  1. #1

    Who's Online - Strange Links

    Occasionally when I look at Who's Online, I see page links like these:

    /index.php?main_page=product_info&=-1%27
    /index.php?main_page=product_info&...

    Does anyone know what the purpose of this would be?

    Thanks in Advance

    ~D

  2. #2

    Re: Who's Online - Strange Links

    Those are not normal, and are not part of typical customer activity.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3

    Re: Who's Online - Strange Links

    I see those exact ones often.

    Curious if it's something to worry about.

    The IPs are typically overseas.

  4. #4

    Re: Who's Online - Strange Links

    Whoever's doing that is trying to probe for database SQL injection problems by passing parameters which could be used to trick the database into providing unauthorized information or even to change database contents.

    But Zen Cart sanitizes against those kinds of things out-of-the-box.

    If you're using the current version of Zen Cart and haven't added code which changes how database operations work or how data inputs are sanitized and URLs are manipulated, then you should be fine.

    Still, I'd probably be inclined to block anyone doing that.

  5. #5

    Re: Who's Online - Strange Links

    Thanks Dr. B!!

  6. #6

    Re: Who's Online - Strange Links

    The new one I see has 'A=0 rather than the 1%27.

  7. #7

    Re: Who's Online - Strange Links

    Originally posted by xandros2000:
    > The new one I see has 'A=0 rather than the 1%27.

    Basically the same thing as previously described. It is to accomplish the same goal, i.e., cause an error by the system stating that A=0 is false. As Dr. Byte indicated, ZC out of the box handles this fine. If not done already, be sure that any plugins associated are up-to-date. It is possible that older versions allow such statements to be a problem.

  8. #8

    Re: Who's Online - Strange Links

    Originally posted by mc12345678:
    > A=0 is false

    Although not really important, A=0 equates to True.
    This is a very old trick that was often used to effectively bypass Username/password logins (which would typically return a "false" If they didn't match).
    Inserting something like A=0; would make the response return a "true" no matter what username/password was supplied.
    The variable "A" and the value "0" are arbitrary.
    B=666; is just as effective.

    This is why it is important that all inputs are (or should be) "sanitised" before use (as Zen Cart does).

    Cheers
    RodG
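
    An added example (not code from this thread or from Zen Cart, and in Python rather than Zen Cart's PHP) that ties the probing described in post #4 to the sanitising point in post #8: it flags the Who's Online link shapes quoted above, then shows the same `-1'` input hitting a concatenated query (which errors, as the probe hopes) versus a parameterised one (which simply matches nothing). The link list, the `products` table and its columns are constructed for the demo.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample of Who's Online page links, modelled on the thread's examples.
SAMPLE_LINKS = [
    "/index.php?main_page=product_info&products_id=12",
    "/index.php?main_page=product_info&=-1%27",
    "/index.php?main_page=product_info&products_id=12%27A=0",
    "/index.php?main_page=index&cPath=3",
]


def looks_like_probe(link: str) -> bool:
    """Flag a link whose query string has an empty parameter name or a bare
    single quote in a value (the -1' and 'A=0 shapes seen in the thread)."""
    query = urlsplit(link).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "" or "'" in unquote(value):
            return True
    return False


def lookup_product(conn, products_id: str, safe: bool):
    """Fetch product names by id. safe=False builds the SQL by string
    concatenation (the pattern probes hunt for); safe=True binds a parameter."""
    cur = conn.cursor()
    if safe:
        cur.execute("SELECT products_name FROM products WHERE products_id = ?",
                    (products_id,))
    else:
        cur.execute("SELECT products_name FROM products WHERE products_id = "
                    + products_id)
    return [row[0] for row in cur.fetchall()]


def demo():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the store DB
    conn.execute("CREATE TABLE products (products_id INTEGER, products_name TEXT)")
    conn.execute("INSERT INTO products VALUES (12, 'Widget')")
    probe = "-1'"
    try:
        # The stray quote leaves the statement unterminated: a database error,
        # which is exactly the signal the probe is looking for.
        lookup_product(conn, probe, safe=False)
        concat_result = "no error"
    except sqlite3.OperationalError:
        concat_result = "sql error"
    # Bound as a parameter, the same input is just a value that matches no row.
    bound_result = lookup_product(conn, probe, safe=True)
    return concat_result, bound_result
```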
