vanzantz

osCommerce 2.3.4.1 - 'reviews_id' SQL Vulnerabilities


Reviewing a site I am working on and using sqlmap, I am getting a positive hit for $_GET['reviews_id'] in the product_reviews_info.php file.

Examining the flagged file it's using typecasting with (int) on the instances with the get request and the parameter.

This does not appear to be resolving the positive hit for the sql injection.

Are there any tips on how to address this with this platform? mysql_real_escape(); ?

Researching for a fix I see this vulnerability being reported:

https://www.exploit-db.com/exploits/46330

https://www.nmmapper.com/st/exploitdetails/46330/40818/oscommerce-2341-reviews_id-sql-injection/


Neither of those links work - please check and repost. 


Contributions: Better Together and Quantity Discounts for osCommerce 2.3.x and Phoenix. See my profile for more details.

1 hour ago, swguy said:

Neither of those links work - please check and repost. 

You can copy and paste them into the address bar.

Dan


Weird. I could swear it didn't work yesterday when I tried that.


Contributions: Better Together and Quantity Discounts for osCommerce 2.3.x and Phoenix. See my profile for more details.

On 8/10/2019 at 10:54 AM, vanzantz said:

Reviewing a site I am working on and using sqlmap, I am getting a positive hit for $_GET['reviews_id'] in the product_reviews_info.php file.

Examining the flagged file it's using typecasting with (int) on the instances with the get request and the parameter.

This does not appear to be resolving the positive hit for the sql injection.

Are there any tips on how to address this with this platform? mysql_real_escape(); ?

Researching for a fix I see this vulnerability being reported:

https://www.exploit-db.com/exploits/46330

https://www.nmmapper.com/st/exploitdetails/46330/40818/oscommerce-2341-reviews_id-sql-injection/


Was there a fix for this issue?  


I am guessing the security 2.3.4 and 2.3.4.1 BS  issues are resolved by Phoenix?

On 8/10/2019 at 1:54 PM, vanzantz said:

Are there any tips on how to address this with this platform? mysql_real_escape(); ?

mysql_real_escape is deprecated. Casting to int is superior, but the recommended way would be to change to parameterized queries via something like PDO.

Phoenix deprecated product reviews, so it wouldn't have this particular issue. 


Always backup before making changes.


Hello everyone, I am trying to find a ROOT PASSWORD to try and get my OSCOMMERCE download to work through the MySQL program I have on my computer. It asks for a root password and I just don't know what it could be...


@inrifoundation

installation is the same regardless of whether you install it on your local server, or your host's server ...

Malcolm

PS: Hijacking a thread (changing the subject within the thread) is poor form. Please start a new thread with your question.

PPS: Since you are doing a clean install, please be sure to use the Community Edition 'Phoenix' version of osC (link in my signature), and not the 'official' release. The 'official' release is very much out of date.


Get the latest Responsive osCommerce CE (community edition) here .


@vanzantz those two exploit reports are from the same bloke and they are not verified. I think they are wrong, he doesn't understand what a boolean-based sql injection attack is or for that matter how to test for a sql injection vulnerability of any kind.

FWIW I am confident your tool is reporting a false positive and the code is perfectly safe. I can find no report anywhere that integer casting is not proof against injection. You always end up with an integer, so you can never get anything but found or not found for a match to the review_id and you can't add anything to the sql statement.

Of course it's possible he's just a better hacker than I am a coder 😉


For a new install or if your store isn't mobile-friendly, get the community-supported responsive osCommerce (Phoenix).

here: on the official osc download page

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
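An added example, not osCommerce's own code and not anything posted in this thread, illustrating two points made above: swguy's that an (int) cast stops injection but a parameterized query is the cleaner fix, and BrockleyJohn's that once the parameter is an integer a boolean-based probe has nothing left to vary. It assumes a simplified reviews table (reviews_id, reviews_text) with constructed sample rows, and uses an in-memory SQLite database through PDO in place of MySQL so it runs offline (requires the pdo_sqlite extension).

```php
<?php
// Added example (not osCommerce code): the (int) cast applied to
// $_GET['reviews_id'] versus a PDO prepared statement.
// Assumptions: a simplified reviews table (reviews_id, reviews_text);
// the sample rows and probe strings below are constructed for this demo.
declare(strict_types=1);

/** Mirror the legacy handling: cast the request parameter to int before use. */
function castReviewsId(array $get): int
{
    // An explicit (int) cast never throws; "1 AND 1=2" and "1' OR '1'='1" both become 1.
    return isset($get['reviews_id']) ? (int)$get['reviews_id'] : 0;
}

/** Build the SQL the legacy way (string concatenation), but only after the cast. */
function legacyQuery(array $get): string
{
    return "select reviews_id, reviews_text from reviews where reviews_id = '"
        . castReviewsId($get) . "'";
}

/** Parameterized alternative: the value is bound, never spliced into the SQL text. */
function lookupReview(PDO $db, array $get): ?string
{
    $stmt = $db->prepare('select reviews_text from reviews where reviews_id = :id');
    $stmt->bindValue(':id', castReviewsId($get), PDO::PARAM_INT);
    $stmt->execute();
    $text = $stmt->fetchColumn();
    return $text === false ? null : (string)$text;
}

// In-memory SQLite stands in for MySQL so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('create table reviews (reviews_id integer primary key, reviews_text text)');
$db->exec("insert into reviews values (1, 'Great product'), (2, 'Arrived late')");

// Constructed probes of the kind a scanner sends: boolean-blind pairs, a quote
// breakout, a stacked query and a UNION. None of them survives the cast.
$probes = [
    '1',
    '1 AND 1=1',
    '1 AND 1=2',
    "1' OR '1'='1",
    '1; DROP TABLE reviews--',
    '2 UNION SELECT reviews_text FROM reviews',
];

foreach ($probes as $p) {
    $get = ['reviews_id' => $p];
    printf("%-44s -> id=%d | %s | %s\n",
        var_export($p, true),
        castReviewsId($get),
        legacyQuery($get),
        lookupReview($db, $get) ?? 'not found');
}
```

The two boolean-blind probes ("1 AND 1=1" and "1 AND 1=2") both cast to 1 and produce byte-identical queries and results, which is exactly the condition under which a boolean-based finding on this parameter cannot be real; the UNION probe simply looks up review 2. The prepared-statement version gives the same answers, but it does so without ever building SQL from request data, which is why it is the form to migrate to rather than mysql_real_escape_string (removed with the mysql extension in PHP 7).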
