embedded into a product ID). osC has been improving in this regard, although it's likely some vulnerabilities have escaped notice so far. osC 2.2 RC2a is horribly obsolete and vulnerable to hacks -- you might want to take a look at osC 2.3.4 BS Edge (the current latest release, although you have to get it from GitHub).

 

If your 2.2 release has been "highly" modified, you're on your own -- you've forked your own version. Don't expect the community here to be able to help you out, since no one in their right mind runs something that old and still expects support from here. Do take the time to install and try out "Edge", and see what modifications you'll need to make. It may be far less painful than trying to keep your old system running. At the least, you can see if it still has this vulnerability present. If most of your changes have been cosmetic, it may be very easy to convert (and your existing data can be saved).
