
MySQL Vulnerability

 
  • gpro
  • Senior Member
  • Members
  • Join Date: 24-Nov 07
  • 166 posts

Posted 21 March 2008 - 08:09 PM #1

I just received a call and an alert from Hackersafe themselves about having a MySQL Injection Vulnerability with cs-cart.

They also gave me the link where they can actually insert or remove the database.

They gave me a solution, but I have no idea how to implement it on my site.

This is what they wrote:

The remote host appears to be running a Web application that is not sanitizing user input prior to using it for database queries.

During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to generate errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data.

The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via webapp may cause a database to "throw" an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access (total control of the entire database functionality). For example, certain configurations of MS SQL server will allow one to create user accounts with the ability to take control of the Windows server that hosts the database.

THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

The following is an acceptable solution however it is not optimal.

Implement content parsing on data input fields including URL parameters.

Remove the following characters from any user or dynamic database input (examples in VBScript):

  • ' (single quote; escape it by doubling): input = replace( input, "'", "''" )
  • " (double quote): input = replace( input, """", "" )
  • ) (close parenthesis): input = replace( input, ")", "" )
  • ( (open parenthesis): input = replace( input, "(", "" )
  • ; (semi-colon): input = replace( input, ";", "" )
  • - (dash): input = replace( input, "-", "" )
  • | (pipe): input = replace( input, "|", "" )

On text input it is recommended to append quotes around the user supplied input.


Hackersafe also called me to say that users can gain access to the database, which kind of scared me. Anybody know what to actually do?

Thanks!
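The scanner text quoted above recommends a character blacklist as its fallback fix. The following is an added example (not CS-Cart's code and not Hackersafe's) that ports that blacklist to Python and runs it against an in-memory SQLite database to show why the scanner's own first recommendation (accept only known-good input) plus parameterised queries is the real fix: the blacklist stops an injection inside a quoted string, passes an injection in an unquoted numeric context through untouched, and mangles legitimate input on the way. The `products` table, its rows and column names are constructed for the demo; CS-Cart's real schema is not assumed.

```python
"""Blacklist filtering vs. parameterised queries (added example; not CS-Cart
or Hackersafe code). Runs on an in-memory SQLite database; the table, rows
and column names below are constructed for the demo."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (product_id INTEGER, product TEXT, status TEXT)")
    # 'A' = active, 'D' = disabled; the disabled row must never be shown
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "Widget", "A"), (2, "Gadget", "A"), (3, "Hidden", "D")])
    return db


def scanner_filter(value):
    """The character stripping the scanner suggested, ported from its VBScript."""
    value = value.replace("'", "''")          # double the single quote
    for ch in '")(;-|':                       # drop the rest outright
        value = value.replace(ch, "")
    return value


def rows(db, sql, params=()):
    return [r[0] for r in db.execute(sql, params)]


# --- numeric context: product_id is interpolated without quotes -------------
def lookup_concat(db, product_id):
    # Vulnerable: the value becomes part of the SQL text.
    return rows(db, "SELECT product FROM products WHERE status = 'A' "
                    f"AND product_id = {product_id} ORDER BY product_id")


def lookup_filtered(db, product_id):
    # Same query after the scanner's blacklist; "2 OR 1=1" contains none of
    # the blacklisted characters and goes through unchanged.
    return lookup_concat(db, scanner_filter(product_id))


def lookup_param(db, product_id):
    # Fixed: the value is bound as data and cannot change the query's shape.
    return rows(db, "SELECT product FROM products WHERE status = 'A' "
                    "AND product_id = ? ORDER BY product_id", (product_id,))


# --- string context: the search term is interpolated inside quotes ----------
def search_concat(db, term):
    return rows(db, "SELECT product FROM products WHERE status = 'A' "
                    f"AND product = '{term}' ORDER BY product_id")


def search_filtered(db, term):
    # Here doubling the quote does keep the term inside the string literal...
    return search_concat(db, scanner_filter(term))


def search_param(db, term):
    # ...but binding does the same without guessing the context or mangling input.
    return rows(db, "SELECT product FROM products WHERE status = 'A' "
                    "AND product = ? ORDER BY product_id", (term,))


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "2 OR 1=1"))        # all three rows, disabled one included
    print(lookup_filtered(db, "2 OR 1=1"))      # identical: the blacklist did nothing
    print(lookup_param(db, "2 OR 1=1"))         # [] - not a valid product_id
    print(search_concat(db, "x' OR '1'='1"))    # all three rows
    print(search_filtered(db, "x' OR '1'='1"))  # [] - quote doubling worked here
    print(scanner_filter("Jean-Luc (UK)"))      # JeanLuc UK - legitimate input damaged
```

SQLite treats a doubled quote as the only escape inside a string literal. MySQL, in its default sql_mode, also treats the backslash as an escape, so the quote-doubling line alone is not safe even in a quoted context there: a `\'` in the input leaves the quote that follows it live. Against MySQL from PHP, bind values with mysqli prepared statements or PDO rather than hand-rolled character filtering.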

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 21 March 2008 - 09:18 PM #2

Hi

NOT my field, however I would not implement any changes until you have at least contacted your host.

SCombs is the forum expert but I don't see him here very often these days (a busy man). You have always got to remember there are a lot of mimics out there and this could always be a spoof who wants to inject via you!

As I said NOT my field.

BarryH


 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • MikeFold
  • Senior Member
  • Members
  • Join Date: 24-Nov 06
  • 1034 posts

Posted 21 March 2008 - 09:46 PM #3

Search "hackersafe" for more input on this subject.

Seamlessly Upgraded to 1.3.5sp4 from 1.3.4sp3
Live: Playboy Collectors Gallery (Adult)

LOOKING FOR A FEW COPIES OF THE NEW LITHUANIA PLAYBOY ISSUES...AND COLOMBIA ISSUES.....
FEEL FREE TO Private Message Me....THANKS

Slightly Modded Default Red | Zardos Lightbox | Sitemap | Multicards Payment Mod |
Cart & Checkout Pages Modified |

 
  • gpro
  • Senior Member
  • Members
  • Join Date: 24-Nov 07
  • 166 posts

Posted 21 March 2008 - 10:00 PM #4

I actually have posted about this in a different thread, but the subject there was MySQL disclosure; now it's MySQL SQL Injection Vulnerability, and they called me saying this vulnerability is critical and users can actually add/modify the database.

They gave me a URL string where it discloses some of the DB info, and hackers can use it to their advantage.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 22 March 2008 - 01:18 AM #5

Did you notify the CS Cart helpdesk? If not you should as this may affect everyone using CS.
Pimpin' skins since v1.0

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 22 March 2008 - 01:24 AM #6

My guess is this is what they found.

http://secunia.com/advisories/29468/

I have notified CS of this alert.

 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 22 March 2008 - 01:54 AM #7

The vulnerability is confirmed in version 1.3.5-SP2 trial edition and reported in version 1.3.2. Other versions may also be affected.
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1

 
  • Codies
  • Junior Member
  • Members
  • Join Date: 10-Jun 07
  • 25 posts

Posted 22 March 2008 - 01:57 AM #8

Can you notify cs-cart with that information, please? I hope cs-cart can fix this soon.


 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 24 March 2008 - 02:35 PM #9

Hello,

The XSS attack CANNOT be performed using this vulnerability, as all HTML tags are stripped from incoming data. It can just break the page layout slightly.

Will be fixed in SP3.

 
  • Codies
  • Junior Member
  • Members
  • Join Date: 10-Jun 07
  • 25 posts

Posted 24 March 2008 - 10:03 PM #10

Hi Zeke,

For those of us that can't afford to update to SP3, can you release a hotfix just for this? Or I don't mind some instructions to fix it myself.
Any sign of a hacked site will degrade consumer confidence greatly.

Thank you.


 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 25 March 2008 - 06:58 AM #11

Sure,

"customer/side_boxes/search.tpl" - replace:

{$search_data.search_string|fn_stripslashes}

with

{$search_data.search_string|fn_stripslashes|escape:html}
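As an added illustration of what the one-line template change above does (example code, not CS-Cart's own), the following Python models the search box around the reflected value. The `<input>` markup is an assumed stand-in for what search.tpl renders, `fn_stripslashes` is modelled on PHP's stripslashes(), and Smarty's `escape:html` on htmlspecialchars() via Python's `html.escape`. Tag stripping of incoming data, as described in post #9, removes the `<new>` but leaves the double quote, which closes the `value` attribute early and is what breaks the page layout; `escape:html` turns the quote and angle brackets into entities, so an HTML parser reads the whole string back as the attribute value.

```python
"""Tag stripping vs. HTML escaping of a reflected search string (added example;
not CS-Cart code). SEARCH_BOX is an assumed stand-in for the markup search.tpl
renders; fn_stripslashes is modelled on PHP's stripslashes(), and escape:html
on htmlspecialchars() via html.escape."""
import html
import re
from html.parser import HTMLParser

# Assumed markup around the reflected value; not taken from search.tpl.
SEARCH_BOX = '<input type="text" name="search_string" value="{value}">'


def fn_stripslashes(s):
    """Stand-in for the template's fn_stripslashes: undo magic_quotes backslashes."""
    return re.sub(r"\\(.)", r"\1", s)


def strip_tags(s):
    """Remove <...> sequences, as post #9 says is done to incoming data."""
    return re.sub(r"<[^>]*>", "", s)


def render_stripped(search_string):
    # Tags removed, no entity encoding: a stray double quote still ends the attribute.
    return SEARCH_BOX.format(value=strip_tags(fn_stripslashes(search_string)))


def render_escaped(search_string):
    # Equivalent of {$search_data.search_string|fn_stripslashes|escape:html}
    return SEARCH_BOX.format(value=html.escape(fn_stripslashes(search_string), quote=True))


class _InputAttrs(HTMLParser):
    """Collect the attributes an HTML parser sees on the <input> element."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attrs(markup):
    p = _InputAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


if __name__ == "__main__":
    # Constructed search string as PHP magic_quotes would deliver it: 15\" monitor <new>
    raw = r'15\" monitor <new>'
    print(render_stripped(raw))   # value="15" monitor ">  -> attribute closed early
    print(render_escaped(raw))    # value="15&quot; monitor &lt;new&gt;"
    print(parsed_attrs(render_stripped(raw))["value"])  # 15
    print(parsed_attrs(render_escaped(raw))["value"])   # 15" monitor <new>
```

The parser step is the point: with escaping, `parsed_attrs` returns the user's string unchanged as the `value` attribute, whereas with stripping only it returns `15` and treats the rest of the string as further attributes of the element.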


 
  • wwgreen
  • Senior Member
  • Members
  • Join Date: 20-Nov 06
  • 411 posts

Posted 25 March 2008 - 12:05 PM #12

Zeke or anyone - This "hotfix" you have posted above... what versions of CS should this code change be applied to? Some clarification would be nice for the newbs and paranoid among us... namely me. :D Thanks!

v4.9.2sp1


 
  • The Tool
  • Been Here Way Too Long Member
  • Members
  • Join Date: 30-Mar 07
  • 3732 posts

Posted 25 March 2008 - 12:57 PM #13

I would assume that it's for 1.3.5 SP2, since zeke stated that it would be fixed in SP3.

 
  • wwgreen
  • Senior Member
  • Members
  • Join Date: 20-Nov 06
  • 411 posts

Posted 25 March 2008 - 01:05 PM #14

Texas - Understood. Just wasn't sure if this was a new vuln. over all versions or just 1.3.5. Thanks.



 
  • MikeFold
  • Senior Member
  • Members
  • Join Date: 24-Nov 06
  • 1034 posts

Posted 25 March 2008 - 02:19 PM #15

The string appears in 1.3.4 SP3, so I just replaced it anyway.

 
  • glyndon
  • Senior Member
  • Members
  • Join Date: 07-Dec 06
  • 187 posts

Posted 25 March 2008 - 10:54 PM #16

I'm using 1.3.4sp1 and after running a search the code
{$search_data.search_string|fn_stripslashes}
appears in quite a few places.

Should they all be updated?

 
  • gpro
  • Senior Member
  • Members
  • Join Date: 24-Nov 07
  • 166 posts

Posted 26 March 2008 - 12:23 AM #17

Yes, they shouldn't break your site.

 
  • wwgreen
  • Senior Member
  • Members
  • Join Date: 20-Nov 06
  • 411 posts

Posted 27 March 2008 - 08:02 PM #18

Like so many past issues, lack of clarification may leave some users out of the loop.

-- what versions does this affect?
-- what changes need to be done?
-- what files do these changes need to be made to?

Thank you for any input.



 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 31 March 2008 - 10:04 AM #19

Hello,

-- what versions does this affect?

All versions - from 1.3.2 to 1.3.5-sp2.

-- what changes need to be done?

Replace the code as in the example above.

-- what files do these changes need to be made to?

skins/YOUR_SKIN/side_boxes/search.tpl

 
  • wwgreen
  • Senior Member
  • Members
  • Join Date: 20-Nov 06
  • 411 posts

Posted 31 March 2008 - 03:49 PM #20

zeke - Thank you!
