iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability
Name iScripts MultiCart
Vendor http://www.iscripts.com
Versions Affected 2.2
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-03-07
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
iScripts MultiCart 2.2 is a unique online shopping cart
solution that enables you to have one storefront and
multiple vendors for physical or digital (downloadable)
products.
II. DESCRIPTION
The solution adopted to avoid SQL Injection flaws is not
appropriate. This allows the existence of many SQL
Injection flaws.
III. ANALYSIS
Summary:
A) Multiple SQL Injection
A) Multiple SQL Injection
The solution adopted consists in transforming the query
string in uppercase and checking the existence of the
words UNION and SELECT. But using the C-like comments in
the query string, it is possible to bypass the filter.
Example:
SELECT becomes SE/**/LE/**/CT
UNION becomes UN/**/ION
The new strings do not match with the words in the black
list but they are good for MySQL.
The following is the affected code (session.php):
$mystring = strtoupper($_SERVER['QUERY_STRING']);
$server_injec1=strpos($mystring, 'SELECT');
$server_injec2=strpos($mystring, 'UNION');
if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0'))
{
;
}//end if
else
{
header('location:index.php');
exit();
}
IV. SAMPLE CODE
A) Multiple SQL Injection
http://site/path/refund_request.php?orderid=SQL
V. FIX
No Fix.