
Thread: Discussion: MySQL Security in OSCMAX

  1. #1
    red_fraggle
    Guest


    Discussion: MySQL Security in OSCMAX

    We might as well start a discussion on several security related issues as they pertain to OSCMAX and MySQL.

    We all know that OSCMAX is not PCI compliant since MySQL injection is possible with this application due to form data not being properly sanitized before any query is run to the database. This enables arbitrary injection of MySQL queries by hackers.

    Specifically, OSCMAX appears to be vulnerable to the standard database error disclosure vulnerability, which allows an attacker to output database-specific errors in the application. These give them the database version in use and further allow them to inject database syntax that would let them extract data.

    The single best fix for this is to change the database queries in OSCMAX to use parameterized queries, or stored procedures, or at the least to escape all user-supplied input. All three of these methods would effectively prevent MySQL injection attacks on OSCMAX as an application and, at least for "escaping user-supplied input", are relatively easy to implement.

    There is a database encoder specifically written for MySQL (MySQL CODEC) being maintained by the ESAPI project; you can find info about it here: Category:OWASP Enterprise Security API - OWASP. It is part of the OWASP Enterprise Security API. It is simple to implement, as it requires only a small change to the form queries in OSCMAX.

    I would really like to know what you, Michael, think about this issue, what plans are being devised to tighten security in OSCMAX, and whether you think the ESAPI route is the way to correct this issue.

    As it stands now OSCMAX cannot be certified PCI compliant due to these issues.




    For reference:

    MySQL Database Error Disclosure Vulnerability
    Port: 80
    First Detected: 19-JUN-2009 09:46
    Category: Database
    Protocol: Other
    Fix Difficulty: Medium
    Impact: SQL Injection
    Description
    During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to output errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data. The information gathered from the specific error responses generated using various input validation techniques by the web application scanner has determined the remote host may be running a MySQL database.

    Confidential - McAfee Security Audit Report Page 8
    The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via webapp may cause a database to generate an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access.

    This is not an exhaustive test and has not identified all of the forms and variables that may be affected by this vulnerability.

    CVSS 5.0

    Solution
    THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

    The following is an acceptable solution however it is not optimal.
    Implement content parsing on data input fields including URL parameters.
    Remove the following characters from any user or dynamic database input (examples in VBScript):
      ' (single quote; escape it):  input = replace( input, "'", "''" )
      " (double quote):             input = replace( input, """", "" )
      ) (close parenthesis):        input = replace( input, ")", "" )
      ( (open parenthesis):         input = replace( input, "(", "" )
      ; (semi-colon):               input = replace( input, ";", "" )
      - (dash):                     input = replace( input, "-", "" )
      | (pipe):                     input = replace( input, "|", "" )
    On text input it is recommended to append quotes around the user supplied input.

    Detail
    Protocol: http
    Port: 80
    Read Timeout: 10000
    Method: POST
    Path: /shopping_cart.php
    Query: action=update_product
    Headers:
      Referer=http%3A%2F%2Fwww.testeddomain.com%3A80%2Fshopping_cart.php
      Cookie=osCsid%cookiesessionidnumber
      Cookie=webmailrelogin%3Dno
      Content-Type=application%2Fx-www-form-urlencoded
    Body:
      cart_delete[]=120
      cart_quantity[]=1
      products_id[]=x';",)`

    Links
    SQL Injection Prevention Cheat Sheet



    Sincerely,
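The following is an added example, not osCmax code and not from the post above, showing what the scanner's products_id[] probe does to a query built by string concatenation (including the database error that ends up on the page) and the two fixes this thread and the scan report recommend: a parameterized query, and a whitelist of acceptable input that rejects everything else. It uses an in-memory SQLite table standing in for MySQL; osCmax itself is PHP, where the equivalent of the bound parameter is a mysqli or PDO prepared statement. The products table layout, the sample rows, and the "<pid>{<option>}<value>" product-id format are assumptions made for the example.

```python
"""Added example (not osCmax code): SQL injection through a cart product id,
the error disclosure the scanner observed, and the two fixes."""
import re
import sqlite3


def make_db():
    """Constructed sample table; the real osCmax schema is not reproduced."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_price REAL)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)", [(120, 9.99), (121, 19.99), (122, 4.50)]
    )
    return conn


# The value the scanner sent as products_id[] in the report above, plus a
# classic tautology payload for comparison.
SCANNER_PROBE = "x';\",)`"
TAUTOLOGY = "0' OR '1'='1"


def lookup_vulnerable(conn, products_id):
    """Query built by string concatenation, the pattern the scanner flags.
    Returns the matching rows, or the raw database error text; echoing that
    text back to the browser is the 'database error disclosure' finding."""
    sql = ("SELECT products_id, products_price FROM products "
           "WHERE products_id = '%s'" % products_id)
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "DB ERROR: %s" % exc


def lookup_parameterized(conn, products_id):
    """Fix 1: bind the value as a parameter, so the driver never lets it
    become part of the SQL syntax."""
    sql = "SELECT products_id, products_price FROM products WHERE products_id = ?"
    return conn.execute(sql, (products_id,)).fetchall()


# Assumption: osCommerce-family carts encode a product plus its chosen
# attributes as "<pid>{<option_id>}<value_id>...", e.g. "120{6}12".  Anything
# that does not match is rejected outright, which is the scanner's "identify
# the acceptable input and reject the rest" advice.
UPRID_RE = re.compile(r"\d+(\{\d+\}\d+)*")


def validate_uprid(value):
    """Whitelist check on the shape of a product id; raises on anything else."""
    if not isinstance(value, str) or UPRID_RE.fullmatch(value) is None:
        raise ValueError("rejected products_id: %r" % (value,))
    return value


def base_product_id(uprid):
    """The numeric product id in front of any {option}value suffix."""
    return int(uprid.split("{", 1)[0])


def lookup_hardened(conn, products_id):
    """Fix 2 on top of fix 1: validate the input's shape, then bind the
    integer, so even a logic-level payload never reaches the query."""
    pid = base_product_id(validate_uprid(products_id))
    sql = "SELECT products_id, products_price FROM products WHERE products_id = ?"
    return conn.execute(sql, (pid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("120", "120{6}12", TAUTOLOGY, SCANNER_PROBE):
        print("vulnerable    %-16r -> %r" % (value, lookup_vulnerable(db, value)))
        print("parameterized %-16r -> %r" % (value, lookup_parameterized(db, value)))
        try:
            print("hardened      %-16r -> %r" % (value, lookup_hardened(db, value)))
        except ValueError as exc:
            print("hardened      %-16r -> %s" % (value, exc))
```

Run it and the concatenated query returns every product for the tautology and a database error for the scanner's probe, which is exactly the behaviour the scan report describes; the parameterized query returns no rows for both, and the whitelist rejects both before any SQL is built. Note that the scanner's own "remove these characters" suggestion is the weakest of the three options: stripping quotes and parentheses does not help against a purely numeric context such as `WHERE products_id = ` with no quotes, whereas a bound parameter or a strict whitelist does.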

  2. #2
    Dranoel
    Guest


    Re: Discussion: MySQL Security in OSCMAX

    How did this post not get any love? Or, has this topic been covered and I missed the TPS report?

    I would like to have any tips/software patches that could better protect our web site.

  3. #3
    red_fraggle
    Guest


    Re: Discussion: MySQL Security in OSCMAX

    Good question, I'm not sure how it's not been answered myself....

  4. #4
    michael_s
    osCMax Developer

    Re: Discussion: MySQL Security in OSCMAX

    I have several shops running osCMax and ALL are scanned and certified as PCI compliant by McAfee. I have no problems maintaining compliance, so perhaps it is your scanning service?

    If you are concerned about alleviating any non-compliance that your scan service is hitting you with, there is a simple mod that adds wholesale input/output filtering across the board written by FWR media. It is in the addons.oscommerce.com site.

    Send me a method to reproduce the issue via pm and I will attempt to reproduce and track down the issue, but I have not had any actual reports of non-compliance from the two scanning services that I use to test osCMax daily.
    Michael Sasek

    osCmax 2.5.4 is now available via auto-installation using Softaculous!

    Stay Up To Date with everything osCMax:
    osCmax on Twitter - Up to the minute info as it happens. Know it first.

    osCmax Documentation

  5. #5
    red_fraggle
    Guest


    Re: Discussion: MySQL Security in OSCMAX

    Michael,

    I'm not trying to call names or anything. Really, I love your cart, always have, and really am interested in making it the best possible cart out there.

    Try to also remember that we are a hosting company, and that we host hundreds upon hundreds of OSCMAX shops. Every customer we have, regardless of the server they are on, and regardless of the scan company used (ScanAlert or McAfee), has the same issues.

    OSCMAX appears to be vulnerable to MySQL disclosure vulnerabilities allowing the hacker to determine the version of MySQL in use, which also allows the insertion of arbitrary code.

    In an effort to fix this for our customers, we are willing to do anything we can to work with you. The servers the customers are on are certified PCI compliant already before they are ever put into production use, and therefore any failures are at an application layer.

    I will contact ScanAlert and McAfee and have them send me a specific test routine that can be used to duplicate the issue, and perhaps we can solve this together.


    Sincerely,

  6. #6
    michael_s
    osCMax Developer

    Re: Discussion: MySQL Security in OSCMAX

    Like I said, PM me the specific exploit (McAfee will usually provide you with a test in their admin interface in the issue report) and I will test/reproduce and patch if necessary.

    According to my daily McAfee scans, no such vulnerability exists in osCMax, so I am at a loss as to what this could be, since my osCMax sites are all certified PCI compliant by McAfee.
    Michael Sasek

    osCmax 2.5.4 is now available via auto-installation using Softaculous!

    Stay Up To Date with everything osCMax:
    osCmax on Twitter - Up to the minute info as it happens. Know it first.

    osCmax Documentation

  7. #7
    Dranoel
    Guest


    Re: Discussion: MySQL Security in OSCMAX

    Not to add fuel to the fire, but found this article. It is a year old story. Check the video:
    McAfee 'Hacker Safe' cert sheds more cred - The Register

    I went to their site hoping they had a free scanner for me to test, but no luck.
