Potential SQL Injection in AbleCommerce 5

Version: AbleCommerce 5.x Asp.Net and AbleCommerce 5.x CFMX

Severity: Critical (potentially)

Applies to: All Versions

Release Date:  8/28/2008




Recently, a few AbleCommerce stores have been under attack by a new SQL injection worm circulating the internet.  The worm is targeting scripted pages that are posting information to an MS-SQL database.  So, any page that has a field where input can be entered, is a potential problem source.  

For AbleCommerce stores, the attack has mainly targeted older versions of AbleCommerce 5.2 and 5.5.  If you have been keeping your store updated with all the latest patches and updates, then you should be fine.  However, holes can still exist, either in a customization or a store template that wasn’t part of a core upgrade.  Therefore, AbleCommerce has released a global solution which can easily remedy any potential injection attacks.  The fix is quick and will prevent any harm to your store.  

Pick the applicable fix above, download the fix and open the readme.txt for further instructions.  

IMPORTANT:  ALL AbleCommerce 5.x stores should be patched because of the potential seriousness of this issue.  A successful intrusion attempt can disable your database, bring down your store, and worse, infect your users.


What is an SQL injection attack?

SQL injection is also know as cross-site scripting.  The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without checking for malicious script tags.

The target of cross-site scripting attacks is not the server itself, but the user files on the server, such as forms and other dynamic content. All a malicious attacker needs to do is find a page that does not properly sanitize user input, but returns the scripting code verbatim to the browser of a visitor to that website. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.  


How do I know if my store has been attacked?

If an attack is successful, there would be links to malicious javascript inserted into the text fields of your database.  This in turn, can be displayed on your website and potentially harm your users' computers.

The SQL injection can scan all the tables in the database so it might be difficult to know what data has been corrupted.  We have had reports of the STORES table being injected with bad code and this would immediately shut down your store.  Other reports have included the COUNTRIES table and USERS table.  Unfortunately, there is no one table to look at so the easiest detection will be to look at your website logs.

You will want to search for something like this:

DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b…


What should I do if my database has been corrupted?

  • First, you should apply the AbleCommerce patch right away so any further attacks can be prevented.  We have found that once the worm finds it's way into your database, it won't stop.

  • Next, you will need to clean your data of any malicious javascript.  It should be obvious where the code has been appended to your existing data.  It might look something like this:


    Depending on your ability to find and update SQL databases, this task will be different for everyone.  You can also restore a backup of the database that is known to be clean.


Testing for Vulnerabilities

If you have custom pages and you want to make sure they are protected with the patch, you can try this quick test:

Make a URL to your website where you will be swapping out the pieces with your domain, path, and page in question.

e.g.   http://www.server.url/path/page.aspx

Now, append the URL with the following so it looks something like this:

(due to formatting issues on this page, you'll need to remove the extra line breaks so it is a single string)



If the file is protected, then you should receive the message "Invalid Request"

Any pages outside of the AbleCommerce program should be checked.  This is your responsibility.

The general solution is to HTML encode data before sending it to the browser.  There are many services on the internet which can help.


How do I get more information?

Here are a couple websites that we found to be helpful.  You can also search for 'sql injection' on google.com