Al Brookbanks
Posted November 23, 2004

Hello,

CC 2.0.2 has been released today which fixes possible SQL Injection and/or path disclosure in its predecessor. Please download this here: CubeCart 2.0.2

Upgrade instructions are provided within the download package and outlined below:
Al Brookbanks (Author)
Posted November 23, 2004

##################################################
###### UPGRADE FROM CubeCart 2.0.1 to 2.0.2 ######
##################################################

This update fixes some important security issues which may otherwise lead to MySQL Injection or Server Path Disclosure.

Upgrade instructions: Please follow the instructions outlined below.
Estimated time: 5 mins to 1 hr depending on experience and upgrade method.

If you have a version of CubeCart which has no modifications, simply overwrite the files on your server with the ones listed below. If you are a licensed customer, please edit admin/settings.inc.php manually as outlined below.

IMPORTANT: A MANUAL UPDATE MAY TAKE UP TO ONE HOUR DEPENDING ON EXPERIENCE. IF YOU HAVE LIMITED TIME, PLEASE USE QUICK FIX METHOD (A) AND THEN DO A COMPLETE UPGRADE AT YOUR CONVENIENCE (RECOMMENDED FIX METHOD (B)). See below.

PLEASE REPORT ANY BUGS RELATED TO THIS UPGRADE FILE TO [email protected] AT THE FIRST OPPORTUNITY.

#################################
## START OF QUICK FIX METHOD (A)
#################################

Files to edit:
1. index.php

///////////////////////////////
// Open index.php
////////

At around line 169 find:
+----------------------------------------------------
$sql_select = mysql_query( "SELECT * FROM ".$prefix."store_category where cat_father_id = $cat_id order by $cat_order");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$sql_select = mysql_query( "SELECT * FROM ".$prefix."store_category where cat_father_id = '$cat_id' order by $cat_order");
+----------------------------------------------------

#################################
## END OF QUICK FIX METHOD
#################################

#################################
## START OF RECOMMENDED FIX METHOD (B)
#################################

Files to edit:
1. admin/settings.inc.php
2. index.php
3. view_product.php
4. tellafriend.php
5. view_cart.php
6. ver.php
7. login.php

##################################################
###### START OF MANUAL UPGRADE INSTRUCTIONS ######
##################################################

///////////////////////////////
// Open admin/settings.inc.php
////////

At around line 246 find:
+----------------------------------------------------
?>
+----------------------------------------------------

Replace with:
+----------------------------------------------------
// Escapes a request value (unless magic_quotes already did) and casts it
// according to $type; empty values become the string "NULL".
function cleanData($variable, $type, $theDefinedValue = "", $theNotDefinedValue = "") {
  $variable = (!get_magic_quotes_gpc()) ? addslashes($variable) : $variable;
  switch ($type) {
    case "text":
      $variable = ($variable != "") ? $variable : "NULL";
      break;
    case "long":
    case "int":
      $variable = ($variable != "") ? intval($variable) : "NULL";
      break;
    case "double":
      $variable = ($variable != "") ? doubleval($variable) : "NULL";
      break;
    case "date":
      $variable = ($variable != "") ? $variable : "NULL";
      break;
    case "defined":
      // Returns one of two caller-supplied values depending on whether the input is set
      $variable = ($variable != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $variable;
}
?>
+----------------------------------------------------

///////////////////////////////
// Open view_doc.php
////////

At around line 42 find:
+----------------------------------------------------
$sql = "select doc_name,doc_content from ".$prefix."store_docs where doc_id='$view_doc'";
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$sql = "select doc_name,doc_content from ".$prefix."store_docs where doc_id=".cleanData($view_doc,"int");
+----------------------------------------------------

///////////////////////////////
// Open index.php
////////

At around line 154 find:
+----------------------------------------------------
$sql_select = mysql_query( "SELECT * FROM ".$prefix."store_category where cat_id='$cat_id' order by $cat_order");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$sql_select = mysql_query( "SELECT * FROM ".$prefix."store_category where cat_id='".cleanData($cat_id,"int")."' order by ".cleanData($cat_order,"text"));
+----------------------------------------------------

At around line 169 find:
+----------------------------------------------------
$sql_select = mysql_query( "SELECT * FROM ".$prefix."store_category where cat_father_id = $cat_id order by $cat_order");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$sql_select = mysql_query( "SELECT * FROM ".$prefix."store_category where cat_father_id = '".cleanData($cat_id,"int")."' order by ".cleanData($cat_order,"text"));
+----------------------------------------------------

Find at around line 242:
+----------------------------------------------------
$query_count = " SELECT * FROM ".$prefix."store_inventory where cat_id='$cat_id' order by $prod_order";
+----------------------------------------------------

Change to:
+----------------------------------------------------
$query_count = " SELECT * FROM ".$prefix."store_inventory where cat_id='".cleanData($cat_id,"int")."' order by ".cleanData($prod_order,"text");
+----------------------------------------------------

Find at around line 251:
+----------------------------------------------------
$query = "SELECT * FROM ".$prefix."store_inventory where cat_id='$cat_id' order by $prod_order LIMIT $limitvalue, $limit";
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$query = "SELECT * FROM ".$prefix."store_inventory where cat_id='".cleanData($cat_id,"int")."' order by ".cleanData($prod_order,"text")." LIMIT ".$limitvalue.", ".cleanData($limit,"int");
+----------------------------------------------------

///////////////////////////////
// Open view_product.php
////////

Find at around line 52:
+----------------------------------------------------
$select_prod = mysql_query( "SELECT * FROM ".$prefix."store_inventory WHERE product='$product'");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$select_prod = mysql_query( "SELECT * FROM ".$prefix."store_inventory WHERE product='".cleanData($product,"text")."'");
+----------------------------------------------------

Find at around line 77:
+----------------------------------------------------
$sql_update = "update ".$prefix."store_inventory set popularity='$new_pop' where product='$product';";
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$sql_update = "update ".$prefix."store_inventory set popularity='$new_pop' where product='".cleanData($product,"text")."'";
+----------------------------------------------------

Find at around line 84:
+----------------------------------------------------
$select_cat = mysql_query( "SELECT * FROM ".$prefix."store_category WHERE cat_id='$cat_id'");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$select_cat = mysql_query( "SELECT * FROM ".$prefix."store_category WHERE cat_id='".cleanData($cat_id,"int")."'");
+----------------------------------------------------

///////////////////////////////
// Open file tellafriend.php
////////

At around line 45 find:
+----------------------------------------------------
$select = mysql_query ("select * from ".$prefix."store_inventory where product='$product'");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$select = mysql_query ("select * from ".$prefix."store_inventory where product='".cleanData($product,"text")."'");
+----------------------------------------------------

///////////////////////////////
// Open file view_cart.php
////////

At around line 48:
+----------------------------------------------------
$result = mysql_query("SELECT * FROM ".$prefix."store_inventory WHERE product='$add'");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$result = mysql_query("SELECT * FROM ".$prefix."store_inventory WHERE product='".cleanData($add,"text")."'");
+----------------------------------------------------

Find at around line 94:
+----------------------------------------------------
$result = mysql_query("SELECT * FROM ".$prefix."store_inventory WHERE product='$remove'");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$result = mysql_query("SELECT * FROM ".$prefix."store_inventory WHERE product='".cleanData($remove,"text")."'");
+----------------------------------------------------

Find at about line 128:
+----------------------------------------------------
mysql_query( "DELETE FROM ".$prefix."store_shopping WHERE session='$session' AND id='$prod_id'");
+----------------------------------------------------

Replace with:
+----------------------------------------------------
mysql_query( "DELETE FROM ".$prefix."store_shopping WHERE session='".cleanData($session,"text")."' AND id='".cleanData($prod_id,"text")."'");
+----------------------------------------------------

///////////////////////////////
// Open ver.php
////////

At around line 2 find:
+----------------------------------------------------
$estore_ver="2.0.1";
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$estore_ver="2.0.2";
+----------------------------------------------------

///////////////////////////////
// Open login.php
////////

At around line 35 find:
+----------------------------------------------------
if ($email && $password)
+----------------------------------------------------

Replace with:
+----------------------------------------------------
if ($_POST['email'] && $_POST['password'])
+----------------------------------------------------

At around line 39 find:
+----------------------------------------------------
$query = "select * from ".$prefix."store_customer where email='$email' and password=('$passwd')";
+----------------------------------------------------

Replace with:
+----------------------------------------------------
$query = "select * from ".$prefix."store_customer where email='".cleanData($_POST['email'],"text")."' and password=('$passwd')";
+----------------------------------------------------

#################################
## END OF RECOMMENDED FIX METHOD (B)
#################################
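As an added example (not part of the post above or of CubeCart), the cleanData() logic from the upgrade rewritten for PHP 7.4+/8, applied to two of the queries it patches, plus a hypothetical safeOrder() allowlist for the ORDER BY position, which is outside quotes in those queries and so is not covered by addslashes(); the request values, table prefix and column list are constructed.

```php
<?php
// Added example, not CubeCart code. cleanData() keeps the post's semantics:
// escape with addslashes() (get_magic_quotes_gpc() is gone in modern PHP, so
// that branch always runs), cast by $type, and return "NULL" for empty input.
// safeOrder() is a hypothetical helper for the unquoted ORDER BY column.
function cleanData($variable, $type, $theDefinedValue = "", $theNotDefinedValue = "")
{
    $variable = addslashes((string) $variable);
    if ($variable === "") {
        return ($type === "defined") ? $theNotDefinedValue : "NULL";
    }
    switch ($type) {
        case "long":
        case "int":     return intval($variable);      // "12abc" -> 12
        case "double":  return doubleval($variable);
        case "defined": return $theDefinedValue;
        default:        return $variable;              // "text" and "date": escaped string
    }
}
// A known column name plus optional ASC/DESC passes; anything else falls
// back to the default sort instead of being escaped.
function safeOrder($order, array $allowedColumns, $default)
{
    $parts = preg_split('/\s+/', trim((string) $order));
    $dir = strtoupper($parts[1] ?? 'ASC');
    if (count($parts) > 2 || !in_array($parts[0], $allowedColumns, true)
        || !in_array($dir, ['ASC', 'DESC'], true)) {
        return $default;
    }
    return $parts[0] . ' ' . $dir;
}
// Constructed request values standing in for $_GET.
$prefix = "cc_";
$requests = [
    ["cat_id" => "12abc", "cat_order" => "cat_name DESC",        "product" => "Widget"],
    ["cat_id" => "",      "cat_order" => "popularity",           "product" => "O'Reilly"],
    ["cat_id" => "7",     "cat_order" => "cat_name ASC, cat_id", "product" => ""],
];
foreach ($requests as $r) {
    // index.php category listing (line 169 in the upgrade), ORDER BY allowlisted
    echo "SELECT * FROM " . $prefix . "store_category where cat_father_id = '"
       . cleanData($r["cat_id"], "int") . "' order by "
       . safeOrder($r["cat_order"], ["cat_name", "cat_id"], "cat_name ASC"), PHP_EOL;
    // view_product.php lookup (line 52 in the upgrade), quoted text value
    echo "SELECT * FROM " . $prefix . "store_inventory WHERE product='"
       . cleanData($r["product"], "text") . "'", PHP_EOL;
}
```

The second request shows the quote in O'Reilly escaped and the unknown column "popularity" replaced by the default sort; the third shows an empty product becoming the string NULL inside the quotes, exactly as the original cleanData() behaves.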