Re: AFCommerce Shopping Cart
Hi, thank you for reporting this problem. I am Paul, the author of the
software, so I would like to do everything possible to correct this issue. The
free version of my software is not open source, and not that the encryption is
protecting it very well (I'm sure a good hacker could crack the encryption), but
the point is to not let the security features be readable to everyone, so
hopefully it will lessen problems like this.
Ok, so with that said, I tested the classic 'or 1=1 on my demo store, and
nothing was returned. It said no matching results, so are you sure this worked
for you? I know I am not perfect in any way so I will always look into this
stuff, but when I first read your post I was confused because I attacked my own
site for hours checking for that exact kind of attack.
I don't like to publicly post too much info about how and why I set things up,
as to not give anyone any ideas on how to attack my software, but the search
feature (I thought) would not be attackable. Now since you did it already, I
may be wrong, but I do not use the keywords inside the SQL statement. For
example, I do not use anything like: select * from products where name =
'userinputvariable'. I have some security functions set up to clean user input,
if you know the software, it's afc_secure_string_POST. In the search script, I
use that function for all input EXCEPT the keywords, but that is because the
keywords are not used at all in SQL statements (actually none of the input is).
Basically, I break the keywords down into separate words (explode by spaces),
then I do my own SQL select statements (without any user input at all) and
simply check to see if the words match. There is more to my search than that,
but for this topic that is all that matters. So if someone were
to type in any SQL injection code, that code would never be queried. Your 'or
1=1 would simply be stored in an array, in your example it would consider it 2
different words (if you didn't use the space it would be one keyword), but the
only time that word would be used is in a substr_count statement, which can not
do any damage. If this problem does exist, please report back what I am missing
from your comment, but since it did not work for me just now, and also since
the keywords never hit an SQL statement, at this point I will disagree with
you. Also make sure you did this on my current demo store, which uses version
2.5. I know that version 1 sucked as far as validation was concerned. I first
released the code just to see if anyone would use it, so it was done quickly,
but after I had a small following, I added a whole bunch of security features
in version 2, and validated EVERYTHING (I hope). Feel free to mess with my demo
store, http://crinicart.com , just please do not attack my server or do any
damage. As for now, I see your comments as
helping the project find holes, which is great, I do want it to be perfect. So
if you find something I will be more than willing to listen, just please do not
do any damage to prove a point. It's not necessary since I will try out anything
that comes up.
Your second point about the reviews, I am about to test that now. With this,
you are probably correct. I had more validation in there, but people complained
when I did that because they couldn't add HTML. I thought text only was fine,
but I wanted to make people happy. I am probably going to take out all < and >
symbols. It does check for normal PHP tags, but I guess someone could still use
a script HTML tag for PHP attacks. So since it currently allows HTML I agree
someone could deface the site, but only when reading the attacked review, and
since most users do not use that feature, I didn't see it as a big deal. Also,
the review is escaped with mysql_real_escape_string and a few other things. The
only way this could be perfect is to strip all HTML tags, and that was already
in my mind to do.
I'd like to hear what you think, as well as anyone else with an opinion about
your comments (and mine). If a problem is found, it will be fixed the next day,
but it's tough to be the only developer of software used by many people because
I get all kinds of developers telling me something is written poorly just to
feel better about themselves. You sound like you know what you are talking
about, so I took your comments seriously. If you are correct, like I said I
will fix it and thank you. If you are not, I would like to clear it up so my
users do not become scared, or hurt my credibility.
Thank you,
Paul Crinigan
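The review point above turns on the difference between escaping for the database and escaping for the browser. The following added example (not AFCommerce code; the function names and the sample review are constructed for illustration) shows that a mysql_real_escape_string-style escape leaves HTML tags intact, while encoding or stripping the tags at output time is what actually neutralises a script tag in a stored review.

```php
<?php
// Added example, not part of AFCommerce. Function names are hypothetical.

// Stand-in for storage-side escaping: mysql_real_escape_string() needs a live
// connection, so addslashes() is used here. Both only quote characters that
// matter to SQL; neither touches HTML. (Prepared statements are the modern
// replacement for either.)
function escape_for_storage(string $review): string {
    return addslashes($review);
}

// Output-side defence: encode < > & " ' so the browser renders the review as
// literal text instead of parsing it as markup.
function escape_for_html(string $review): string {
    return htmlspecialchars($review, ENT_QUOTES, 'UTF-8');
}

// The "strip all tags" option discussed in the thread. Note that passing an
// allow-list to strip_tags() keeps attributes of the allowed tags untouched,
// so stripping everything is the simpler, safer choice for a review field.
function strip_review_tags(string $review): string {
    return strip_tags($review);
}

// Rough check: does the text still contain something a browser would treat
// as the start of an element?
function contains_markup(string $text): bool {
    return (bool) preg_match('/<\s*\/?\s*[a-z]/i', $text);
}

// Constructed sample review: harmless formatting, an apostrophe that SQL
// escaping cares about, and an injected script element.
$review = "Great cart! <b>Fast</b> <script>alert('xss')</script> O'Brien";

foreach ([
    'storage-escaped' => escape_for_storage($review),
    'html-encoded'    => escape_for_html($review),
    'tags-stripped'   => strip_review_tags($review),
] as $label => $text) {
    printf("%-16s markup=%s  %s\n",
        $label, contains_markup($text) ? 'yes' : 'no', $text);
}
```

Only the storage-escaped variant still carries markup, which is why escaping on the way into MySQL does not by itself prevent a stored review from defacing the page that displays it.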