iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability

 Name              iScripts MultiCart
 Vendor            http://www.iscripts.com
 Versions Affected 2.2

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-03-07

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION

iScripts  MultiCart  2.2 is a unique online shopping cart
solution  that  enables  you  to  have one storefront and
multiple  vendors  for physical or digital (downloadable) 
products.


II. DESCRIPTION

The  solution adopted to avoid SQL Injection flaws is not
appropriate.   This  allows  the  existence  of  many SQL 
Injection flaws.


III. ANALYSIS

Summary:

 A) Multiple SQL Injection
 

A) Multiple SQL Injection

The  solution adopted  consists in transforming the query
string in uppercase and  checking  the  existence  of the
words UNION and SELECT.  But using the C-like comments in
the query string, it is possible to bypass the filter.
Example:

SELECT becomes SE/**/LE/**/CT
UNION  becomes UN/**/ION

The new strings do not match with  the words in the black
list but they are good for MySQL.
The following is the affected code (session.php):

$mystring = strtoupper($_SERVER['QUERY_STRING']);
$server_injec1=strpos($mystring, 'SELECT');
$server_injec2=strpos($mystring, 'UNION');

if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0')) 
{
	;
}//end if
else
{
	header('location:index.php');
	exit();
}


IV. SAMPLE CODE

A) Multiple SQL Injection

http://site/path/refund_request.php?orderid=SQL


V. FIX

No Fix.