/    Sign up×
Community /Pin to ProfileBookmark

MySQL Database Error Disclosure Vulnerability

Copy linkTweet thisAlerts:
Feb 27.2012

Hello my mcafee secure gave me a MySQL Database Error Disclosure Vulnerability error found in this code i installed here is the code in question maybe someone can help me find a fix for it thanks

pfrom=From
pto=To
refine=Refine+your+results
categories_id=334
search_in_description=1
subsearch=0
max_pages=x%27%3B%22%2C%29%60

THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

The following is an acceptable solution however it is not optimal.

Implement content parsing on data input fields including URL parameters.

Remove the following characters from any user or dynamic database input: (examples in VBScript)

‘ (escape the single quote) input = replace( input, “‘”, “”” )
” (double quote) input = replace( input, “”””, “” )
) (close parenthesis) input = replace( input, “)”, “” )
( (open parenthesis) input = replace( input, “(“, “” )
; (semi-colon) input = replace( input, “;”, “” )
– (dash) input = replace( input, “-“, “” )
| (pipe) input = replace( input, “|”, “” )

On text input it is recommended to append quotes around the user supplied input.

Please contact ScanAlert Support if you need further instructions.

to post a comment
PHP

3 Comments(s)

Copy linkTweet thisAlerts:
@maxtorsauthorFeb 27.2012 — [CODE]<?php require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ADVANCED_SEARCH); ?>

<script language="javascript" src="includes/general.js"></script>
<script language="javascript" src="includes/jquery1.2.6.js"></script>
<script language="javascript">
<!--
function check_form() {
var error_message = "<?php echo JS_ERROR; ?>";
var error_found = false;
var error_field;
var keywords = document.adv_filter.refine.value;
var pfrom = document.adv_filter.pfrom.value;
var pto = document.adv_filter.pto.value;
var pfrom_float;
var pto_float;

if (((keywords == '') || (keywords.length < 1)) && ((pfrom == '') || (pfrom.length < 1)) && ((pto == '') || (pto.length < 1))) {
error_message = error_message + "* <?php echo ERROR_AT_LEAST_ONE_INPUT; ?>n";
error_field = document.advanced_search.keywords;
error_found = true;
}

if (pfrom.length > 0) {
pfrom_float = parseFloat(pfrom);
if (isNaN(pfrom_float)) {
error_message = error_message + "* <?php echo ERROR_PRICE_FROM_MUST_BE_NUM; ?>n";
error_field = document.advanced_search.pfrom;
error_found = true;
}
} else {
pfrom_float = 0;
}

if (pto.length > 0) {
pto_float = parseFloat(pto);
if (isNaN(pto_float)) {
error_message = error_message + "* <?php echo ERROR_PRICE_TO_MUST_BE_NUM; ?>n";
error_field = document.advanced_search.pto;
error_found = true;
}
} else {
pto_float = 0;
}

if ((pfrom.length > 0) && (pto.length > 0)) {
if ((!isNaN(pfrom_float)) && (!isNaN(pto_float)) && (pto_float < pfrom_float)) {
error_message = error_message + "* <?php echo ERROR_PRICE_TO_LESS_THAN_PRICE_FROM; ?>n";
error_field = document.advanced_search.pto;
error_found = true;
}
}

if (error_found == true) {
alert(error_message);
error_field.focus();
return false;
} else {
return true;
}
}

function popupWindow(url) {
window.open(url,'popupWindow','toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=yes,resizable=yes,copyhistory=no,width=450,height=280,screenX=150,screenY=150,top=150,left=150')
}

//Search Box controls
$(document).ready( function() { searchBox(); } );

function searchBox() {
$("#refine").focus( function() {
if(this.value=='<?php echo REFINE_RESULTS; ?>') {
this.value='';
} } );
$("#subsearch").click(
function() {
if($("#refine").val()=='<?php echo REFINE_RESULTS; ?>') {
$("#refine").val('');
} } );
$("#refine").blur(
function() {
if(this.value=='') {
this.value='<?php echo REFINE_RESULTS; ?>';
}; } );
$("#pfrom").focus( function() {
if(this.value=='<?=PRICE_FROM?>') {
this.value='';
} } );
$("#subsearch").click(
function() {
if($("#pfrom").val()=='<?=PRICE_FROM?>') {
$("#pfrom").val('');
} } );
$("#pfrom").blur(
function() {
if(this.value=='') {
this.value='<?=PRICE_FROM?>';
}; } );
$("#pto").focus( function() {
if(this.value=='<?=PRICE_TO?>') {
this.value='';
} } );
$("#subsearch").click(
function() {
if($("#pto").val()=='<?=PRICE_TO?>') {
$("#pto").val('');
} } );
$("#pto").blur(
function() {
if(this.value=='') {
this.value='<?=PRICE_TO?>';
}; } );
}

