CS Cart SQL Injection security threat


I just found on the internet that CS Cart 2.2.1 is vulnerable to SQL Injection. Is this threat already fixed?

The test is done by Symantec.

[color=#003366][font=Verdana, Arial, Helvetica, sans-serif][size=3]CS-Cart ‘products.php’ SQL Injection Vulnerability[/size][/font][/color]

Attackers can use a browser to exploit this issue.

The following example URI is available:

http://www.example.com/controllers/customer/products.php?tabs_group_id=[SQL INJECT]

I give you the link:




So, no answer as of yet from the folks at CS Cart, eh???

I think this is an official response

[quote]This exploit is not suitable for any of CS-Cart versions 2.x.

  1. CS-Cart uses placeholders.
  2. All files in the “controllers” folder cannot be executed due to restrictions in the .htaccess file.
  3. There is program protection from direct file execution.

    So this vulnerability has nothing related to CS-Cart.

    Ilya Makarov

    CS-Cart development team.[/quote]

I am getting similar threat alerts from the scan company. We cannot get approved for merchant account without resolving this issue.



Synopsis :Blind SQL injection vulnerability in product_data[130][product_id] parameter to /knife-types/index.php

Description :

A remote attacker could execute SQL commands on the back-end

database, possibly leading to password retrieval, authentication

bypass, unauthorized data access, or unauthorized data

modification.All user-supplied parameters should be checked for illegal

characters, such as a single quote (“”), before being used

in an SQL query. See the references below for fix information

for specific products.[/size][/font][/color][color=black][font=Verdana][size=3]


All user-supplied parameters should be checked for illegalcharacters, such as a single quote (“”), before being usedin an SQL query. See the references below for fix informationfor specific products.[/size][/font][/color]







Yours is a different issue than the one discussed above.

I've not verified, but suggest that you submit this one to the bugtracker and get an official response as it relates to the product_data _POST parameter for the product_id element. But normally, this isn't even used. Most references to the product_id for queries to the database are from the 'product_id' GET parameter. But there are some internal functions that may use the product_id parameter instead such as the multiple update from the admin panel. But I'd have a hard time seeing it used on the customer side anywhere that an injection would be used. Mostly because a product_id is an integer and if set to a string would equate to zero…

So, in conclusion is this bug fixed in ver 2.2.4 ? or still vulnerable?

Thank you

I have no idea if it's valid or if it's fixed if it is valid. That's why I suggested you submit it to the bugtracker to get an offical response. Would be helpful if you posted the response here when you get one.


Copy that…

I got formal reply from the CS-CART [color=#555555]

As it was told in the forum thread, all PHP files located in subdirectories of the controllers directory of your CS-Cart installation cannot be executed by a direct link due to restrictions in the .htaccess file. Also all PHP files in the controllers/customer directory have a special condition which does not allow to open them with using direct links[/color] [color=#555555]


t means that the program is protected from direct file execution.

So this it is impossible to use this vulnerability in CS-Cart.[/color] [/color]

So It's means it is save.