BugTraq
iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability Jul 03 2010 11:03PM
Salvatore Fresta aka Drosophila (drosophilaxxx gmail com)

iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability

Name iScripts MultiCart
Vendor http://www.iscripts.com
Versions Affected 2.2

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-03-07

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION

iScripts MultiCart 2.2 is a unique online shopping cart
solution that enables you to have one storefront and
multiple vendors for physical or digital (downloadable)
products.

II. DESCRIPTION

The approach used to prevent SQL injection is inadequate,
which leaves many SQL injection flaws in the application.

III. ANALYSIS

Summary:

A) Multiple SQL Injection

A) Multiple SQL Injection

The solution adopted consists of converting the query
string to uppercase and checking it for the words UNION
and SELECT. However, by using C-like comments in the
query string, it is possible to bypass the filter.
Example:

SELECT becomes SE/**/LE/**/CT
UNION becomes UN/**/ION

The new strings do not match the words in the blacklist,
but they are good for MySQL.

The following is the affected code (session.php):

$mystring = strtoupper($_SERVER['QUERY_STRING']);
$server_injec1 = strpos($mystring, 'SELECT');
$server_injec2 = strpos($mystring, 'UNION');

if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0'))
{
    ;
}//end if
else
{
    header('location:index.php');
    exit();
}

IV. SAMPLE CODE

A) Multiple SQL Injection

http://site/path/refund_request.php?orderid=SQL

V. FIX

No Fix.
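
Added example (not part of the advisory and not iScripts code): the quoted session.php check reduced to a predicate, next to input handling that does not depend on keyword matching. The orders table, its columns, and all function names are assumptions, since the advisory does not show the query built in refund_request.php.

```php
<?php
// Added example, not iScripts code. The orders table and its columns are
// assumptions; SQLite stands in for the application's MySQL database.

// The session.php check as quoted in the advisory, reduced to a predicate.
function legacyFilterBlocks(string $queryString): bool
{
    $s = strtoupper($queryString);
    return strpos($s, 'SELECT') !== false || strpos($s, 'UNION') !== false;
}

// Hardened handling: accept only a positive decimal integer.
function parseOrderId($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function findOrder(PDO $db, $rawOrderId): ?array
{
    $id = parseOrderId($rawOrderId);
    if ($id === null) {
        return null; // rejected before any SQL is built
    }
    // The value is bound as an integer and never concatenated into the query.
    $stmt = $db->prepare('SELECT id, status FROM orders WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)');
$db->exec("INSERT INTO orders VALUES (7, 'shipped')");

$obfuscated = '1 UN/**/ION SE/**/LE/**/CT'; // spellings taken from the advisory
var_dump(legacyFilterBlocks('orderid=1 UNION SELECT'));  // plain keywords
var_dump(legacyFilterBlocks('orderid=' . $obfuscated));  // comment-split keywords
var_dump(findOrder($db, '7'));                           // well-formed order id
var_dump(findOrder($db, $obfuscated));                   // non-numeric order id
```

With the MySQL PDO driver, setting PDO::ATTR_EMULATE_PREPARES to false makes the driver use server-side prepared statements.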
