ken0306 Posted September 4, 2018

Hi there,

My website recently got the PCI "SQL Injection" severity problem with the advanced_search_result.php page. Here is the error (WAS payload):

keywords=%25%25&search_in_description=1&submit=Search&categories_id=98&inc_subcat=1&manufacturers_id=&pfrom=1e309&pto=&dfrom=&dto=

What happens is, when I add the following after advanced_search_result.php?

keywords=%25%25&search_in_description=1&submit=Search&categories_id=98&inc_subcat=1&manufacturers_id=&pfrom=&pto=1e309&dfrom=&dto=

the MySQL error prints out on the screen:

1054 - Unknown column 'INF' in 'where clause'

select count(distinct p.products_id) as total from products p left join manufacturers m using(manufacturers_id) left join specials s on p.products_id = s.products_id, products_description pd, categories c, products_to_categories p2c where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and p2c.products_id = p.products_id and p2c.products_id = pd.products_id and (p2c.categories_id = '98' or p2c.categories_id = '99' or p2c.categories_id = '104' or p2c.categories_id = '106' or p2c.categories_id = '111' or p2c.categories_id = '114' or p2c.categories_id = '117' or p2c.categories_id = '123' or p2c.categories_id = '125' or p2c.categories_id = '289') and ((pd.products_name like '%%%%' or p.products_model like '%%%%' or p.products_UPC like '%%%%' or p.products_MPN like '%%%%' or m.manufacturers_name like '%%%%' or pd.products_description like '%%%%') ) and (IF(s.status, s.specials_new_products_price, p.products_price) <= INF)

I tried the same script on the demo site from oscommerce.com; the search result also shows the same error.

Any idea how to fix this problem with the script? Thank you in advance.

ken
Jack_mcs Posted September 4, 2018

The INF you see in the error is a defined constant in PHP and stands for infinity. The 1e309 for the pto parameter is causing the "To" price in the search to be set to INF, and that is causing the SQL failure because that is not a valid number for the search.

To plug this hole, find this line in the advanced_search_result.php file:

    if (!settype($pto, 'double')) {

and change it to:

    if (!settype($pto, 'double') || $pto == INF) {

The same should be done for $pfrom.
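The mechanism Jack_mcs describes, as an added example that is not osCommerce code and not part of any post in this thread: PHP's string-to-double conversion accepts "1e309" as numeric, but the value overflows to INF, and INF interpolated into SQL becomes a bare identifier that MySQL treats as a column name. The function names parsePriceBound and priceWhereClause are assumptions for this illustration; the IF(...) price expression is copied from the query in the first post. The validator below uses is_finite(), which rejects INF, -INF and NAN in a single test rather than comparing against INF alone, and the predicate builder formats the bound as a plain decimal literal so the SQL never contains "INF" or exponent notation.

```php
<?php
// Added example (not osCommerce code): validate the advanced-search price
// bounds discussed in the thread and build the price predicate safely.

declare(strict_types=1);

/**
 * Parse a user-supplied price bound (pfrom / pto).
 * Returns a finite, non-negative float, or null when the value must be
 * rejected (non-numeric, INF, -INF, NAN). Function name is an assumption.
 */
function parsePriceBound(string $raw): ?float
{
    $raw = trim($raw);
    if ($raw === '') {
        return null;               // empty field means "no bound", not an error
    }
    // is_numeric() accepts "1e309", exactly as settype($v, 'double') does in the
    // original page, so the *result* of the conversion still has to be checked.
    if (!is_numeric($raw)) {
        return null;
    }
    $value = (float) $raw;         // "1e309" overflows to INF here, "-1e309" to -INF
    if (!is_finite($value)) {      // one test covers INF, -INF and NAN
        return null;
    }
    if ($value < 0.0) {
        return null;               // negative prices make no sense for a search
    }
    return $value;
}

/**
 * Build the price part of the WHERE clause. The bound is never interpolated
 * as the raw request string; number_format() with a fixed scale guarantees a
 * plain decimal literal such as 25.5000, never "INF", "1.0E+25" or "1,5".
 * Function name is an assumption; the IF(...) expression is from the thread.
 */
function priceWhereClause(?float $from, ?float $to): string
{
    $expr  = 'IF(s.status, s.specials_new_products_price, p.products_price)';
    $parts = [];
    if ($from !== null) {
        $parts[] = $expr . ' >= ' . number_format($from, 4, '.', '');
    }
    if ($to !== null) {
        $parts[] = $expr . ' <= ' . number_format($to, 4, '.', '');
    }
    return $parts ? ' and (' . implode(' and ', $parts) . ')' : '';
}

// Constructed inputs: the scanner's payload, its negative twin, and ordinary
// values. "1e309" and "-1e309" are rejected; "NAN" fails is_numeric() first.
$cases = ['1e309', '-1e309', 'NAN', '25.50', 'abc', ''];
foreach ($cases as $c) {
    $v = parsePriceBound($c);
    printf("%-9s -> %s\n", var_export($c, true), $v === null ? 'rejected' : (string) $v);
}

// In the real page a rejected bound goes to $messageStack and the query is
// not built; valid bounds produce a clean literal:
echo priceWhereClause(parsePriceBound('1'), parsePriceBound('25.50')), "\n";
```

Treat an empty string and an invalid string differently: the first is simply "no bound", the second should produce the existing ERROR_PRICE_TO_MUST_BE_NUM message so the user (and the scanner) sees a normal validation response rather than a database error.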
ken0306 Posted September 5, 2018 (Author)

23 hours ago, Jack_mcs said:

    The INF you see in the error is a defined constant in PHP and stands for infinity. The 1e309 for the pto parameter is causing the "To" price in the search to be set to INF, and that is causing the SQL failure because that is not a valid number for the search.

    To plug this hole, find this line in the advanced_search_result.php file:

        if (!settype($pto, 'double')) {

    and change it to:

        if (!settype($pto, 'double') || $pto == INF) {

    The same should be done for $pfrom.

It works, thank you. The error is gone. This error is also in the osC 2.3.4 default package.
Jack_mcs Posted September 6, 2018

Yes, the original code above has been part of osCommerce from the beginning, or close to it. It was probably never noticed before because the input is not normal hacker code, in that it won't inject anything into the database. But it will cause the error you saw, and that provides hackers with details they may not have, so the fix is needed.
a123 Posted September 6, 2018

@Jack_mcs your fix is not enough. http://php.net/manual/en/math.constants.php

Avoid the printing problem forever like this:

catalog/includes/functions/database.php

Change:

    function tep_db_error($query, $errno, $error) {
      if (defined('STORE_DB_TRANSACTIONS') && (STORE_DB_TRANSACTIONS == 'true')) {
        error_log('ERROR: [' . $errno . '] ' . $error . "\n", 3, STORE_PAGE_PARSE_TIME_LOG);
      }

      die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');
    }

To:

    function tep_db_error($query, $errno, $error) {
      trigger_error("SQL Error: " . $errno . ' - ' . $error . ' ' . $query);
      $message = file_get_contents(DIR_FS_CATALOG . 'includes/modules/error_page.php');
      die($message);
    }

and create a file with similar content:

catalog/includes/modules/error_page.php

    <div>Sorry something went wrong! :( Error is reported to the site owner. Please try to use the following <a href="<?php echo tep_href_link('index.php'); ?>">backlink</a></div>

Finally, develop one new version of the php core to see the reports and use it effectively...
a123 Posted September 6, 2018

Sorry, this would be better for osCommerce:

    function tep_db_error($query, $errno, $error) {
      trigger_error("SQL Error: " . $errno . ' - ' . $error . ' ' . $query);
      ob_start();
      include(DIR_FS_CATALOG . 'includes/modules/error_page.php');
      $message = ob_get_clean();
      die($message);
    }
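A hardened database error handler along the lines a123 proposes, as an added example that is not osCommerce code and not part of any post in this thread. One caveat worth knowing before copying the version above: trigger_error() raises E_USER_NOTICE by default, and on a server with display_errors=On that notice, including the full query, is printed into the response, which reintroduces the leak the change was meant to close. The example below therefore writes with error_log(), which only goes to the configured log destination, tags each incident with a random reference id so the owner can find the log line the customer reports, sends a 500 status instead of a 200, and renders a template that contains nothing from the database. The constant ERROR_PAGE, the {ref} placeholder and the helper names logDbError and renderDbErrorPage are assumptions for this illustration.

```php
<?php
// Added example (not osCommerce code): a tep_db_error() replacement that keeps
// errno, message and query text out of the HTTP response.

declare(strict_types=1);

// Assumption: a static HTML template standing in for osCommerce's
// includes/modules/error_page.php. It may contain the literal text {ref}.
const ERROR_PAGE = __DIR__ . '/error_page.html';

/**
 * Write the full details server-side and return a short correlation id.
 * Helper name is an assumption.
 */
function logDbError(string $query, int $errno, string $error): string
{
    $ref  = bin2hex(random_bytes(6));          // 12 hex chars, unique enough to grep
    $line = sprintf(
        '[ref=%s] SQL error %d: %s | query=%s | uri=%s | ip=%s',
        $ref,
        $errno,
        $error,
        $query,
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    );
    // error_log() with the default message type goes to the SAPI / error_log
    // ini destination only; it is never echoed to the page like a notice
    // raised with trigger_error() would be when display_errors is on.
    error_log($line);
    return $ref;
}

/**
 * Produce the user-facing page. The only dynamic content is the reference id,
 * HTML-escaped even though it is hex, so the template stays injection-safe
 * if the id generation is ever changed. Helper name is an assumption.
 */
function renderDbErrorPage(string $ref): string
{
    $safeRef  = htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    $template = is_readable(ERROR_PAGE)
        ? (string) file_get_contents(ERROR_PAGE)
        : '<p>Sorry, something went wrong. The error has been reported to the site owner. Reference: {ref}</p>';
    return str_replace('{ref}', $safeRef, $template);
}

/** Drop-in signature of osCommerce's tep_db_error(). */
function tep_db_error(string $query, int $errno, string $error): void
{
    $ref = logDbError($query, $errno, $error);
    if (!headers_sent()) {
        http_response_code(500);                // not a 200 with an error body
        header('Content-Type: text/html; charset=UTF-8');
        header('Cache-Control: no-store');
    }
    exit(renderDbErrorPage($ref));
}

// Constructed call using the failure from the first post; the query text
// reaches the log, the browser sees only the generic page and a reference id.
tep_db_error(
    "select count(distinct p.products_id) as total from products p ... <= INF",
    1054,
    "Unknown column 'INF' in 'where clause'"
);
```

Keep the original handler's STORE_DB_TRANSACTIONS / STORE_PAGE_PARSE_TIME_LOG branch if you rely on that file; the point is only that whatever is logged must never be the same string that is sent to the client.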