[Full-disclosure] OScommerce: "Additional Images" Module SQL Injection

From: Defa (defa_at_systemli.org)
Date: 10/06/05

  • Next message: Javi Polo: "Re: [Full-disclosure] Websites vulnerabilities disclosure"
    Date: Thu, 6 Oct 2005 10:26:50 +0200
    To: zaenal@paramartha.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hello!

    Doing forensics on a hacked shop system, we found the following
    vulnerability in the "Additional Images" module of OScommerce
    (author: zaenal <zaenal AT paramartha.org>). More detailed
    information is available here: http://www.oscommerce.com/community/contributions,1032

    Description:

    If an anonymous remote user changes the value of 'products_id' when
    requesting "product_info.php", he is able to insert SQL code into an
    SQL query, provided the module in question is installed.

    Impact:

    An attacker might read out parts or the whole of the database.

    Code:

    The following code on line 16 of SHOPROOT/catalog/includes/modules/
    additional_images.php doesn't check the value of the "products_id"
    variable before concatenating it into the query:

    $images_product = tep_db_query("SELECT additional_images_id, products_id, "
                                 . "images_description, medium_images, popup_images FROM "
                                 . TABLE_ADDITIONAL_IMAGES
                                 . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

    Solution:

    Contact the author/vendor.

    Workaround:

    Change line 16 in SHOPROOT/catalog/includes/modules/
    additional_images.php to:

    $images_product = tep_db_query("SELECT additional_images_id, products_id, "
                                 . "images_description, medium_images, popup_images FROM "
                                 . TABLE_ADDITIONAL_IMAGES
                                 . " WHERE products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");

    Thanks to the guy who found the log entry in question.

    bye
    defa
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (Darwin)

    iD8DBQFDRN/RLVkyr1ln0PsRAvq1AKCMsv4mUwkpBw4mWkeRsyuZ620U2wCfad4J
    UD8gpoM85ndrWcEeGz0tcZ8=
    =ifBl
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
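The injection described in the advisory above, as an added example that is not part of the original post or of the osCommerce module. It rebuilds the line-16 query in Python against an in-memory SQLite database and runs three variants side by side: the raw concatenation, the advisory's (int)-cast workaround, and a bound parameter. The column names of the additional_images table come from the advisory; the table name `additional_images` is assumed (the module only refers to it through the TABLE_ADDITIONAL_IMAGES constant), the `customers` table and every row are constructed sample data, and `php_int_cast` is an approximation of what PHP's (int) cast does to a string.

```python
"""Stand-in for the additional_images.php query, vulnerable and hardened."""
import re
import sqlite3

# Constructed sample database. The additional_images columns come from the
# advisory; the table name is assumed (the module only uses the constant
# TABLE_ADDITIONAL_IMAGES), and the customers table is constructed as a
# stand-in for data an attacker would pull out with a UNION.
SCHEMA = """
CREATE TABLE additional_images (
    additional_images_id INTEGER, products_id INTEGER,
    images_description TEXT, medium_images TEXT, popup_images TEXT);
CREATE TABLE customers (
    customers_id INTEGER, customers_email_address TEXT, customers_password TEXT);
INSERT INTO additional_images VALUES (1, 5, 'side view', 'm5.jpg', 'p5.jpg');
INSERT INTO additional_images VALUES (2, 7, 'back view', 'm7.jpg', 'p7.jpg');
INSERT INTO customers VALUES (1, 'alice@example.com', 'hash1');
INSERT INTO customers VALUES (2, 'bob@example.com', 'hash2');
"""

SELECT_IMAGES = ("SELECT additional_images_id, products_id, images_description, "
                 "medium_images, popup_images FROM additional_images")

# Constructed products_id value an attacker would send. The trailing space
# matters on MySQL, where "--" only starts a comment when followed by
# whitespace; the module's closing quote then lands inside the comment.
PAYLOAD = ("5' UNION SELECT customers_id, 0, customers_email_address, "
           "customers_password, '' FROM customers -- ")


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_query(db, products_id):
    """Line 16 of the module: the raw GET value is glued between quotes."""
    sql = SELECT_IMAGES + " WHERE products_id = '" + products_id + "'"
    return db.execute(sql).fetchall()


def php_int_cast(value):
    """Approximation of PHP's (int) cast on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def workaround_query(db, products_id):
    """The advisory's workaround: (int) cast before concatenation."""
    sql = SELECT_IMAGES + " WHERE products_id = '" + str(php_int_cast(products_id)) + "'"
    return db.execute(sql).fetchall()


def parameterized_query(db, products_id):
    """Bound parameter: the value never becomes part of the SQL text."""
    return db.execute(SELECT_IMAGES + " WHERE products_id = ?", (products_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:   ", vulnerable_query(db, PAYLOAD))
    print("(int) cast:   ", workaround_query(db, PAYLOAD))
    print("parameterized:", parameterized_query(db, PAYLOAD))
```

With the payload, the raw concatenation returns the product's images plus one row per customer, with e-mail addresses and password hashes sitting in the images_description and medium_images columns. The (int) cast collapses the whole payload to the leading 5 and returns only the legitimate row, which is why it is a sufficient fix for this particular query: products_id is numeric, so there is nothing an attacker can put into an integer. For string parameters the cast does not apply and the value has to be escaped or, as in the last variant, bound as a parameter so it is never parsed as SQL.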