//-->
</script>
<?php

$hold_max_pages = MAX_DISPLAY_SEARCH_RESULTS;

if ($HTTP_POST_VARS['max_pages']) {
$hold_max_pages = $HTTP_POST_VARS['max_pages'];
} else {
$hold_max_pages = MAX_DISPLAY_SEARCH_RESULTS;
}

$error = false;

if ( (isset($HTTP_POST_VARS['refine']) && empty($HTTP_POST_VARS['refine'])) &&
(isset($HTTP_POST_VARS['pfrom']) && !is_numeric($HTTP_POST_VARS['pfrom'])) &&
(isset($HTTP_POST_VARS['pto']) && !is_numeric($HTTP_POST_VARS['pto'])) ) {
$error = true;

$messageStack->add_session('search', ERROR_AT_LEAST_ONE_INPUT);
} else {
$pfrom = '';
$pto = '';
$keywords = '';

if (isset($HTTP_POST_VARS['pfrom']) && $HTTP_POST_VARS['pfrom'] !== PRICE_FROM) {
$pfrom = $HTTP_POST_VARS['pfrom'];
}

if (isset($HTTP_POST_VARS['pto']) && $HTTP_POST_VARS['pto'] !== PRICE_TO) {
$pto = $HTTP_POST_VARS['pto'];
}

if (isset($HTTP_POST_VARS['refine']) && $HTTP_POST_VARS['refine'] !== REFINE_RESULTS) {
$keywords = $HTTP_POST_VARS['refine'];
}

$price_check_error = false;
if (tep_not_null($pfrom)) {
if (!settype($pfrom, 'double')) {
$error = true;
$price_check_error = true;

$messageStack->add_session('search', ERROR_PRICE_FROM_MUST_BE_NUM);
}
}

if (tep_not_null($pto)) {
if (!settype($pto, 'double')) {
$error = true;
$price_check_error = true;

$messageStack->add_session('search', ERROR_PRICE_TO_MUST_BE_NUM);
}
}

if (($price_check_error == false) && is_float($pfrom) && is_float($pto)) {
if ($pfrom >= $pto) {
$error = true;

$messageStack->add_session('search', ERROR_PRICE_TO_LESS_THAN_PRICE_FROM);
}
}

if (tep_not_null($keywords)) {
if (!tep_parse_search_string($keywords, $search_keywords)) {
$error = true;

$messageStack->add_session('search', ERROR_INVALID_KEYWORDS);
}
}
}

if (empty($pfrom) && empty($pto) && empty($keywords)) {
$error = true;

$messageStack->add_session('search', ERROR_AT_LEAST_ONE_INPUT);
}

if ((isset($HTTP_POST_VARS['refine']) && (!empty($HTTP_POST_VARS['refine']) || ($HTTP_POST_VARS['refine'] !== REFINE_RESULTS))) ||
(isset($HTTP_POST_VARS['pfrom']) && is_numeric($HTTP_POST_VARS['pfrom'])) ||
(isset($HTTP_POST_VARS['pto']) && is_numeric($HTTP_POST_VARS['pto']))) {[/CODE]
Copy linkTweet thisAlerts:
@maxtorsauthorFeb 27.2012 — [CODE]// create column list
$define_list = array('PRODUCT_LIST_MODEL' => PRODUCT_LIST_MODEL,
'PRODUCT_LIST_NAME' => PRODUCT_LIST_NAME,
'PRODUCT_LIST_MANUFACTURER' => PRODUCT_LIST_MANUFACTURER,
'PRODUCT_LIST_PRICE' => PRODUCT_LIST_PRICE,
'PRODUCT_LIST_QUANTITY' => PRODUCT_LIST_QUANTITY,
'PRODUCT_LIST_WEIGHT' => PRODUCT_LIST_WEIGHT,
'PRODUCT_LIST_IMAGE' => PRODUCT_LIST_IMAGE,
'PRODUCT_LIST_BUY_NOW' => PRODUCT_LIST_BUY_NOW);

asort($define_list);

