Message-Id: <200701221606.45603.michael@fishnet.us>
Date: Mon, 22 Jan 2007 16:06:45 -0600
From: Michael Brennen <michael@...hnet.us>
To: bugtraq@...urityfocus.com
Cc: saps.audit@...il.com
Subject: Re: FishCart [injection sql]
On Sunday 21 January 2007 13:45, saps.audit@...il.com wrote:
> vendor site: http://fishcart.org/
> product: fish cart
> bug: injection sql
> risk: medium
>
> injection sql:
> /display.php?cartid=200701210157208&zid=1&lid=1&olimit=5&cat=&key1=&nlst=y&olst='[sql]
>
> ( change the cartid value with yours )
> laurent gaffie
> http://s-a-p.ca/
> contact: saps.audit@...il.com
The developers were never notified before this was posted. Had the poster
exercised this simple courtesy he would have found that this is not an SQL
injection error.

A perusal of the open source shows that the olst parameter used in the above
URL is never used in an SQL statement.

This was in fact a latent condition turned up by the 'nlst' and 'olst'
parameters being active simultaneously, a condition not normally seen in
FishCart. Artificially setting both active resulted in an inconsistent SQL
query and thus a reported SQL error. There was never an SQL injection error
here.

This is similar to the last erroneous FishCart SQL injection bug, bugtraq ID
13499 of May 4, 2005 reported by 'dcrab', in which an artificially
constructed URL not normally occurring in FishCart operation was posted. That
URL tripped a condition that resulted in an SQL error due to an inconsistent
SQL statement, not an SQL injection error as reported. There never was an
SQL injection then. dcrab did not notify the developers in advance either.

FishCart has long filtered parameters to avoid SQL injection errors and
similar sorts of bugs. The hardening fix for the dcrab report was
immediately added to source when reported. The hardening fix for this report
is now committed to CVS, and the impending 3.2 release will of course have
the fix as well.
--
Michael Brennen
President, FishNet(R), Inc.
Professional Internet Services
972.669.0041
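As an added illustration (not FishCart code, and not written by either poster), the following Python/sqlite3 sketch models the situation the reply describes: two listing modes, 'nlst' and 'olst', that were never meant to be active together; a query builder that emits a syntactically invalid statement when they are (an SQL error, but not an injection, because the parameter's raw text is mapped through a fixed table and never spliced into the query); a hardened builder that rejects the contradictory combination up front; and a canary check a reviewer can use to confirm whether a given parameter's text ever reaches the SQL string. The table, column names, sample rows, parameter semantics and helper names are constructed assumptions for this example only.

```python
import sqlite3

# Constructed sample catalogue; not FishCart's schema or data.
ROWS = [
    (1, 1, 1, "reel", 40.0),
    (2, 1, 1, "rod", 120.0),
    (3, 1, 1, "lure", 5.5),
    (4, 2, 1, "net", 30.0),
]


def open_catalogue():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, zid INTEGER, "
        "lid INTEGER, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


class InconsistentQuery(ValueError):
    """Raised when a request asks for two listing modes that cannot both apply."""


def _order_direction(olst):
    # olst is mapped through a fixed table: its raw text never reaches the SQL string.
    return {"a": "ASC", "d": "DESC"}.get(olst, "DESC")


def build_listing_naive(params):
    """Appends one ORDER BY per active mode (assumed semantics). With nlst=y and
    olst set together this yields two ORDER BY clauses: a syntax error, not an
    injection point, since every user value is bound or whitelisted."""
    sql = "SELECT name FROM products WHERE zid = ? AND lid = ?"
    args = [int(params.get("zid", 0)), int(params.get("lid", 0))]
    if params.get("nlst") == "y":
        sql += " ORDER BY id DESC"          # "newest first" listing mode
    if params.get("olst") is not None:
        sql += " ORDER BY price " + _order_direction(params["olst"])
    sql += " LIMIT ?"
    args.append(int(params.get("olimit", 5)))
    return sql, args


def build_listing_hardened(params):
    """Same query, but mutually exclusive modes and unknown olst values are
    rejected before any SQL is built, so the server never sees the bad statement."""
    if params.get("nlst") == "y" and params.get("olst") is not None:
        raise InconsistentQuery("nlst and olst cannot both be set")
    if params.get("olst") not in (None, "a", "d"):
        raise InconsistentQuery("olst must be 'a' or 'd'")
    return build_listing_naive(params)


def build_search_interpolated(params):
    """Deliberately the wrong pattern, kept only for contrast with the builders
    above: key1 is spliced into the SQL text, which is what a genuine injection
    point looks like and what the canary check below detects."""
    return ("SELECT name FROM products WHERE name LIKE '%"
            + params.get("key1", "") + "%'", [])


def run_listing(builder, params):
    sql, args = builder(params)
    conn = open_catalogue()
    try:
        return [name for (name,) in conn.execute(sql, args)]
    finally:
        conn.close()


def listing_outcome(builder, params):
    """Returns ('rows', [...]), ('sql_error', exception name) or ('rejected', reason),
    making the difference between a database error and a refused request explicit."""
    try:
        return ("rows", run_listing(builder, params))
    except InconsistentQuery as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("sql_error", type(exc).__name__)


def parameter_reaches_sql_text(builder, name, base=None):
    """Canary check: set one parameter to a unique token and see whether that
    token appears in the generated SQL string. True means the value is
    interpolated (injectable); False means it is bound, whitelisted, ignored,
    or rejected before a query exists."""
    token = "CANARY_7f3e"
    params = dict(base or {"zid": "1", "lid": "1"})
    params[name] = token
    try:
        sql, _args = builder(params)
    except (ValueError, TypeError):
        return False
    return token in sql


if __name__ == "__main__":
    both = {"zid": "1", "lid": "1", "nlst": "y", "olst": "d"}
    print("naive, both modes:   ", listing_outcome(build_listing_naive, both))
    print("hardened, both modes:", listing_outcome(build_listing_hardened, both))
    print("olst reaches SQL text:", parameter_reaches_sql_text(build_listing_naive, "olst"))
    print("key1 reaches SQL text:", parameter_reaches_sql_text(build_search_interpolated, "key1"))
```

The canary check is the programmatic form of the reply's "perusal of the open source": an SQL error triggered by a crafted URL only becomes an injection finding if the parameter's text is actually concatenated into the statement, and the check separates those two cases without needing a live database.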