SQL Injection: 100s of DB Errors Re: Long Query on Products Table. Does Anyone Know?

I am getting many of these errors:

Database (error)
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-1' at line 1 (1064)
Query: SELECT SQL_CALC_FOUND_ROWS products.*, IF(shared_descr.product_id IS NOT NULL, shared_descr.product, descr1.product) as product, IF(shared_prices.product_id IS NOT NULL,MIN(IF(shared_prices.percentage_discount = 0, shared_prices.price, shared_prices.price - (shared_prices.price * shared_prices.percentage_discount)/100)),MIN(IF(prices.percentage_discount = 0, prices.price, prices.price - (prices.price * prices.percentage_discount)/100))) as price, IF(shared_descr.product_id IS NOT NULL, shared_descr.short_description, descr1.short_description) as short_description, IF(shared_descr.product_id IS NOT NULL, IF(shared_descr.short_description = '', shared_descr.full_description, ''), IF(descr1.short_description = '', descr1.full_description, '')) as full_description, GROUP_CONCAT(IF(products_categories.link_type = 'M', CONCAT(products_categories.category_id, 'M'), products_categories.category_id)) as category_ids, products_categories.position, IF(shared_descr.product_id IS NOT NULL, shared_descr.meta_keywords, descr1.meta_keywords) as meta_keywords, IF(shared_descr.product_id IS NOT NULL, shared_descr.meta_description, descr1.meta_description) as meta_description, IF(shared_descr.product_id IS NOT NULL, shared_descr.search_words, descr1.search_words) as search_words, IF(shared_descr.product_id IS NOT NULL, shared_descr.promo_text, descr1.promo_text) as promo_text, cscart_seo_names.name as seo_name, cscart_seo_names.path as seo_path, AVG(cscart_discussion_rating.rating_value) AS average_rating, cscart_discussion.type AS discussion_type, cscart_discussion.thread_id AS discussion_thread_id FROM cscart_products as products LEFT JOIN cscart_product_features_values ON cscart_product_features_values.product_id = products.product_id AND cscart_product_features_values.lang_code = 'en' LEFT JOIN cscart_product_descriptions as descr1 ON descr1.product_id = products.product_id AND descr1.lang_code = 'en' LEFT JOIN cscart_product_prices as prices ON prices.product_id = products.product_id AND prices.lower_limit = 1 INNER JOIN cscart_products_categories as products_categories ON products_categories.product_id = products.product_id INNER JOIN cscart_categories ON cscart_categories.category_id = products_categories.category_id AND (cscart_categories.usergroup_ids = '' OR FIND_IN_SET(0, cscart_categories.usergroup_ids) OR FIND_IN_SET(1, cscart_categories.usergroup_ids)) AND cscart_categories.status IN ('A', 'H') INNER JOIN cscart_products_categories as products_categories_filter ON products_categories_filter.product_id = products.product_id INNER JOIN cscart_categories AS categories_filter ON categories_filter.category_id = products_categories_filter.category_id AND (categories_filter.usergroup_ids = '' OR FIND_IN_SET(0, categories_filter.usergroup_ids) OR FIND_IN_SET(1, categories_filter.usergroup_ids)) AND categories_filter.status IN ('A', 'H') LEFT JOIN cscart_ult_product_descriptions shared_descr ON shared_descr.product_id = products.product_id AND shared_descr.company_id = 2 AND shared_descr.lang_code = 'en' LEFT JOIN cscart_ult_product_prices as shared_prices ON shared_prices.product_id = products.product_id AND shared_prices.lower_limit = 1 AND shared_prices.usergroup_id IN (0, 0, 1) AND shared_prices.company_id = 2 LEFT JOIN cscart_seo_names ON cscart_seo_names.object_id = products.product_id AND cscart_seo_names.type = 'p' AND cscart_seo_names.dispatch = '' AND cscart_seo_names.lang_code = 'en' AND ( cscart_seo_names.company_id = 2 OR cscart_seo_names.company_id = 0) LEFT JOIN cscart_discussion ON cscart_discussion.object_id = products.product_id AND cscart_discussion.object_type = 'P' AND cscart_discussion.company_id = 2 LEFT JOIN cscart_discussion_posts ON cscart_discussion_posts.thread_id = cscart_discussion.thread_id AND cscart_discussion_posts.status = 'A' LEFT JOIN cscart_discussion_rating ON cscart_discussion.thread_id = cscart_discussion_rating.thread_id AND cscart_discussion_rating.post_id = cscart_discussion_posts.post_id AND cscart_discussion_rating.rating_value != 0 WHERE 1 AND categories_filter.category_id IN (111) AND cscart_categories.company_id = 2 AND categories_filter.company_id = 2 AND (products.usergroup_ids = '' OR FIND_IN_SET(0, products.usergroup_ids) OR FIND_IN_SET(1, products.usergroup_ids)) AND products.status IN ('A') AND prices.usergroup_id IN (0, 0, 1) GROUP BY products.product_id ORDER BY product asc LIMIT 0, -1

Backtrace:

index.php (fn_dispatch): 25
app/functions/fn.control.php (fn_run_controller): 370
app/functions/fn.control.php (include): 587
app/controllers/frontend/categories.php (fn_get_products): 94
app/functions/fn.catalog.php (db_get_array): 7453
app/functions/fn.database.php (call_user_func_array): 29
app/Tygh/Database.php (getArray): 111
app/Tygh/Database.php (query): 333

Does anyone have an idea what is going on?

I am using CSC 4.2.4.

The second value of the LIMIT query cannot be negative. Try to disable 3rd-party modules one by one and check.

Strange. We have not changed anything for months.

It's an SQL injection issue for CS-Cart.

/?currency=CHF&sort_by=1%2c(select%20case%20when%20(99%3d99)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1&sort_order=desc

/?currency=CHF&features_hash=V928&items_per_page=(select(0)from(select(sleep(9)))v)/*'%2b(select(0)from(select(sleep(9)))v)%2b'%22%2b(select(0)from(select(sleep(9)))v)%2b%22*/&sort_by=product&sort_order=desc&subcats=Y

/?currency=CHF&layout=short_list&sort_by=product&sort_order=(select%20convert(int%2cCHAR(65)))

/?features_hash=V45.V2085&layout=products_without_options&sort_by=1u0AugpQ');select%20pg_sleep(16);%20--%20&sort_order=asc&subcats=Y

WOW! Do you have the file changes detector enabled?

Hello,

Please compare the access log's timestamp with the error log's timestamp to find out which page was requested, because for me this is not working. I have inspected the code and have concluded that this is impossible to do with the paginate function. Please take a look:

<?php
use Tygh\Registry; // CS-Cart's Registry class, used for the default page-size lookup below

/**
 * Paginate query results
 *
 * @param int $page           page number
 * @param int $items_per_page items per page
 * @param int $total_items    total number of items (0 = unknown, range check skipped)
 * @return string SQL substring
 */
function db_paginate(&$page, &$items_per_page, $total_items = 0)
{
    // Both user-supplied values are cast to int before they reach the SQL text
    $page = (int) $page;
    $items_per_page = (int) $items_per_page;

    if ($page <= 0) {
        $page = 1;
    }

    if ($items_per_page <= 0) {
        $items_per_page = (int) Registry::ifGet('settings.Appearance.admin_elements_per_page', 10);
    }

    // Check if page in valid limits
    if ($total_items > 0) {
        $page = db_get_valid_page($page, $items_per_page, $total_items);
    }

    return ' LIMIT ' . (($page - 1) * $items_per_page) . ', ' . $items_per_page;
}

Everything is converted to integers, therefore it is impossible to inject even the slightest piece of MySQL code in here. I also checked the other controllers which might use this parameter and found that they were all using the exact same functions. Therefore my guess is that you either have done core modifications or that a 3rd-party add-on has created its own pagination function and left a huge vulnerability in their add-on.
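The analysis above covers only the LIMIT part; the URLs posted earlier in the thread also target sort_by and sort_order, which are not integers and so cannot be protected by a cast. Below is an added example (not CS-Cart's code, and the function, constant and parameter names are hypothetical) of the defensive pattern a listing controller should apply to all four parameters: an allowlist lookup for the column and direction, and an integer cast followed by a range clamp for page and items_per_page. The clamp is also what rules out the "LIMIT 0, -1" from the first post. The self-check at the bottom feeds constructed copies of the query strings from this thread through the function and confirms each one collapses to a plain ORDER BY/LIMIT tail.

```php
<?php
declare(strict_types=1);

// Added example, not CS-Cart's own code. Names below are hypothetical.

/** Allowlist: permitted sort_by values mapped to the column expression they select. */
const SORT_COLUMNS = [
    'product'   => 'product',
    'price'     => 'price',
    'timestamp' => 'products.timestamp',
];
const DEFAULT_SORT_BY    = 'product';
const DEFAULT_SORT_ORDER = 'ASC';
const DEFAULT_PER_PAGE   = 10;
const MAX_PER_PAGE       = 100;

/**
 * Build the " ORDER BY ... LIMIT ..." tail of a product listing query
 * from raw request parameters ($_GET-like array).
 *
 * The raw strings for sort_by and sort_order are never interpolated into
 * SQL; only values selected from the allowlist above reach the query text.
 */
function build_order_and_limit(array $params): string
{
    // sort_by: lookup in the allowlist, anything unknown becomes the default
    $sort_by = (string) ($params['sort_by'] ?? '');
    $column  = SORT_COLUMNS[$sort_by] ?? SORT_COLUMNS[DEFAULT_SORT_BY];

    // sort_order: exactly two legal tokens exist
    $order = strtoupper((string) ($params['sort_order'] ?? ''));
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = DEFAULT_SORT_ORDER;
    }

    // page / items_per_page: integer cast (as db_paginate does), then clamp.
    // The cast turns "(select(0)from..." into 0; the clamp rejects 0 and
    // negative values, so a negative LIMIT count can never be produced.
    $page = (int) ($params['page'] ?? 1);
    if ($page < 1) {
        $page = 1;
    }
    $per_page = (int) ($params['items_per_page'] ?? DEFAULT_PER_PAGE);
    if ($per_page < 1 || $per_page > MAX_PER_PAGE) {
        $per_page = DEFAULT_PER_PAGE;
    }

    $offset = ($page - 1) * $per_page;
    return " ORDER BY {$column} {$order} LIMIT {$offset}, {$per_page}";
}

/**
 * Self-check: run the query strings posted in this thread (constructed copies)
 * through the builder and return the resulting SQL tails. Every tail must match
 * the strict shape below, i.e. contain nothing from the raw input.
 */
function check_thread_query_strings(): array
{
    $query_strings = [
        'currency=CHF&sort_by=1%2c(select%20case%20when%20(99%3d99)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1&sort_order=desc',
        'currency=CHF&features_hash=V928&items_per_page=(select(0)from(select(sleep(9)))v)/*\'%2b(select(0)from(select(sleep(9)))v)%2b\'%22%2b(select(0)from(select(sleep(9)))v)%2b%22*/&sort_by=product&sort_order=desc&subcats=Y',
        'currency=CHF&layout=short_list&sort_by=product&sort_order=(select%20convert(int%2cCHAR(65)))',
        'features_hash=V45.V2085&layout=products_without_options&sort_by=1u0AugpQ\');select%20pg_sleep(16);%20--%20&sort_order=asc&subcats=Y',
    ];

    $tails = [];
    foreach ($query_strings as $qs) {
        parse_str($qs, $params);           // URL-decode into a $_GET-like array
        $tail = build_order_and_limit($params);
        if (preg_match('/^ ORDER BY [a-z_.]+ (ASC|DESC) LIMIT \d+, \d+$/', $tail) !== 1) {
            throw new RuntimeException('raw input leaked into SQL: ' . $tail);
        }
        $tails[] = $tail;
    }
    return $tails;
}

foreach (check_thread_query_strings() as $tail) {
    echo $tail, PHP_EOL;
}
```

Running it prints " ORDER BY product DESC LIMIT 0, 10", " ORDER BY product DESC LIMIT 0, 10", " ORDER BY product ASC LIMIT 0, 10" and " ORDER BY product ASC LIMIT 0, 10": the first URL's sort_by and the third's sort_order fall back to defaults because they are not in the allowlist, and the second URL's items_per_page casts to 0 and is clamped to the default page size. The same allowlist-plus-clamp pattern is what to look for when auditing a 3rd-party add-on that ships its own sorting or pagination code.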

Hope you're not using alexbranding add-ons; their add-ons are heavily core modified..

Does anyone monitor at all what product quality is passed to customers?

> It's an SQL injection issue for CS-Cart.
>
> /?currency=CHF&sort_by=1%2c(select%20case%20when%20(99%3d99)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1&sort_order=desc
>
> /?currency=CHF&features_hash=V928&items_per_page=(select(0)from(select(sleep(9)))v)/*'%2b(select(0)from(select(sleep(9)))v)%2b'%22%2b(select(0)from(select(sleep(9)))v)%2b%22*/&sort_by=product&sort_order=desc&subcats=Y
>
> /?currency=CHF&layout=short_list&sort_by=product&sort_order=(select%20convert(int%2cCHAR(65)))
>
> /?features_hash=V45.V2085&layout=products_without_options&sort_by=1u0AugpQ');select%20pg_sleep(16);%20--%20&sort_order=asc&subcats=Y
>
> Does anyone monitor at all what product quality is passed to customers?

Yes...You and anyone else that purchases the products.

You're not suggesting that CSC monitor 3rd-party add-ons, are you? They can't keep up with their own product, much less everyone else's.

I believe that only legit and tested add-ons should be on the marketplace..

If I remember correctly, CS-Cart plans to distribute add-ons accessible via the admin backend; how then should one check their reputation?

> Yes...You and anyone else that purchases the products.
>
> You're not suggesting that CSC monitor 3rd-party add-ons, are you? They can't keep up with their own product, much less everyone else's.

Anyway, contact the CS-Cart support team. Possibly there is an unknown vulnerability which should be fixed.

I have sent @imac a message alerting him to this thread.

Regarding the error in the first post, take a look at this thread:

http://forum.cs-cart.com/topic/42737-help-data-base-error/

> It's an SQL injection issue for CS-Cart.
>
> /?currency=CHF&sort_by=1%2c(select%20case%20when%20(99%3d99)%20then%201%20else%201*(select%20table_name%20from%20information_schema.tables)end)%3d1&sort_order=desc
>
> /?currency=CHF&features_hash=V928&items_per_page=(select(0)from(select(sleep(9)))v)/*'%2b(select(0)from(select(sleep(9)))v)%2b'%22%2b(select(0)from(select(sleep(9)))v)%2b%22*/&sort_by=product&sort_order=desc&subcats=Y
>
> /?currency=CHF&layout=short_list&sort_by=product&sort_order=(select%20convert(int%2cCHAR(65)))
>
> /?features_hash=V45.V2085&layout=products_without_options&sort_by=1u0AugpQ');select%20pg_sleep(16);%20--%20&sort_order=asc&subcats=Y

As for this, yes, it looks like someone is trying to find an SQL injection. He won't succeed :)