    Security Alert: SQL Injection Risk (posted Aug 31)

    A vulnerability in Zen Cart v1.3.0-to-1.3.8 has been identified (thanks to Gulftech Security Research) which could potentially allow rogue behavior if the site has magic_quotes_gpc turned off in their server/site's PHP settings.


    You should immediately apply the following fixes to your site, as shown below, according to the version of Zen Cart you're using:



    NOTE: THE FIXES SHOWN BELOW ARE SUPERSEDED BY THE FOLLOWING ANNOUNCEMENT: http://www.zen-cart.com/forum/showthread.php?t=108428



    YOU DO NOT NEED TO MAKE ANY OF THE FOLLOWING CHANGES if you follow the more thorough approach used in this post: http://www.zen-cart.com/forum/showthread.php?t=108428



    The fixes all involve /includes/classes/shopping_cart.php


    1. The following 2-part fix applies to all versions 1.2.x thru 1.3.8a:

    a) Around line 300, simply add the two new lines shown:
    Code:
                  if (is_array($value) ) {
                    reset($value);
                    while (list($opt, $val) = each($value)) {
                      $val = (int)$val; // new line: force the option value id to an integer before it reaches the SQL string
                      $products_options_sort_order= zen_get_attributes_options_sort_order(zen_get_prid($products_id), $option, $opt);
                      $sql = "insert into " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . "
                                            (customers_id, products_id, products_options_id, products_options_value_id, products_options_sort_order)
                                            values ('" . (int)$_SESSION['customer_id'] . "', '" . zen_db_input($products_id) . "', '" .
                                            (int)$option.'_chk'. $val . "', '" . $val . "',  '" . $products_options_sort_order . "')";
    
                                            $db->Execute($sql);
                    }
                  } else {
                    if ($attr_value) {
                      $attr_value = zen_db_input($attr_value);
                    }
                    $value = (int)$value; // new line: force the option value id to an integer before it reaches the SQL string
                    $products_options_sort_order= zen_get_attributes_options_sort_order(zen_get_prid($products_id), $option, $value);
                    $sql = "insert into " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . "
                                          (customers_id, products_id, products_options_id, products_options_value_id, products_options_value_text, products_options_sort_order)
                                          values ('" . (int)$_SESSION['customer_id'] . "', '" . zen_db_input($products_id) . "', '" .
                                          (int)$option . "', '" . $value . "', '" . $attr_value . "', '" . $products_options_sort_order . "')";
    
                                          $db->Execute($sql);
                  }
    b) Around line 400, you'll see a very similar (but different) block of code. Again, add the new lines, as shown here:
    Code:
              if (is_array($value) ) {
                reset($value);
                while (list($opt, $val) = each($value)) {
                  $val = (int)$val; // new line: force the option value id to an integer before it reaches the SQL string
                  $products_options_sort_order= zen_get_attributes_options_sort_order(zen_get_prid($products_id), $option, $opt);
                  $sql = "update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . "
                            set products_options_value_id = '" . $val . "'
                            where customers_id = '" . (int)$_SESSION['customer_id'] . "'
                            and products_id = '" . zen_db_input($products_id) . "'
                            and products_options_id = '" . (int)$option.'_chk'.$val . "'";
    
                  $db->Execute($sql);
                }
              } else {
                if (isset($_SESSION['customer_id'])) {
                  $value = (int)$value; // new line: force the option value id to an integer before it reaches the SQL string
                  $sql = "update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . "
                            set products_options_value_id = '" . $value . "', products_options_value_text = '" . $attr_value . "'
                            where customers_id = '" . (int)$_SESSION['customer_id'] . "'
                            and products_id = '" . zen_db_input($products_id) . "'
                            and products_options_id = '" . (int)$option . "'";
    
                  $db->Execute($sql);
                }
              }
    2. The following fix applies only to v1.3.0 thru v1.3.8a:

    Depending on what version, this section can be found around line 1650 up to line 1720:
    Simply change the $prodId= line to match what is shown below:
    Code:
      function actionMultipleAddProduct($goto, $parameters) {
        global $messageStack;
        if (is_array($_POST['products_id']) && sizeof($_POST['products_id']) > 0) {
          while ( list( $key, $val ) = each($_POST['products_id']) ) {
            if ($val > 0) {
              $adjust_max = false;
              $prodId = ereg_replace('[^0-9a-f:.]', '', $key); // changed line: keep only 0-9, a-f, ':' and '.' from the posted products_id key
              $qty = $val;
              $add_max = zen_get_products_quantity_order_max($prodId);
    ...
    NOTE: A quick tip to save some possible problems after making these edits: It is recommended that you remove the closing ?> tag from the very bottom of the file before saving it (otherwise you might end up with errors on your site when trying to add-to-cart if you mistakenly left a blank line at the end of the file).



    Once again, we wish to thank James Bercegay at Gulftech Security Research for his helpful input and assistance in identifying and confirming the fix for this matter.


    These fixes will of course be built-in to the next release of Zen Cart, meaning that versions newer than v1.3.8a are not affected by these reported issues.



    ref:
    gulftech.org/?node=research&article_id=00129-09042008
    securityfocus.com/bid/31023
    Last edited by DrByte; 23 Sep 2008 at 07:54 PM. Reason: update to regex

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
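The following is an added illustration, not Zen Cart's own code and not part of the announcement above. It reproduces in isolation what the two kinds of patched lines change: the `(int)` cast on an attribute value id and the character whitelist on the `products_id` key. It assumes a constructed customer id of 42, spells out the table name instead of using the `TABLE_CUSTOMERS_BASKET_ATTRIBUTES` constant, and uses `preg_replace` with the same character class because `ereg_replace` was removed in PHP 7. The helper names (`sanitizeProdIdKey`, `sanitizeOptionValue`, `buildAttributeInsert`, `valueSlotIsNumeric`) are invented for this example.

```php
<?php
// Added example, not Zen Cart code: shows what the patched lines in
// shopping_cart.php change when an attribute value id or a products_id key
// is interpolated into SQL with magic_quotes_gpc turned off.

// Same whitelist as the fix's ereg_replace('[^0-9a-f:.]', '', $key),
// written with preg_replace because ereg_replace was removed in PHP 7.
function sanitizeProdIdKey(string $key): string
{
    return preg_replace('/[^0-9a-f:.]/', '', $key);
}

// The (int) cast the fix adds before the value is placed in the query.
function sanitizeOptionValue($value): int
{
    return (int) $value;
}

// Builds the basket-attribute INSERT the way the patched block does.
// $applyFix = false reproduces the pre-fix path where the raw value
// reaches the SQL string. Customer id 42 is a constructed sample value.
function buildAttributeInsert(string $option, $value, bool $applyFix): string
{
    $safeValue = $applyFix ? sanitizeOptionValue($value) : $value;
    return "insert into customers_basket_attributes"
        . " (customers_id, products_options_id, products_options_value_id)"
        . " values ('42', '" . (int) $option . "', '" . $safeValue . "')";
}

// True when the value slot at the end of the statement holds only digits,
// i.e. nothing from the input altered the SQL text around it.
function valueSlotIsNumeric(string $sql): bool
{
    return (bool) preg_match("/, '\d+'\)$/", $sql);
}

// Constructed inputs: a normal numeric id and one carrying a quote
// character, which magic_quotes_gpc would have escaped when it was on.
$inputs = ['12', "12'"];

foreach ($inputs as $input) {
    $before = buildAttributeInsert('3', $input, false);
    $after  = buildAttributeInsert('3', $input, true);
    printf("input %-6s before fix: %s\n", var_export($input, true),
        valueSlotIsNumeric($before) ? 'intact' : 'BROKEN');
    printf("input %-6s after fix:  %s\n", var_export($input, true),
        valueSlotIsNumeric($after) ? 'intact' : 'BROKEN');
}

// The products_id key whitelist from fix 2: everything outside
// 0-9, a-f, ':' and '.' is dropped before the key is used.
foreach (['19:abc123', "19'x"] as $key) {
    printf("key %-12s -> %s\n", var_export($key, true),
        var_export(sanitizeProdIdKey($key), true));
}
```

Run it with the PHP CLI; the "before fix" line for the quoted input reports BROKEN because the quote lands inside the statement unescaped, while the cast version and both whitelist cases keep the statement's shape. The point of the check is that the fix does not depend on magic_quotes_gpc at all: integer casting and a character whitelist leave nothing for quoting to protect.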
