On Sunday 21 January 2007 13:45, saps.audit@xxxxxxxxx wrote:

> vendor site: http://fishcart.org/
> product: fish cart
> bug: injection sql
> risk: medium
>
> injection sql:
> /display.php?cartid=200701210157208&zid=1&lid=1&olimit=5&cat=&key1=&nlst=y&olst='[sql]
>
> ( change the cartid value with yours )
> laurent gaffie
> http://s-a-p.ca/
> contact: saps.audit@xxxxxxxxx

The developers were never notified before this was posted. Had the poster exercised this simple courtesy he would have found that this is not an SQL injection error. A perusal of the open source shows that the olst parameter used in the above URL is never used in an SQL statement.

This was in fact a latent condition turned up by the 'nlst' and 'olst' parameters being active simultaneously, a condition not normally seen in FishCart. Artificially setting both active resulted in an inconsistent SQL query and thus a reported SQL error. There was never an SQL injection error here.

This is similar to the last erroneous FishCart SQL injection bug, bugtraq ID 13499 of May 4, 2005, reported by 'dcrab', in which an artificially constructed URL not normally occurring in FishCart operation was posted. That URL tripped a condition that resulted in an SQL error due to an inconsistent SQL statement, not an SQL injection error as reported. There never was an SQL injection then. dcrab did not notify the developers in advance either.

FishCart has long filtered parameters to avoid SQL injection errors and similar sorts of bugs. The hardening fix for the dcrab report was immediately added to source when reported. The hardening fix for this report is now committed to CVS, and the impending 3.2 release will of course have the fix as well.

-- 
Michael Brennen
President, FishNet(R), Inc.
Professional Internet Services
972.669.0041