Old 20th September 2008, 04:51 AM   #1
DrByte
Security Alert: SQL Injection Protection 2008-09-19

UPDATE TO Security Alert: SQL Injection Risk

On Aug 31 we posted an alert regarding an SQL Injection Vulnerability.

Further code review has revealed that the proposed code fix was incomplete.
Also, the "fix" recommended previously was somewhat complicated to implement due to the need to edit PHP files in a few places.

As such, the following fix is recommended.

ALL v1.2.x and v1.3.x STORES SHOULD INSTALL THIS SIMPLE PATCH:

a) Download and unzip the attached file (shown in the next post, below).
b) Use your FTP program to upload the file to your /includes/extra_configures/ folder

That's all.
  • This one fix applies to both v1.2.x and v1.3.x
  • If you've already applied the Aug 31 patch updates, you need to make an edit to them, as documented in the next post below ... and you should still install the patch file.
  • If you haven't installed the Aug 31 update, you don't need to: just install the patch file below instead.


Thanks to Yuki Shida at zen-cart.jp for assistance in this discovery.
Zen Cart - putting the dream of business ownership within reach of anyone!

Last edited by DrByte; 23rd September 2008 at 08:33 PM. Reason: removed incorrect patch file ... use the one from the next post instead
Old 23rd September 2008, 08:32 PM   #2
Re: Security Alert: SQL Injection Protection 2008-09-19

UPDATE:

Apparently the fixes from Aug 31 and Sept 19 (above) were a little over-enthusiastic, and can break functionality in two specific cases:
a) if you have checkbox-style attributes assigned to your products, they can't be added to your cart
b) if you have your store set to use fractional product quantities, the quantity was being handled wrong because it was disallowing the decimal point.

Thus, two adjustments are needed:

1. ** EVERYONE SHOULD DO THIS ** The attached patch file is an update to (and yes, is the *same* filename), and should replace, the one originally issued on Sept 19. After unzipping, it should be uploaded to /includes/extra_configures/
If you have not already uploaded this patch, you should do it now, using the attached file.

2. ** SOME SITES SHOULD DO THIS **
* If you have NOT already made the Aug 31 edits, you can ignore them and just use the attached patch file, installing it as described in the post above.

* If you *HAVE* already made the Aug 31 edits to /includes/classes/shopping_cart.php and you are using v1.3.x, you NEED to fix it as shown below:
Specifically, you will need to change the last line you edited, and add a "." inside the square brackets as shown:
Change from this:
Code:
          $prodId = ereg_replace('[^0-9a-f:]', '', $key);
to this:
Code:
          $prodId = ereg_replace('[^0-9a-f:.]', '', $key);


NOTE: These changes are not compatible with PHP 5.3. If using PHP 5.3, apply the PHP 5.3 patch AFTER making these changes.
Attached Files
File Type: zip security_patch_v138_20080919.php.zip (851 Bytes, 7839 views)

Last edited by DrByte; 24th September 2008 at 02:20 AM. Reason: corrected name of file: /includes/classes/shopping_cart.php
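The whitelist filter from the corrected patch line above, written as an added illustration (not Zen Cart's own code) using preg_replace() so it also runs on PHP 5.3, where ereg_replace() is deprecated; the function names and the sample keys are hypothetical.

```php
<?php
// Added example, not part of the Zen Cart patch. Same character class as the
// corrected ereg_replace() line: digits and a-f (product id and attribute
// hash), ':' (id/attribute separator) and '.' (decimal point, the Sept 23
// correction for stores using fractional quantities).
function sanitize_cart_key($key) {
    return preg_replace('/[^0-9a-f:.]/', '', (string)$key);
}

// Stricter variant for logging/monitoring: report whether anything had to be
// stripped, so a tampered cart key is visible instead of silently "repaired".
function cart_key_is_clean($key) {
    return sanitize_cart_key($key) === (string)$key;
}

// Constructed sample inputs (hypothetical values)
$samples = array(
    '12',              // plain product id
    '12:4f8d0a3c',     // product id with attribute hash
    '12.5',            // key containing a decimal point; kept only with the '.' fix
    "12' OR 1=1",      // tampered key of the kind the filter is meant to neutralise
);
foreach ($samples as $s) {
    printf("%-14s -> %-14s clean=%s\n", $s, sanitize_cart_key($s),
        cart_key_is_clean($s) ? 'yes' : 'no');
}
```

A key for which cart_key_is_clean() returns false is worth logging before the request proceeds; the stripped value alone hides that tampering was attempted.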
Old 30th September 2008, 06:21 AM   #3
DrByte
Re: Security Alert: SQL Injection Protection 2008-09-19

And ... for everyone who wonders ...

The "missing" ?> tag at the end of the file is intentional. See this related FAQ: http://tutorials.zen-cart.com/index.php?article=313