CS-Cart 2.0.5 SQL Injection

` Bonsai Information Security - Advisory  
http://www.bonsai-sec.com/research/  
  
SQL Injection in CS-Cart  
  
  
1. *Advisory Information*  
  
Title: SQL Injection in CS-Cart  
Advisory ID: BONSAI-2009-0100  
Advisory URL: http://www.bonsai-sec.com/research/vulnerabilities/cs-cart_SQL-injection-0100.txt  
Date published: 2009-08-04  
Vendors contacted: CS-Cart  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: SQL Injection  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE Name: CVE-2009-2579  
  
  
3. *Software Description*  
  
CS-Cart is an "out of the box" ecommerce software solution with  
easy-to-use functionality that  
allows to start selling online immediately. Its feature set fits into  
businesses of any size, from  
a small single-product shop to a fully-featured online storefront [0].  
  
  
4. *Vulnerability Description*  
  
SQL injection is a code injection technique that exploits a security  
vulnerability occurring in the  
database layer of an application. The vulnerability is present when  
user input is either  
incorrectly filtered for string literal escape characters embedded in  
SQL statements or user input  
is not strongly typed and thereby unexpectedly executed.  
  
For additional information, please look at references [1] and [2].  
  
  
5. *Vulnerable packages*  
  
Version <= 2.0.5  
  
  
6. *Non-vulnerable packages*  
  
CS-Cart developers informed us that all users should upgrade to the  
latest version of CS-Cart,  
(CS-Cart 2.0.6) which fixes this vulnerability. More information to be  
found here:  
http://kb2.simtech/how-to-upgrade  
  
  
7. *Credits*  
  
This vulnerability was discovered by Ryan Dewhurst ( ryan -at- bonsai-sec.com ).  
  
  
8. *Technical Description*  
  
A SQL injection vulnerability was found in the reward_points.post.php  
script, more specifically in  
the $sort_order variable. The vulnerability can be triggered by  
logging into CS-Cart and browsing to:  
  
/index.php?dispatch=reward_points.userlog&result_ids=pagination_contents&sort_by=timestamp&sort_order='  
  
Which will generate a syntax error in the database. The following is  
the corresponding piece of code:  
  
reward_points.post.php:69  
$userlog = db_get_array("SELECT change_id, action, timestamp, amount,  
reason FROM  
?:reward_point_changes WHERE user_id = ?i  
ORDER BY $sort_by $sort_order  
$limit", $user_id);  
  
More information about how to exploit this SQL injection vulnerability can be  
found at Bonsai's blog [3]  
  
  
9. *Report Timeline*  
  
- 2009-07-06:  
Bonsai notifies CS-Cart team of the vulnerability. Technical details  
are sent to the developers.  
  
- 2009-07-09:  
CS-Cart acknowledges and fixes vulnerability, setting release date of  
the upgrade to 15 July 2009.  
  
- 2009-08-04:  
The advisory BONSAI-2009-0100 is published.  
  
  
10. *References*  
  
[0] http://www.cs-cart.com/  
[1] http://www.owasp.org/index.php/SQL_injection  
[2] http://en.wikipedia.org/wiki/SQL_injection  
[3] http://www.bonsai-sec.com/blog/  
  
11. *About Bonsai*  
  
Bonsai is a company involved in providing professional computer  
information security services.  
Currently a sound growth company, since its foundation in early 2009  
in Buenos Aires, Argentina,  
we are fully committed to quality service, and focused on our  
customers’ real needs.  
  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2009 Bonsai  
Information Security, and may be  
distributed freely provided that no fee is charged for this  
distribution and proper credit is  
given.  
`