SQL Injection Vulnerability in AlexBranding `Product of the Day`


About one and a half weeks ago, an SQL injection vulnerability located in the `Product of the Day` add-on caught my attention. Since then, the corresponding changes have been made to the `Product of the Day` add-on from AlexBranding. Therefore, it is of the utmost importance that you update the `Product of the Day` add-on.

My research has shown that this vulnerability has been present since at least version 1.4; therefore, all those affected are urged to either disable/update the add-on or contact AlexBranding at the earliest convenience.

Exploit details and research will be published later next month to give all those affected a fair chance at patching their vulnerable software.

Kind regards,

Hi, we will publish a solution for users with old and non-updated versions of the add-on.

Thank you for your unrivaled motivation in this question.

In the deal of the day add-on from AlexBranding, the 'get_products' hook is used, and any SQL present in the 'ab__dotd_joins' and 'ab__dotd_where' parameters is appended without using a placeholder. Seeing as CS-Cart passes the '$_REQUEST' variable in the frontend to the `fn_get_products` function in categories, this results in plain, simple SQL injection.

The target is required to be a category (or any other page that passes the $_REQUEST variable as 'parameter' to the fn_get_products function); the query can be of your liking. No data is displayed, so checking out the schema before utilizing this is a good idea.

Since enough time has passed, here is a proof of concept you can use in Python 3. This was fixed in version 3.3.1.

def alexbranding_deal_of_the_day_sql_injection(target, query):
    requests.get(url=target, params={
        "ab__dotd_where": "1 ); %s --" % query