iScripts MultiCart 2.2 SQL Injection

06 Jul 2010 00:00:00 | Reported by Salvatore Fresta | Type: packetstorm | Source: packetstormsecurity.com

iScripts MultiCart 2.2 SQL Injection vulnerability in online shopping cart solution

Code
`iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability  
  
Name iScripts MultiCart  
Vendor http://www.iscripts.com  
Versions Affected 2.2  
  
Author Salvatore Fresta aka Drosophila  
Website http://www.salvatorefresta.net  
Contact salvatorefresta [at] gmail [dot] com  
Date 2010-03-07  
  
X. INDEX  
  
I. ABOUT THE APPLICATION  
II. DESCRIPTION  
III. ANALYSIS  
IV. SAMPLE CODE  
V. FIX  
  
  
I. ABOUT THE APPLICATION  
  
iScripts MultiCart 2.2 is a unique online shopping cart  
solution that enables you to have one storefront and  
multiple vendors for physical or digital (downloadable)   
products.  
  
  
II. DESCRIPTION  
  
The filter the application uses to prevent SQL Injection  
is not adequate. As a result, many SQL Injection flaws  
remain in the application.  
  
  
III. ANALYSIS  
  
Summary:  
  
A) Multiple SQL Injection  
  
  
A) Multiple SQL Injection  
  
The adopted solution converts the query string to  
uppercase and checks whether it contains the words UNION  
and SELECT. However, by placing C-style comments in the  
query string, it is possible to bypass the filter.  
Example:  
  
SELECT becomes SE/**/LE/**/CT  
UNION becomes UN/**/ION  
  
The resulting strings do not match the words in the  
blacklist, but MySQL still accepts them.  
The affected code (session.php) is the following:  
  
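// Blacklist check on the raw query string (affected code, shown as reported)  
$mystring = strtoupper($_SERVER['QUERY_STRING']);  
$server_injec1 = strpos($mystring, 'SELECT');  
$server_injec2 = strpos($mystring, 'UNION');  
  
// strpos() returns an int or false, so the === '0' comparisons never match  
if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0'))  
{  
    ; // neither keyword found: request continues  
}//end if  
else  
{  
    header('location:index.php');  
    exit();  
}  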
  
  
IV. SAMPLE CODE  
  
A) Multiple SQL Injection  
  
http://site/path/refund_request.php?orderid=SQL  
  
  
V. FIX  
  
No Fix.  
  
`
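The keyword check from session.php next to a type-validated, parameterized lookup for `orderid`, as an added example that is not code from the advisory or from iScripts. The `orders` table, its columns and the function names `blacklistAllows` and `findOrder` are hypothetical, and an in-memory SQLite database stands in for the application's MySQL database so the block runs offline.

```php
<?php
declare(strict_types=1);

// Behaviour-equivalent port of the session.php keyword check, kept only for comparison.
function blacklistAllows(string $queryString): bool
{
    $upper = strtoupper($queryString);
    return strpos($upper, 'SELECT') === false && strpos($upper, 'UNION') === false;
}

// Hardened lookup: allow-list the expected type, then bind the value as data.
// Table and column names are hypothetical, not taken from the application.
function findOrder(PDO $db, string $rawOrderId): ?array
{
    // Accept 1 to 10 decimal digits only; anything else is rejected before SQL is built.
    if (preg_match('/\A[0-9]{1,10}\z/', $rawOrderId) !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, status FROM orders WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawOrderId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data; SQLite in memory is an assumption made for a runnable demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)');
$db->exec("INSERT INTO orders (id, status) VALUES (1001, 'shipped')");

// Constructed inputs: a normal id, and the comment-split keywords quoted in the advisory.
$samples = ['1001', '1 UN/**/ION SE/**/LE/**/CT'];
foreach ($samples as $orderId) {
    printf(
        "%-28s blacklist=%-5s hardened=%s\n",
        $orderId,
        blacklistAllows('orderid=' . $orderId) ? 'pass' : 'block',
        findOrder($db, $orderId) === null ? 'rejected' : 'found'
    );
}
```

Both inputs pass the keyword check, while the hardened lookup returns a row only for the numeric id and rejects the second input without sending it to the database.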
