Re: FishCart [injection sql]

[Michael Brennen <michael () fishnet us>]

On Sunday 21 January 2007 13:45, saps.audit () gmail com wrote:

> vendor site: http://fishcart.org/
> product :fish cart
> bug:injection sql
> risk : medium
>
> injection sql :
> /display.php?cartid=200701210157208&zid=1&lid=1&olimit=5&cat=&key1=&nlst=y&
> olst='[sql]
>
> ( change the cartid value with yours )
> laurent gaffie
> http://s-a-p.ca/
> contact: saps.audit () gmail com

The developers were never notified before this was posted.  Had the poster 
exercised this simple courtesy he would have found that this is not an SQL 
injection error.

A perusal of the open source shows that the olst parameter used in the above 
URL is never used in an SQL statement.

This was in fact a latent condition turned up by the 'nlst' and 'olst' 
parameters being active simultaneously, a condition not normally seen in 
FishCart.  Artificially setting both active resulting in an inconsistent SQL 
query and thus a reported SQL error.  There was never an SQL injection error 
here.

This is similar to the last erroneous FishCart SQL injection bug, bugtraq ID 
13499 of May 4, 2005 reported by 'dcrab', in which an artificially 
constructed URL not normally occuring in FishCart operation was posted.  That 
URL tripped a condition that resulted in an SQL error due to an inconsistent 
SQL statement, not an SQL injection error as reported.   There never was an 
SQL injection then.  dcrab did not notify the developers in advance either.

FishCart has long filtered parameters to avoid SQL injection errors and 
similar sorts of bugs.  The hardening fix for the dcrab report was 
immediately added to source when reported.  The hardening fix for this report 
is now committed to CVS, and the impending 3.2 release will of course have 
the fix as well.

-- 

   Michael Brennen
   President, FishNet(R), Inc.
   Professional Internet Services
   972.669.0041

Attachment: _bin
Description: