iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability
Name              iScripts MultiCart
Vendor            http://www.iscripts.com
Versions Affected 2.2
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-03-07
X. INDEX
I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX
I. ABOUT THE APPLICATION
iScripts MultiCart 2.2 is a unique online shopping cart
solution that enables you to have one storefront and
multiple vendors for physical or digital (downloadable)
products.
II. DESCRIPTION
The mechanism adopted to prevent SQL Injection is not
appropriate, so many SQL Injection flaws remain
exploitable.
III. ANALYSIS
Summary:
A) Multiple SQL Injection
A) Multiple SQL Injection
The protection consists of converting the query string to
uppercase and checking whether it contains the words UNION
and SELECT. By inserting C-style comments into the query
string it is possible to bypass this filter.
Example:
SELECT becomes SE/**/LE/**/CT
UNION  becomes UN/**/ION
The new strings no longer match the words in the black
list, but MySQL still accepts them as the original keywords.
The following is the affected code (session.php):
$mystring = strtoupper($_SERVER['QUERY_STRING']);   // whole query string, uppercased
$server_injec1 = strpos($mystring, 'SELECT');       // int offset, or false when absent
$server_injec2 = strpos($mystring, 'UNION');
// strpos() returns an int or false, never the string '0', so the second
// clause can never be true; only the "both absent" case lets a request through.
if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0'))
{
    ;   // no blacklisted word found: continue processing the request
}//end if
else
{
    header('location:index.php');   // blacklisted word found: redirect away
    exit();
}
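As an added illustration (not code from this advisory or from iScripts MultiCart), the following PHP contrasts a faithful port of the session.php check with a parameterized query, which treats the order id as data no matter how the keywords are split; the table and column names and the $pdo connection are assumptions.

```php
<?php
// Added example: keyword blacklist vs. a bound parameter. Not iScripts code.

// Port of the session.php check: returns true when the request is let through.
function blacklistAllows(string $queryString): bool
{
    $upper = strtoupper($queryString);
    // strpos() yields an int or false, so only the === false tests have effect.
    return strpos($upper, 'SELECT') === false && strpos($upper, 'UNION') === false;
}

// Hardened lookup: the order id travels as a bound parameter, never as SQL
// text, so comment-split keywords are just characters inside a string value.
// Table/column names are assumed; $pdo is an existing PDO connection to MySQL.
function fetchRefundRequest(PDO $pdo, string $orderId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM refund_request WHERE orderid = :orderid');
    $stmt->execute([':orderid' => $orderId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs built from the advisory's own two keyword examples.
$queries = [
    'orderid=1 UNION SELECT 1',             // contains the blacklisted words
    'orderid=1 UN/**/ION SE/**/LE/**/CT 1', // same keywords split by comments
];
foreach ($queries as $q) {
    // prints: first line allowed=no, second line allowed=yes
    printf("%-40s allowed=%s\n", $q, blacklistAllows($q) ? 'yes' : 'no');
}
```

When using PDO with MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server itself performs the binding rather than the client-side escaping layer.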
IV. SAMPLE CODE
A) Multiple SQL Injection
http://site/path/refund_request.php?orderid=SQL
V. FIX
No Fix.