Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: AFCommerce Shopping Cart
From: contact () afcommerce com
Date: 20 Jul 2006 00:16:20 -0000

Hi, thank you for reporting this problem. I am Paul, the author of the software, so I would like to do everything 
possible to correct this issue. The free version of my software is not open source, and not that the encryption is 
protecting it very well, I'm sure a good hacker could crack the encryption, but the point is to not let the security 
features be readable to everyone, so hopefully it will lessen problems like this. 

Ok, so with that said, I tested the classic 'or 1=1 on my demo store, and nothing was returned. It said no matching 
results, so are you sure this worked for you ? I know I am not perfect in any way so I will always look in to this 
stuff, but when I first read your post I was confused because I attacked my own site for hours checking for that exact 
kind of attack. 

I don't like to publicly post too much info about how and why I set things up, as to not give anyone any ideas on how 
to attack my software, but the search feature (I thought) would not be attackable. Now since you did it already, I may 
be wrong, but I do not use the keywords inside the sql statement. For example, I do not use anything like: select * 
from products where name = 'userinputvariable'. I have some security functions set up to clean user input, if you know 
the software, its afc_secure_string_POST. In the search script, I use that function for all input EXCEPT the keywords, 
but that is because the keywords are not used at all in sql statements (actually none of the input is). Basically, I 
break the keywords down in to separate words (explode by spaces), then I do my own sql select statements (without any 
user input at all) and simply check to see if the words match. There is more to my search than that, but for this topic 
that is all that matters. So if someone were
  to type in any sql injection code, that code would never be queried. Your 'or 1=1 would simply be stored in an array, 
in your example it would consider it 2 different words (if you didn't use the space it would be one keyword), but the 
only time that word would be used is in a substr_count statement, which can not do any damage. If this problem does 
exist, please report back what i am missing from your comment, but since it did not work for me just now, and also 
since the keywords never hit an sql statement, at this point I will disagree with you. Also make sure you did this on 
my current demo store, which uses version 2.5. I know that version 1 sucked as far as validation was concerned. I first 
released the code just to see if anyone would use it, so it was done quickly, but after I had a small following, I 
added a whole bunch of security features in version 2, and validated EVERYTHING (I hope). Feel free to mess with my 
demo store, http://crinicart.com , just please do no
 t attack my server or do any damage. As for now, I see your comments as helping the project find holes, which is 
great, I do want it to be perfect. So if you find something I will be more than willing to listen, just please do not 
do any damage to prove a point. Its not necessary since I will try out anything that comes up.

Your second point about the reviews, I am about to test that now. With this, you are probably correct. I had more 
validation in there, but people complain when I did that because they couldn't add html. I though text only was fine, 
but I wanted to make people happy. I am probably going to take out all < and > symbols. It does check for normal php 
tags, but I guess someone could still use a script html tag for php attacks. So since it currently allows html I agree 
someone could deface the site, but only when reading the attacked review, and since most users do not use that feature, 
I didn't see it as a big deal. Also, the review is escaped with mysql_real_escape_string and a few other things. the 
only way this could be perfect is to strip all html tags, and that was already in my mind to do.

I'd like to hear what you think, as well as, anyone else with an opinion about your comments (and mine). If a problem 
is found, it will be fixed the next day, but its tough to be the only developer of software used by many people because 
I get all kinds of developers telling me something is written poorly just to feel better about themselves. You sound 
like you know what you are talking about, so I took your comments seriously. If you are correct, like I said I will fix 
it and thank you. If you are not, I would like to clear it up so my users do not become scared, or hurt my 
creditibility.

Thank you,
Paul Crinigan


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]