$column_list = array();
reset($define_list);
while (list($key, $value) = each($define_list)) {
if ($value > 0) $column_list[] = $key;
}

$select_column_list = '';

for ($i=0, $n=sizeof($column_list); $i<$n; $i++) {
switch ($column_list[$i]) {
case 'PRODUCT_LIST_MODEL':
$select_column_list .= 'p.products_model, ';
break;
case 'PRODUCT_LIST_MANUFACTURER':
$select_column_list .= 'm.manufacturers_name, ';
break;
case 'PRODUCT_LIST_QUANTITY':
$select_column_list .= 'p.products_quantity, ';
break;
case 'PRODUCT_LIST_IMAGE':
$select_column_list .= 'p.products_image, ';
break;
case 'PRODUCT_LIST_WEIGHT':
$select_column_list .= 'p.products_weight, ';
break;
}
}

$select_str = "select distinct " . $select_column_list . " m.manufacturers_id, p.products_id, pd.products_name, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price ";

if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
$select_str .= ", SUM(tr.tax_rate) as tax_rate ";
}

$from_str = "from ((" . TABLE_PRODUCTS . " p) left join " . TABLE_MANUFACTURERS . " m using(manufacturers_id), " . TABLE_PRODUCTS_DESCRIPTION . " pd) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_CATEGORIES . " c, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c";

if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
if (!tep_session_is_registered('customer_country_id')) {
$customer_country_id = STORE_COUNTRY;
$customer_zone_id = STORE_ZONE;
}
$from_str .= " left join " . TABLE_TAX_RATES . " tr on p.products_tax_class_id = tr.tax_class_id left join " . TABLE_ZONES_TO_GEO_ZONES . " gz on tr.tax_zone_id = gz.geo_zone_id and (gz.zone_country_id is null or gz.zone_country_id = '0' or gz.zone_country_id = '" . (int)$customer_country_id . "') and (gz.zone_id is null or gz.zone_id = '0' or gz.zone_id = '" . (int)$customer_zone_id . "')";
}

$where_str = " where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id ";

if (isset($HTTP_POST_VARS['categories_id']) && tep_not_null($HTTP_POST_VARS['categories_id'])) {
if (isset($HTTP_POST_VARS['inc_subcat']) && ($HTTP_POST_VARS['inc_subcat'] == '1')) {
$subcategories_array = array();
tep_get_subcategories($subcategories_array, $HTTP_POST_VARS['categories_id']);

$where_str .= " and p2c.products_id = p.products_id and p2c.products_id = pd.products_id and (p2c.categories_id = '" . (int)$HTTP_POST_VARS['categories_id'] . "'";

for ($i=0, $n=sizeof($subcategories_array); $i<$n; $i++ ) {
$where_str .= " or p2c.categories_id = '" . (int)$subcategories_array[$i] . "'";
}

$where_str .= ")";
} else {
$where_str .= " and p2c.products_id = p.products_id and p2c.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$HTTP_POST_VARS['categories_id'] . "'";
}
}

if (isset($HTTP_POST_VARS['manufacturers_id']) && tep_not_null($HTTP_POST_VARS['manufacturers_id'])) {
$where_str .= " and m.manufacturers_id = '" . (int)$HTTP_POST_VARS['manufacturers_id'] . "'";
}

if (isset($search_keywords) && (sizeof($search_keywords) > 0)) {
$where_str .= " and (";
for ($i=0, $n=sizeof($search_keywords); $i<$n; $i++ ) {
switch ($search_keywords[$i]) {
case '(':
case ')':
case 'and':
case 'or':
$where_str .= " " . $search_keywords[$i] . " ";
break;
default:
$keyword = tep_db_prepare_input($search_keywords[$i]);
$where_str .= "(pd.products_name like '%" . tep_db_input($keyword) . "%' or p.products_model like '%" . tep_db_input($keyword) . "%' or m.manufacturers_name like '%" . tep_db_input($keyword) . "%'";
if (isset($HTTP_POST_VARS['search_in_description']) && ($HTTP_POST_VARS['search_in_description'] == '1')) $where_str .= " or pd.products_description like '%" . tep_db_input($keyword) . "%'";
$where_str .= ')';
break;
}
}
$where_str .= " )";
}

if (tep_not_null($pfrom)) {
if ($currencies->is_set($currency)) {
$rate = $currencies->get_value($currency);

