Full Disclosure mailing list archives
OScommerce: "Additional Images" Module SQL Injection
From: Defa <defa () systemli org>
Date: Thu, 6 Oct 2005 10:26:50 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello!Doing forensics in an hacked shop system we found the following vulnerability in the "Additional Images" Module of OScommerce from "Author: zaenal <zaenal AT paramartha.org>. Find more detailed information here: http://www.oscommerce.com/community/contributions,1032
Description:If a anonymous remote user changes the value of 'products_id' when he gets "product_info.php" he is able to insert SQL Code in an SQL Query, if the module in question is installed.
Impact: An attacker might read out parts or the whole of the database. Code:the following code on line 16 in SHOPROOT/catalog/includes/modules/ additional_images.php doesn't check the value of the "products_id" variable.
$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS ['products_id'] . "'");
Solution: Contact the author/vendor. Workaround:Change line 16 in SHOPROOT/catalog/includes/modules/ additional_images.php to:
$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int) $HTTP_GET_VARS['products_id'] . "'");
thanks to the guy who found the log entry in question. bye defa -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFDRN/RLVkyr1ln0PsRAvq1AKCMsv4mUwkpBw4mWkeRsyuZ620U2wCfad4J UD8gpoM85ndrWcEeGz0tcZ8= =ifBl -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OScommerce: "Additional Images" Module SQL Injection Defa (Oct 06)