Mailing List Archive

SQL Injection?
Hi guys,

Looks like I may have another issue. Again, the reference:
CentOS 6, Perl 5.10.1 (non-threaded), IC 5.8.2. Just ran a PCI scan from
controlscan.com, and they came back with a mess of SQL Injection vulns. Here
are a couple:


THREAT REFERENCE

Summary:
Blind SQL injection vulnerability in mv_search_field parameter to
/cgi-bin/cart/search.html?id=PC9Bp9yf

Risk: High (3)
Port: 80/tcp
Protocol: tcp
Threat ID: web_prog_sql_blind

Details: When a web application uses user-supplied input parameters
within SQL queries without first checking them for unexpected
characters, it becomes possible for an attacker to
manipulate the query. This type of attack is known as a
SQL injection attack.
For example, suppose a web program passes the following
query to the database application:
SELECT * FROM USERS WHERE USERNAME='$user' AND PASSWORD='$pass'
where $user and $pass are variables supplied by the user through a web form.
So if the user were to enter the name "admin" and the password "abc", the
query would become:
SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='abc'
and the database would return any existing record where the username is
"admin" and the password is "abc", thus authenticating
the user if the password "abc" is correct. Now suppose an attacker were to
enter a malformed password such as the following:
' OR 'a'='a
Inserting the malformed password into the query exactly as
it appears above would cause the query to become:
SELECT * FROM USERS WHERE USERNAME='admin' AND PASSWORD='' OR 'a'='a'
The resulting query would return the records where the username
is "admin" and the password is null OR the string 'a' equals 'a', which is
always true.
Thus, by manipulating the SQL query, all records are returned from the table
without having known the correct password.
This is just one example of an attack which is possible
using SQL injection. Other forms of attacks could allow
the attacker to gain unauthorized read, write, or delete
access to the database, or to retrieve passwords.
There are also security bypass vulnerabilities which allow for the
bypass of anti-sql-injection filters in the software.

Information From Target:
Service: 80:TCP
MySQL-style database, SQL SET / WHERE
Response time:
0 seconds normal response
16 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/search.html?id=PC9Bp9yf HTTP/1.0
Host: www.hostname.com
User-Agent: Mozilla/5.0
Content-length: 160
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123
Received: HTTP/1.1 200 OK

--------------------------------------------------------------------
Information From Target:
Service: 443:TCP
MS-SQL-style database, SQL SET / WHERE
Response time:
1 seconds normal response
16 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/process.html HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Content-length: 518
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_session_id=ongV2b9t&mv_doit=refresh&mv_orderpage=ord%2Fbasket&mv_nextpage=index&quantity0=0&quantity0=1&quantity1=0&quantity1=1&quantity2=0&quantity2=1&quantity3=0&quantity3=1&quantity4=0&quantity4=1&quantity5=0&quantity5=1&quantity6=0&quantity6=1&%5C%27mv_click_map%5C%27=%5C%27Check_Out%5C%27&%5C%27mv_click_Check_Out%5C%27=%5C%27%5C%27&mv_click=Check+Out&zip=123&%5C%27mv_click_map%5C%27=%5C%27Check_Shipping%5C%27&%5C%27mv_click_Check_Shipping%5C%27=%5C%27%5C%27&mv_click=x")%20waitf

---------------------------------------------------------------------
Information From Target:
Service: 443:TCP
MS-SQL-style database, SQL SET / WHERE
Response time:
1 seconds normal response
15 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/ord/next_step.html?id=ongV2b9t HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Content-length: 341
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123
Received: HTTP/1.1 200 OK
-----------------------------------------------------------------------

Is there something I have forgotten?

Bob

_______________________________________________
interchange-users mailing list
interchange-users@icdevgroup.org
http://www.icdevgroup.org/mailman/listinfo/interchange-users
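The scanner's explanation and its timing evidence, reproduced as an added example (not code from the original post, from Interchange, or from the scanner vendor). It builds the USERS query from the report by string interpolation and shows what the password ' OR 'a'='a does to it, then runs the same four-step timing oracle the report shows (normal, injected delay, injected non-delay, delay again) against a search term spliced into a LIKE clause. Assumptions: SQLite is used in place of MySQL, so a user-defined sleep() stands in for MySQL's sleep() and the report's xor is written as OR; DELAY is short so the script runs in about a second; the table rows are constructed sample data.

```python
"""Time-based blind SQL injection, reproduced against a local SQLite table.

Added example; not code from Interchange or from the scanner vendor.  It
models two things in the scan report above:

  * the query  SELECT * FROM USERS WHERE USERNAME='$user' AND PASSWORD='$pass'
    built by string interpolation, and what the payload  ' OR 'a'='a  does;
  * the scanner's timing oracle: a normal response, an injected delay, an
    injected non-delay, and the delay again.  Only when both delay payloads
    are slow and the non-delay payload is not is the parameter flagged.

Assumptions: SQLite has no sleep(), so a user-defined sleep() stands in for
MySQL's; MySQL's  xor  is written as  OR  because SQLite lacks xor; DELAY is
short so the example runs quickly.  The table rows are constructed data.
"""
import sqlite3
import time

DELAY = 0.3  # seconds; the real scan used sleep(15)


def make_db():
    """In-memory database with a constructed USERS table and a sleep() UDF."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USERS (USERNAME TEXT, PASSWORD TEXT)")
    con.executemany("INSERT INTO USERS VALUES (?, ?)",
                    [("admin", "s3cret"), ("bob", "hunter2")])

    def sleep(seconds):          # stand-in for MySQL's sleep(); returns 0 like it
        time.sleep(float(seconds))
        return 0

    con.create_function("sleep", 1, sleep)
    return con


def vulnerable_login(con, user, password):
    """The interpolated login query from the report; deliberately injectable."""
    sql = (f"SELECT * FROM USERS WHERE USERNAME='{user}' "
           f"AND PASSWORD='{password}'")
    return con.execute(sql).fetchall()


def vulnerable_search(con, spec):
    """A search term spliced into a LIKE clause the same way; also injectable."""
    sql = f"SELECT * FROM USERS WHERE USERNAME LIKE '%{spec}%'"
    return con.execute(sql).fetchall()


def time_request(request, payload):
    """Wall-clock seconds for one 'request'.  A SQL error still counts as a
    response: the scanner saw HTTP 200 either way and judged by time alone."""
    start = time.perf_counter()
    try:
        request(payload)
    except sqlite3.Error:
        pass
    return time.perf_counter() - start


def blind_sqli_by_timing(request, benign, delay_payload, nodelay_payload,
                         delay=DELAY):
    """The four measurements in the scan report, in the same order.
    Returns (vulnerable, (normal, delayed, not_delayed, delayed_again))."""
    normal = time_request(request, benign)
    slow1 = time_request(request, delay_payload)
    fast = time_request(request, nodelay_payload)   # same syntax, no delay:
    slow2 = time_request(request, delay_payload)    # rules out a slow server
    limit = normal + 0.8 * delay   # well above jitter, well below the delay
    verdict = slow1 > limit and slow2 > limit and fast < limit
    return verdict, (normal, slow1, fast, slow2)


def demo():
    con = make_db()
    # 1. Authentication bypass: the password  ' OR 'a'='a  turns the WHERE
    #    clause into (USERNAME='admin' AND PASSWORD='') OR 'a'='a', which is
    #    true for every row, so every row comes back without a valid password.
    rows = vulnerable_login(con, "admin", "' OR 'a'='a")
    # 2. Timing oracle against the search, with payloads shaped like the
    #    scanner's  x' xor sleep(15) /*  (xor -> OR, 15 -> DELAY, see above).
    verdict, times = blind_sqli_by_timing(
        lambda spec: vulnerable_search(con, spec),
        benign="123",
        delay_payload=f"x' OR sleep({DELAY}) /*",
        nodelay_payload="x' OR sleep(0) /*",
    )
    return len(rows), verdict, times


if __name__ == "__main__":
    n, verdict, times = demo()
    print(f"login bypass returned {n} rows; blind SQLi by timing: {verdict}")
    print("normal/delay/nodelay/delay-again:",
          " ".join(f"{t:.2f}s" for t in times))
```

The non-delay payload is the part of the scanner's method worth copying into your own checks: a server that is merely slow makes every request slow, while a real injection makes only the sleep() requests slow, and the report's 0/16/0/15 pattern is exactly that signature.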
Re: SQL Injection?
On Fri, 19 Sep 2014, Bob Puff wrote:

> Looks like I may have another issue. Again, the reference: CentOS 6,
> Perl 5.10.1 (non-threaded), IC 5.8.2. Just ran a PCI scan from
> controlscan.com, and they came back with a mess of SQL Injection vulns.

Thanks for the report, Bob. Most of us running production ecommerce sites
on Interchange created them some years ago and their template and page
code has diverged significantly from the standard demo, so our fixes for
past SQL injections may not have applied to the standard demo.

We welcome any patches you can contribute to fix such problems in the
demo!

It is typically easy to fix in ITL code by using:

[filter op=sql interpolate=1]...[/filter]

or

[PREFIX-filter sql]...[/filter]

around the SQL, or the js filter in JavaScript code or the entities filter
for plain HTML text.

Thanks,
Jon

--
Jon Jensen
End Point Corporation
http://www.endpoint.com/

Re: SQL Injection?
Hi Jon,

> It is typically easy to fix in ITL code by using:

> [filter op=sql interpolate=1]...[/filter]

> or

> [PREFIX-filter sql]...[/filter]

> around the SQL, or the js filter in JavaScript code or the entities filter
> for plain HTML text.

Thanks for the reply. You are correct in that this is code from the older
demo. I don't recall there being specific SQL in the pages in question,
although I will have a closer look. What does the filter you posted above
need to wrap around? Is that a generic statement that will apply to any
field, or do I need to specifically call out a variable name?

Bob


Re: SQL Injection?
On Fri, 19 Sep 2014, Bob Puff wrote:

> What does the filter you posted above need to wrap around? Is that a
> generic statement that will apply to any field, or do I need to
> specifically call out a variable name?

I would go around any user-supplied data that is to be put into SQL, e.g.
off the top of my head:

[query sql="SELECT * FROM products WHERE title LIKE '[sql-filter sql][cgi search][/sql-filter]'"]

Jon


--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
+1 507-399-0057

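What Jon's filter actually does to the scanner's payloads, and the one place it does not help, as an added example (not Interchange's own code and not from the thread). Interchange is assumed to implement the sql filter by doubling single quotes, the standard escape for a value inside a single-quoted SQL literal; the Python function below models that and runs both payloads from the scan (the MySQL sleep() one from mv_search_field and the MS-SQL waitfor delay one from mv_failpage) through an unfiltered, a filtered, and a bind-parameter version of a LIKE query. The query shapes, the ORDER BY built from a sort field, the products table, and the sleep() stand-in for MySQL's are all constructed for the example; the report's xor is written as OR for SQLite.

```python
"""What the  sql  filter does, and where it does not help.

Added example; not Interchange's own code.  Interchange is assumed to
implement  [filter op=sql]  by doubling single quotes (the usual way to
escape a value for a single-quoted SQL literal); sql_filter() models that
and the scanner's payloads are run through it against SQLite.  The query
shapes, the sleep() stand-in for MySQL's sleep() and the table rows are
constructed for the example; MySQL's  xor  is written as  OR  for SQLite.
"""
import sqlite3
import time

DELAY = 0.3  # seconds; the scan used sleep(15) and waitfor delay '00:00:15'

# Payloads from the scan report, with the 15-second delay shortened.
PAYLOAD_MYSQL = f"x' OR sleep({DELAY}) /*"           # mv_search_field
PAYLOAD_MSSQL = "x') waitfor delay '00:00:15' /*"    # mv_failpage


def sql_filter(value):
    """Model of Interchange's  sql  filter (assumed): make a value safe for
    a single-quoted literal by doubling every single quote."""
    return value.replace("'", "''")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (sku TEXT, title TEXT, category TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("os28004", "Ergo Roller", "Tools"),      # constructed rows
        ("os28005", "Trim Brush", "Brushes"),
    ])

    def sleep(seconds):          # stand-in for MySQL's sleep(); returns 0
        time.sleep(float(seconds))
        return 0

    con.create_function("sleep", 1, sleep)
    return con


def search_unfiltered(con, term):
    """[query sql="... LIKE '%[cgi search]%'"] with no filter: injectable."""
    return con.execute(
        f"SELECT sku FROM products WHERE title LIKE '%{term}%'").fetchall()


def search_filtered(con, term):
    """The same query with [sql-filter sql] around the value.  The payload
    becomes part of the literal:  LIKE '%x'' OR sleep(0.3) /*%'  matches
    nothing and executes nothing."""
    return con.execute(
        f"SELECT sku FROM products WHERE title LIKE '%{sql_filter(term)}%'"
    ).fetchall()


def search_safe(con, term):
    """Bind parameters: the value never touches the SQL text at all."""
    return con.execute("SELECT sku FROM products WHERE title LIKE ?",
                       (f"%{term}%",)).fetchall()


def sorted_filtered(con, sort_field):
    """Caveat: quote doubling only protects a quoted literal.  A sort column
    placed bare in ORDER BY (think mv_sort_field) is untouched by the filter,
    so  title, sleep(0.3)  still runs."""
    return con.execute(
        f"SELECT sku FROM products ORDER BY {sql_filter(sort_field)}").fetchall()


ALLOWED_SORT = {"sku", "title", "category"}


def sorted_safe(con, sort_field):
    """Identifiers cannot be bound or escaped; allow-list them instead."""
    if sort_field not in ALLOWED_SORT:
        raise ValueError(f"bad sort field: {sort_field!r}")
    return con.execute(f"SELECT sku FROM products ORDER BY {sort_field}").fetchall()


def timed(fn, *args):
    """Return (result or None, seconds); an error is still a 'response'."""
    start = time.perf_counter()
    try:
        result = fn(*args)
    except (sqlite3.Error, ValueError):
        result = None
    return result, time.perf_counter() - start


def demo():
    con = make_db()
    bad_sort = f"title, sleep({DELAY})"
    return {
        "benign":            timed(search_filtered, con, "Roller"),
        "unfiltered":        timed(search_unfiltered, con, PAYLOAD_MYSQL),   # slow
        "filtered":          timed(search_filtered, con, PAYLOAD_MYSQL),     # fast, no rows
        "filtered_mssql":    timed(search_filtered, con, PAYLOAD_MSSQL),     # fast, no rows
        "safe":              timed(search_safe, con, PAYLOAD_MYSQL),         # fast, no rows
        "order_by_filtered": timed(sorted_filtered, con, bad_sort),          # still slow
        "order_by_safe":     timed(sorted_safe, con, bad_sort),              # rejected
    }


if __name__ == "__main__":
    for name, (result, secs) in demo().items():
        print(f"{name:18s} {secs:5.2f}s  {result}")
```

The filter is the right fix for every place a [cgi ...] or [value ...] lands between quotes in a [query] or [sql ...] tag; for anything that lands outside quotes (a column name, a LIMIT count, an ORDER BY field) it does nothing, and those need an allow-list or a numeric check instead.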
Re: SQL Injection?
Hi Guys,

I've corrected all the [sql ... entries in my cart, but I still cannot find
where mv_click or the search stuff is done, that is reported below. I've
looked in all the pages, and in all the templates. Where do I find this?

search.html, process.html, and next_step.html are all files that don't
actually exist. mv_failpage - how does that even hit a SQL query?

Bob

reference:
--------------------------------------------------------------
Information From Target:
Service: 80:TCP
MySQL-style database, SQL SET / WHERE
Response time:
0 seconds normal response
16 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/search.html?id=PC9Bp9yf HTTP/1.0
Host: www.hostname.com
User-Agent: Mozilla/5.0
Content-length: 160
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123
Received: HTTP/1.1 200 OK

--------------------------------------------------------------------
Information From Target:
Service: 443:TCP
MS-SQL-style database, SQL SET / WHERE
Response time:
1 seconds normal response
16 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/process.html HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Content-length: 518
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_session_id=ongV2b9t&mv_doit=refresh&mv_orderpage=ord%2Fbasket&mv_nextpage=index&quantity0=0&quantity0=1&quantity1=0&quantity1=1&quantity2=0&quantity2=1&quantity3=0&quantity3=1&quantity4=0&quantity4=1&quantity5=0&quantity5=1&quantity6=0&quantity6=1&%5C%27mv_click_map%5C%27=%5C%27Check_Out%5C%27&%5C%27mv_click_Check_Out%5C%27=%5C%27%5C%27&mv_click=Check+Out&zip=123&%5C%27mv_click_map%5C%27=%5C%27Check_Shipping%5C%27&%5C%27mv_click_Check_Shipping%5C%27=%5C%27%5C%27&mv_click=x")%20waitf

---------------------------------------------------------------------
Information From Target:
Service: 443:TCP
MS-SQL-style database, SQL SET / WHERE
Response time:
1 seconds normal response
15 seconds executing injected delay
0 seconds executing injected non-delay
15 seconds executing injected delay again
Sent:
POST /cgi-bin/cart/ord/next_step.html?id=ongV2b9t HTTP/1.0
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Content-length: 341
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: MV_SESSION_ID=PC9Bp9yf:207.198.99.27

mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123
Received: HTTP/1.1 200 OK
-----------------------------------------------------------------------

Re: SQL Injection?
On 09/24/2014 05:26 PM, Bob Puff wrote:
> I've corrected all the [sql ... entries in my cart, but yet I cannot find
> where mv_click or the search stuff is done, that is reported below. I've
> looked in all the pages, and in all the templates. Where do I find this?
>
> search.html, process.html, and next_step.html are all files that don't
> actually exist. mv_failpage - how does that even hit a SQL query?

http://interchange.rtfm.info/icdocs/Special_form_variables.html
http://interchange.rtfm.info/icdocs/Interchange_form_actions.html


Peter

Re: SQL Injection?
Quoting Bob Puff (bob@nleaudio.com):
> Hi Guys,
>
> I've corrected all the [sql ... entries in my cart, but yet I cannot find
> where mv_click or the search stuff is done, that is reported below. I've
> looked in all the pages, and in all the templates. Where do I find this?
>
> search.html, process.html, and next_step.html are all files that don't
> actually exist. mv_failpage - how does that even hit a SQL query?

Did you look in etc/profiles.* or include/profiles? You appear
to be using an old module, CGI::Imagemap. That is used along with
mv_click_map to map IC actions to an image map.

If you have shell access, grep is your friend.

grep -rl Check.Out *
grep -rl Check.Shipping *

That will tell you where in files you might find actions named "Check
Out" and "Check Shipping" which are defined in your mv_click_map. If
the above is very slow you can try:

grep -rl Check.Out catalog.cfg etc/ include/ pages/ variables/ templates/

(You can do the same sort of thing from the Admin tab of the IC admin interface,
using the file search function.)


--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.253.4194 <mike@perusion.com>

I used to think the whole world stank. Then I found out I had poop
on my mustache. -- Anonymous

Re: SQL Injection?
Peter and Mike: thanks for the reply. Yes, I have grepped all around, and
have fixed the few sql queries I did find. But what is still escaping me is
in this list of parameters:

> mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123

I cannot find where there is a SQL statement that has mv_search_field in it,
so that I can filter it. This one though obviously is a parameter for a SQL
statement. Do I need to look inside /usr/local/interchange?

But this one:

> mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123

They have done their insertion into mv_nextpage, which I would think would
never hit the SQL, as that is internally used by IC. I could see it if it were
like city or state, which does get inserted into the database, but mv_nextpage?

Bob


Re: SQL Injection?
On 09/25/2014 03:18 AM, Bob Puff wrote:
> mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123

That looks like you have a syntax error in some perl, an improperly
terminated quote or something because you have perl code in your
mv_search_field and that's wrong.

> mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123

Again, the same thing, mv_failpage looks like some quoted text is
improperly terminated and there's stuff in it that should not be.


Peter