$pfrom = $pfrom / $rate;
}
}

if (tep_not_null($pto)) {
if (isset($rate)) {
$pto = $pto / $rate;
}
}

if (DISPLAY_PRICE_WITH_TAX == 'true') {
if ($pfrom > 0) $where_str .= " and (IF(s.status, s.specials_new_products_price, p.products_price) * if(gz.geo_zone_id is null, 1, 1 + (tr.tax_rate / 100) ) >= " . (double)$pfrom . ")";
if ($pto > 0) $where_str .= " and (IF(s.status, s.specials_new_products_price, p.products_price) * if(gz.geo_zone_id is null, 1, 1 + (tr.tax_rate / 100) ) <= " . (double)$pto . ")";
} else {
if ($pfrom > 0) $where_str .= " and (IF(s.status, s.specials_new_products_price, p.products_price) >= " . (double)$pfrom . ")";
if ($pto > 0) $where_str .= " and (IF(s.status, s.specials_new_products_price, p.products_price) <= " . (double)$pto . ")";
}

if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
$where_str .= " group by p.products_id, tr.tax_priority";
}

if ( (!isset($HTTP_POST_VARS['sort'])) || (!ereg('[1-8][ad]', $HTTP_POST_VARS['sort'])) || (substr($HTTP_POST_VARS['sort'], 0, 1) > sizeof($column_list)) ) {
for ($i=0, $n=sizeof($column_list); $i<$n; $i++) {
if ($column_list[$i] == 'PRODUCT_LIST_NAME') {
$HTTP_POST_VARS['sort'] = $i+1 . 'a';
$order_str = ' order by pd.products_name';
break;
}
}
} else {
$sort_col = substr($HTTP_POST_VARS['sort'], 0 , 1);
$sort_order = substr($HTTP_POST_VARS['sort'], 1);
$order_str = ' order by ';
switch ($column_list[$sort_col-1]) {
case 'PRODUCT_LIST_MODEL':
$order_str .= "p.products_model " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
break;
case 'PRODUCT_LIST_NAME':
$order_str .= "pd.products_name " . ($sort_order == 'd' ? "desc" : "");
break;
case 'PRODUCT_LIST_MANUFACTURER':
$order_str .= "m.manufacturers_name " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
break;
case 'PRODUCT_LIST_QUANTITY':
$order_str .= "p.products_quantity " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
break;
case 'PRODUCT_LIST_IMAGE':
$order_str .= "pd.products_name";
break;
case 'PRODUCT_LIST_WEIGHT':
$order_str .= "p.products_weight " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
break;
case 'PRODUCT_LIST_PRICE':
$order_str .= "final_price " . ($sort_order == 'd' ? "desc" : "") . ", pd.products_name";
break;
}
}

$listing_sql = $select_str . $from_str . $where_str . $order_str;

}

$listing_split = new splitPageResults($listing_sql, $hold_max_pages, 'p.products_id');

if (($listing_split->number_of_rows > 0) && ((PREV_NEXT_BAR_LOCATION == '1') || (PREV_NEXT_BAR_LOCATION == '3'))) { ?>

