
osCommerce

The e-commerce.

PCI SQL Injection Problem with advanced_search_result.php page


ken0306


Hi there,

My website recently got a PCI SQL injection severity problem with the advanced_search_result.php page; here is the error:

WAS Payload

keywords=%25%25&search_in_description=1&submit=Search&categories_id=98&inc_subcat=1&manufacturers_id=&pfrom=1e309&pto=&dfrom=&dto=

 

What happens is, when I add the following after advanced_search_result.php?keywords=%25%25&search_in_description=1&submit=Search&categories_id=98&inc_subcat=1&manufacturers_id=&pfrom=&pto=1e309&dfrom=&dto=

the MySQL error is printed on the screen:

1054 - Unknown column 'INF' in 'where clause'

select count(distinct p.products_id) as total from products p left join manufacturers m using(manufacturers_id) left join specials s on p.products_id = s.products_id, products_description pd, categories c, products_to_categories p2c where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and p2c.products_id = p.products_id and p2c.products_id = pd.products_id and (p2c.categories_id = '98' or p2c.categories_id = '99' or p2c.categories_id = '104' or p2c.categories_id = '106' or p2c.categories_id = '111' or p2c.categories_id = '114' or p2c.categories_id = '117' or p2c.categories_id = '123' or p2c.categories_id = '125' or p2c.categories_id = '289') and ((pd.products_name like '%%%%' or p.products_model like '%%%%' or p.products_UPC like '%%%%' or p.products_MPN like '%%%%' or m.manufacturers_name like '%%%%' or pd.products_description like '%%%%') ) and (IF(s.status, s.specials_new_products_price, p.products_price) <= INF)

 

I tried the same script on the demo site from oscommerce.com; the search result also shows the same error.

Any idea how to fix this problem with the script?

Thank you in advance.

ken

 


The INF you see in the error is a defined constant in php and stands for infinity. The 1e309 for the pto parameter is causing the To price in the search to be set to INF and that is causing the sql failure because that is not a valid number for the search. To plug this hole, find this line in the advanced_search_result.php file

      if (!settype($pto, 'double')) { 

and change it to

      if (!settype($pto, 'double') || $pto == INF) {

The same should be done for $pfrom.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


 

23 hours ago, Jack_mcs said:

The INF you see in the error is a defined constant in php and stands for infinity. The 1e309 for the pto parameter is causing the To price in the search to be set to INF and that is causing the sql failure because that is not a valid number for the search. To plug this hole, find this line in the advanced_search_result.php file


      if (!settype($pto, 'double')) { 

and change it to


      if (!settype($pto, 'double') || $pto == INF) {

The same should be done for $pfrom.

It works, thank you. The error is gone. This error is also in the osc 2.3.4 default package.


Yes, the original code above has been part of osCommerce from the beginning, or close to it. It was probably never noticed before because the input is not normal hacker code, in that it won't inject anything into the database. But it will cause the error you saw, and that provides hackers with details they may not have, so the fix is needed.


@Jack_mcs your fix is not enough. http://php.net/manual/en/math.constants.php

Avoid the printing problem forever like this:

catalog/includes/function/database.php

Change:

  function tep_db_error($query, $errno, $error) { 
    if (defined('STORE_DB_TRANSACTIONS') && (STORE_DB_TRANSACTIONS == 'true')) {
      error_log('ERROR: [' . $errno . '] ' . $error . "\n", 3, STORE_PAGE_PARSE_TIME_LOG);
    }

    die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');
  }

To:
 

  function tep_db_error($query, $errno, $error) { 
    trigger_error("SQL Error: " . $errno . ' - ' . $error . ' ' . $query);
    $message = file_get_contents(DIR_FS_CATALOG . 'includes/modules/error_page.php');
    die($message);
  }


and create file with similar content:

catalog/includes/modules/error_page.php

<div>Sorry something went wrong! :( Error is reported to the site owner. Please try to use the following <a href="<?php echo tep_href_link('index.php'); ?>">backlink</a></div>


Finally, develop a new version of the PHP core to see the reports and use it effectively...

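An added example, not code from this thread or from osCommerce, showing why the `$pto == INF` check alone is not enough: `'-1e309'` converts to -INF, which that equality misses, whereas `is_finite()` rejects INF, -INF and NAN in one test. `tep_price_param()` is a hypothetical helper name, and the sample request values are constructed to mirror the scanner payload above.

```php
<?php
// Added example (not osCommerce code): validate a price-range request
// parameter before it is concatenated into the advanced-search WHERE clause.
declare(strict_types=1);

/**
 * Convert a raw request value such as $_GET['pto'] into a finite,
 * non-negative double, or return null when it must be ignored.
 */
function tep_price_param(?string $raw): ?float
{
    if ($raw === null || trim($raw) === '') {
        return null;                  // empty means "no bound", as in osCommerce
    }
    if (!is_numeric($raw)) {
        return null;                  // settype() would silently coerce garbage to 0.0
    }
    $value = (float) $raw;            // '1e309' becomes INF, '-1e309' becomes -INF
    if (!is_finite($value)) {
        return null;                  // one check covers INF, -INF and NAN
    }
    if ($value < 0) {
        return null;                  // a negative price bound is never meaningful
    }
    return $value;
}

// Constructed request values: the scanner payload, its negative twin, a large
// but finite number, a normal price, and a few non-numeric strings.
$samples = ['1e309', '-1e309', '1e308', '9.99', '', 'abc', '12abc'];
foreach ($samples as $raw) {
    // The original check: settype() returns true for every numeric string,
    // even when the resulting double is INF or -INF.
    $old = $raw;
    $oldOk = settype($old, 'double');
    $checked = tep_price_param($raw);
    printf("%-9s settype=%-5s old=%-9s hardened=%s\n",
        var_export($raw, true), $oldOk ? 'true' : 'false', (string) $old,
        $checked === null ? 'rejected' : (string) $checked);
}

// Only a finite value ever reaches the query string; 1e308 stringifies as
// 1.0E+308, which MySQL accepts as a numeric literal, while INF does not.
$pto = tep_price_param($_GET['pto'] ?? null);
$where_str = '';
if ($pto !== null) {
    $where_str .= " and (IF(s.status, s.specials_new_products_price, p.products_price) <= " . $pto . ")";
}
```

The same helper should be applied to `pfrom`, since both parameters are cast and interpolated the same way.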

Sorry, this would be better for osCommerce:
 

  function tep_db_error($query, $errno, $error) { 
    trigger_error("SQL Error: " . $errno . ' - ' . $error . ' ' . $query);
    ob_start();
    include(DIR_FS_CATALOG . 'includes/modules/error_page.php');
    $message = ob_get_clean();

    die($message);
  }

 


Archived

This topic is now archived and is closed to further replies.
