by r0t,der4444,cembo,VietMafia

Friday, November 25, 2005

CS-Cart SQL inj. vuln.

CS-Cart SQL inj. vuln.

Vuln. dicovered by : r0t
Date: 25 nov. 2005
Vendor:www.cs-cart.com
affected version: Latest.


Product description:
CS-Cart is a turnkey solution that includes all of the necessary features and functions to successfully build an online product store/catalog. It is ready to use "out of the box". With its easy to use functionality you can immediately start to build and operate an ecommerce website of any complexity: from a simple offline product catalog to fully-featured interactive online store. Optimized programming code makes it possible to build catalogs that can easily handle over 10,000 product and informational pages. And integrated HTML catalog tool allows generating a search-engine friendly version of your website.


Vuln. Description:

Input passed to the "sort_by" and "sort_order" parameters isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

example:
/index.php?target=products&mode=search&subcats=
Y&type=extended&avail=Y&pshor=Y&pfull=Y&pname
=Y&cid=0&q=&x=11&y=3&sort_by=[SQL]

/index.php?target=products&mode=search&subcats=
Y&type=extended&avail=Y&pshor=Y&pfull=Y&pname=Y&cid
=0&q=%27&x=11&y=3&sort_by=product&sort_order=[SQL]


Solution:
Edit the source code to ensure that input is properly sanitised.

3 Comments:

Anonymous Anonymous told...

Actually, CS-Cart filters and sanitizes all data came into script from user.
Thus there is no any possibility to apply any kind of SQL injection with CS-Cart.
The bug described in this article is just a bug but not vulnerability as it causes script execution error and can't be used to affect any data anyhow.

Anyway, this is already fixed in the latest CS-Cart version.

9:49 AM

 
Anonymous r0t told...

No SQL injection was real... its good to hear that you fix in new version...

7:41 PM

 
Anonymous Anonymous told...

CS-Cart shopping cart with a fix you can download now All bugs are fixed

7:21 AM

 

Post a Comment

<< Home

 
Copyright (c) 2006 Pridels Sec Crew