Open Source and information security mailing list archives
Date: Thu Oct  6 09:27:37 2005
From: defa at systemli.org (Defa)
Subject: OScommerce: "Additional Images" Module SQL Injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

Doing forensics in a hacked shop system we found the following vulnerability in the "Additional Images" module of OScommerce (author: zaenal <zaenal AT paramartha.org>). Find more detailed information here: http://www.oscommerce.com/community/contributions,1032

Description:

If an anonymous remote user changes the value of 'products_id' when requesting "product_info.php", he is able to insert SQL code into the SQL query that the module builds from it, if the module in question is installed.

Impact:

An attacker might read out parts or the whole of the database.

Code:

The following code on line 16 of SHOPROOT/catalog/includes/modules/additional_images.php doesn't check the value of the "products_id" variable before concatenating it into the query:

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM "
    . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'");

Solution:

Contact the author/vendor.

Workaround:

Change line 16 in SHOPROOT/catalog/includes/modules/additional_images.php to:

$images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM "
    . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int) $HTTP_GET_VARS['products_id'] . "'");
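
The following script is an added example, not code from this advisory or from the osCommerce contribution. It rebuilds the SQL string that line 16 would hand to tep_db_query() in both the original and the patched form, so the effect of the (int) cast on the description's "changed products_id" case can be inspected without a database. TABLE_ADDITIONAL_IMAGES is the osCommerce constant named above, but its value here is assumed; the function names and the sample request values are constructed for this example.

```php
<?php
// Added example (not from the advisory or osCommerce). Shows what the two
// versions of line 16 actually send to the database for the same request
// values. TABLE_ADDITIONAL_IMAGES value is assumed; helper names are ours.

define('TABLE_ADDITIONAL_IMAGES', 'additional_images');

function select_prefix(): string
{
    return "SELECT additional_images_id, products_id, images_description, "
        . "medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES;
}

// Original line 16: the raw request value is spliced into the SQL text, so
// every character in it, quotes included, becomes part of the statement.
function build_query_original(array $get): string
{
    return select_prefix() . " WHERE products_id = '" . $get['products_id'] . "'";
}

// Patched line 16 (the advisory's workaround): (int) keeps only the leading
// integer of the value, so the quoted literal can never be broken out of.
function build_query_patched(array $get): string
{
    return select_prefix() . " WHERE products_id = '" . (int) $get['products_id'] . "'";
}

// Stricter check a maintainer could add before running the query: a product id
// is expected to be a plain decimal number, so anything else can be rejected
// and logged instead of being silently coerced to 0 by the cast.
function is_plain_product_id($value): bool
{
    return is_string($value) && preg_match('/^[0-9]+$/', $value) === 1;
}

// Constructed request values: a normal id, a value carrying a stray single
// quote (the kind of request that stands out in a web server log), and a
// non-numeric value.
$samples = ['28', "28'", 'abc'];

foreach ($samples as $value) {
    $get = ['products_id' => $value];
    printf("input %-7s plain id: %s\n",
        var_export($value, true),
        is_plain_product_id($value) ? 'yes' : 'no');
    printf("  original: %s\n", build_query_original($get));
    printf("  patched:  %s\n", build_query_patched($get));
}
```

For the second sample the original form emits `WHERE products_id = '28''`, an unbalanced literal that shows the request value has reached the SQL parser; the patched form emits `'28'` in both the second and the first case, and `'0'` for `abc`. The cast is the right tool here because products_id is an integer key; for string columns an escaping function or a prepared statement would be needed instead.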

Thanks to the guy who found the log entry in question.

bye
defa
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDRN/RLVkyr1ln0PsRAvq1AKCMsv4mUwkpBw4mWkeRsyuZ620U2wCfad4J
UD8gpoM85ndrWcEeGz0tcZ8=
=ifBl
-----END PGP SIGNATURE-----
