Description
1 Vulnerability basic information
- Name of software: oscommerce2
- Affected version: v2.2ms2-060817 <= oscommerce2 <= v2.3.4.1
- Types of vulnerabilities: sql injection (CWE-89)
- Vulnerability description and impact: admin\modules.php in oscommerce2 uses unsanitized variables to construct SQL statements, leading to an SQL injection vulnerability. It allows authenticated users to execute malicious SQL commands, obtain sensitive information from the database and facilitate subsequent attacks.
- Vulnerability contributor: Qin Mai, Xinyi Wang of VARAS@IIE
2 Cause of vulnerability
Analysis code version: v2.3.4.1
The vulnerable code is in admin\modules.php:37, as shown below:

In line 36 of the code above, the program takes $key and the corresponding $value from $HTTP_POST_VARS['configuration'] as key/value pairs and, in line 37, concatenates $key and $value directly into the SQL statement. On review, the program uses do_magic_quotes_gpc() in includes\functions\compatibility.php to sanitize the $HTTP_POST_VARS variable; the simplified code is as follows:

```php
if (!get_magic_quotes_gpc()) {
  do_magic_quotes_gpc($HTTP_GET_VARS);
  do_magic_quotes_gpc($HTTP_POST_VARS);
  do_magic_quotes_gpc($HTTP_COOKIE_VARS);
}

function do_magic_quotes_gpc(&$ar) {
  if (!is_array($ar)) return false;
  reset($ar);
  while (list($key, $value) = each($ar)) {
    if (is_array($ar[$key])) {
      do_magic_quotes_gpc($ar[$key]);   // recurse into nested arrays
    } else {
      $ar[$key] = addslashes($value);    // only the value is escaped; $key is written back unchanged
    }
  }
  reset($ar);
}
```

A review of the sanitization code above shows that do_magic_quotes_gpc() escapes only the $value side of $HTTP_POST_VARS['configuration'] and leaves $key untouched. The unfiltered $key is then used to construct the SQL statement in admin\modules.php:37, resulting in an SQL injection vulnerability.
3 Vulnerability recurrence
Version: v2.3.4.1
- 1) Log in to the application with an authorized account
- 2) Use the POC to trigger the vulnerability
4 Vulnerability fixes
admin\modules.php:37
Apply the addslashes() function to the $key argument:

```php
...
if (tep_not_null($action)) {
  switch ($action) {
    case 'save':
      reset($HTTP_POST_VARS['configuration']);
      while (list($key, $value) = each($HTTP_POST_VARS['configuration'])) {
        // $key is now escaped before being concatenated into the query
        tep_db_query("update " . TABLE_CONFIGURATION . " set configuration_value = '" . $value . "' where configuration_key = '" . addslashes($key) . "'");
      }
...
```
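As an added example (not oscommerce2 project code), the following PHP script models the two sanitization paths discussed in sections 2 and 4: a values-only sanitizer in the shape of do_magic_quotes_gpc(), and a variant that escapes keys as well, together with a small check that counts unescaped quotes in the resulting UPDATE statement. The function names sanitize_values_only, sanitize_keys_and_values, build_update and unescaped_quote_count, and the POST data, are assumptions constructed for the illustration; the foreach loops stand in for the original each() loops (each() is removed in PHP 8).

```php
<?php
// Added example, not oscommerce2 project code. It models the two code paths
// discussed above: the sanitizer that escapes array values but not keys, and a
// variant that escapes keys too. Function names are assumptions for
// illustration; the query shape mirrors admin/modules.php:37.

// Models do_magic_quotes_gpc(): walks the array and escapes leaf values only.
function sanitize_values_only(array &$ar): void {
    foreach ($ar as $key => $value) {
        if (is_array($value)) {
            sanitize_values_only($ar[$key]);
        } else {
            $ar[$key] = addslashes($value);   // $key is written back unchanged
        }
    }
}

// Hardened variant: rebuilds the array so that string keys are escaped as well.
function sanitize_keys_and_values(array $ar): array {
    $out = [];
    foreach ($ar as $key => $value) {
        $safe_key = is_int($key) ? $key : addslashes($key);   // keep numeric indices as-is
        $out[$safe_key] = is_array($value)
            ? sanitize_keys_and_values($value)
            : addslashes($value);
    }
    return $out;
}

// Same string-concatenated UPDATE as the affected line; the table name is a constant here.
define('TABLE_CONFIGURATION', 'configuration');
function build_update(string $key, string $value): string {
    return "update " . TABLE_CONFIGURATION
         . " set configuration_value = '" . $value
         . "' where configuration_key = '" . $key . "'";
}

// Check: counts single quotes not preceded by a backslash. A well-formed UPDATE of
// this shape has exactly four (two string literals); any other count means a
// quote from user input reached the query unescaped.
function unescaped_quote_count(string $sql): int {
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

// Constructed POST body: the key carries a stray quote, the value an apostrophe.
$posted = ['configuration' => ["STORE_NAME'" => "My Shop's Store"]];

// 1) Values-only sanitizer: the value is escaped, the key is not.
$vuln = $posted;
sanitize_values_only($vuln);
foreach ($vuln['configuration'] as $key => $value) {
    $sql = build_update($key, $value);
    printf("values-only: %s\n  unescaped quotes: %d\n", $sql, unescaped_quote_count($sql));
}

// 2) Keys-and-values sanitizer: both sides reach the query escaped.
$fixed = sanitize_keys_and_values($posted);
foreach ($fixed['configuration'] as $key => $value) {
    $sql = build_update($key, $value);
    printf("keys+values: %s\n  unescaped quotes: %d\n", $sql, unescaped_quote_count($sql));
}
```

Run it with `php example.php`. With the constructed input, the values-only path produces a query in which the raw quote in the key closes the configuration_key literal early, so the quote count is off and the statement is malformed; the keys-and-values path escapes that quote and the count matches a well-formed statement. Escaping the key at the point of use, as the fix in section 4 does with addslashes($key), yields the same query for this input as escaping it at input time; binding $key and $value as parameters of a prepared statement removes the dependency on quoting altogether.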