<div class="infoBoxContents" style="padding:0.5em; text-align:center;">
<form name="filter" action="<?php echo tep_href_link(basename($PHP_SELF),tep_get_all_get_params(array('pfrom', 'pto', 'refine', 'page', 'info', 'x', 'y', 'manufacturers_id'))); ?>" method="post">
<label for="pfrom" class="fieldKey"><?=PRICE_RANGE?></label>
<input id="pfrom" name="pfrom" value="<?=PRICE_FROM?>" class="fieldValue" style="width:5em" /> -
<input id="pto" name="pto" value="<?=PRICE_TO?>" class="fieldValue" style="width:5em" />
<input id="refine" type='text' name='refine' value="<?=REFINE_RESULTS?>" style='width:42%;' class="fieldValue" />
<?php echo tep_draw_hidden_field('categories_id', (int)$current_category_id) . tep_draw_hidden_field('search_in_description', '1') . tep_image_submit('button_search.gif', IMAGE_BUTTON_SEARCH, "id='subsearch' name='subsearch' style='margin:0 5px;'"); ?>
<div style="display:inline-block; width:49%; margin: 0.5em 0; text-align:center;">
<?php[/CODE]
Copy linkTweet thisAlerts:
@maxtorsauthorFeb 27.2012 — [CODE]// optional Product List Filter
if (PRODUCT_LIST_FILTER > 0) {
$filterlist_sql = "select distinct m.manufacturers_id as id, m.manufacturers_name as name from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c, " . TABLE_MANUFACTURERS . " m where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and p.products_id = p2c.products_id and p2c.categories_id = '" . (int)$current_category_id . "' order by m.manufacturers_name";

$filterlist_query = tep_db_query($filterlist_sql);

if (tep_db_num_rows($filterlist_query) > 1) {

echo tep_draw_hidden_field('cPath', $cPath);
$options = array(array('id' => '', 'text' => TEXT_ALL_MANUFACTURERS));

echo tep_draw_hidden_field('sort', $HTTP_POST_VARS['sort']);

while ($filterlist = tep_db_fetch_array($filterlist_query)) {
$options[] = array('id' => $filterlist['id'], 'text' => $filterlist['name']);
}

echo tep_draw_pull_down_menu('manufacturers_id', $options, (isset($HTTP_POST_VARS['manufacturers_id']) ? $HTTP_POST_VARS['manufacturers_id'] : ''), 'onchange="this.form.submit()"');
}
}
?>
</div><div style="display:inline-block; width:49%; margin: 0.5em 0; text-align:center;">
<?php
$all = $listing_split->number_of_rows;

$page_options = array(array('id' => $hold_max_pages, 'text' => sprintf(SHOWING_RESULTS, $hold_max_pages)));
$page_options[] = array('id' => $all, 'text' => sprintf(SHOW_RESULTS, 'All') . " ($all)");
$page_options[] = array('id' => 5, 'text' => sprintf(SHOW_RESULTS, 5));
$page_options[] = array('id' => 15, 'text' => sprintf(SHOW_RESULTS, 15));
$page_options[] = array('id' => 25, 'text' => sprintf(SHOW_RESULTS, 25));
$page_options[] = array('id' => 50, 'text' => sprintf(SHOW_RESULTS, 50));

echo tep_hide_session_id();
echo tep_draw_pull_down_menu('max_pages', $page_options, '', 'onchange="this.form.submit()"');
?>
</div>
</form>
<div>
<?php
// Sort columns by ??? You may need to rearrange the numbers in order of your columns in product listing
echo SORT_BY . tep_create_sort_heading($HTTP_GET_VARS['sort'], 1, TABLE_HEADING_MODEL) . '&nbsp;|&nbsp;' .
tep_create_sort_heading($HTTP_GET_VARS['sort'], 4, TABLE_HEADING_PRODUCTS) . '&nbsp;|&nbsp;' .
tep_create_sort_heading($HTTP_GET_VARS['sort'], 2, TABLE_HEADING_MANUFACTURER) . '&nbsp;|&nbsp;' .
tep_create_sort_heading($HTTP_GET_VARS['sort'], 5, TABLE_HEADING_PRICE);
?>
</div>
</div>
<div class="smallText" style="display:inline-block; width:49%;"><?php echo $listing_split->display_count(TEXT_DISPLAY_NUMBER_OF_PRODUCTS); ?></div>
<div class="smallText" style="display:inline-block; width:49%; text-align:right;"><?php echo TEXT_RESULT_PAGE . ' ' . $listing_split->display_links(MAX_DISPLAY_PAGE_LINKS, tep_get_all_get_params(array('page', 'info', 'x', 'y'))); ?></div>
<?php } ?>
[/CODE]
×

Success!

Help @maxtors spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 6.17,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @nearjob,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,
)...