[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: E-Store SQL Injection Vulnerability



Previously discovered:

http://packetstormsecurity.org/0812-exploits/estore-sql.txt 856a5dc9cba52e892cbb54bd2e1a0a82 getaphpsite e-store suffers from a remote SQL injection vulnerability in SearchResults.php. Authored By <a href="mailto:trt-turk[at]hotmail.com";>ZoRLu</a>

On Fri, Dec 11, 2009 at 05:50:54AM +0100, Salvatore Fresta aka Drosophila wrote:
> E-Store SQL Injection Vulnerability
> 
>  Name              E-Store
>  Vendor            http://www.getaphpsite.com
> 
>  Author            Salvatore Fresta aka Drosophila
>  Website           http://www.salvatorefresta.net
>  Contact           salvatorefresta [at] gmail [dot] com
>  Date              2009-09-03
> 
> X. INDEX
> 
>  I.    ABOUT THE APPLICATION
>  II.   DESCRIPTION
>  III.  ANALYSIS
>  IV.   SAMPLE CODE
>  V.    FIX
>  VI.   DISCLOSURE TIMELINE
> 
> 
> I. ABOUT THE APPLICATION
> 
> E-Store is a commercial PHP e-commerce.
> 
> 
> II. DESCRIPTION
> 
> This application presents a SQL Injection bug.
> 
> 
> III. ANALYSIS
> 
> Summary:
> 
>  A) SQL Injection
> 
> A) SQL Injection
> 
> The GET where parameter  passed to SearchResults.php has not
> properly sanitised. Because of the affected query, the Magic
> Quotes GPC flag (php.in) may be on.
> 
> 
> IV. SAMPLE CODE
> 
> http://site/path/SearchResults.php?SearchTerm=&where=ItemName UNION
> ALL SELECT 1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16%23&ord1=ItemName&ord2=asc&search1=Go!
> 
> 
> V. FIX
> 
> No patch.