VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Problems and bugs
 Google getting into database & shows private detai
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 12 2009 :  02:51:28  Show Profile  Reply with Quote
I'm using VPASP 4.5.
I installed it in 2003 and it's been running faultless. Back then I did some re-coding - mostly from suggestions from this forum.

In recent months, Google (and possibly others) have been showing our customers full order details - credit card # expiry, address and everything needed for fraud.

Ok, you will say "delete your orders". I agree, but this will mean monitoring 24/7, which the e-shop owner is not prepared to pay the wages for.

I haven't seen this problem in web searches, so I don't believe it to be a VPASP V4.5 coding problem, nor the more invasive Google trawling. Somewhere in our mdb database or my coding 6 years ago, I've set up a problem that suits modern searching seeking.

Clearly, I can't give away the website. But please look at the this picture, which shows as a product, but I can't find it in our VPASP cart.

Peculiar features are:
- No part number
- Price of $5-, as we have no product in our mdb costing $5-
- Quantity drop down. We have not enabled that facility.
- Words of "submit query", which is a link to nowhere.
- Description of "4". I cannot find any product in the cdesription field of "4"

Image can be found here:

http://imgcash3.imageshack.us/img9/7141/exampleofvpasp45problemfh2.th.jpg

Cheers and thanks in advance.


Australian Made by Mum, and proud of it :-)

support
Administrator

4266 Posts

Posted - February 12 2009 :  02:57:16  Show Profile  Visit support's Homepage  Reply with Quote
Hello there,

This is indeed a very strange issue.

If you can submit full details of this issue to our helpdesk at https://helpdesk.vpasp.com , our support member will assist you with this.

Thank you.

Regards,
Frank
VP-ASP Support
Go to Top of Page

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 12 2009 :  23:02:38  Show Profile  Reply with Quote
Thanks Frank. I've done just that. I would have gone straight to support but thought that 6 years on since we bought V 3.5 we didn't have any left.

Glad I chose VPASP all those years back.

Australian Made by Mum, and proud of it :-)
Go to Top of Page

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 13 2009 :  03:33:47  Show Profile  Reply with Quote
Have had a very quick response from the Support team. I'm appreciative.

Support has advised this is an SQL injection affecting us.

I've replied that we use an Microsoft Access MDB file and asked if the the same SQL query is compatible with an MDB database.

My simple knowledge is that SQL and MDB (2000) are different.

I've narrowed down our problem to, what seems, in a field in our Products table, where the subcategory is a set number of 58 - which we assigned to a group of parts for sale.

Whatever is happening, unprocessed orders are being converted to products in the field mentioned above, available on the internet. Whilst we have placed a Robots.txt file in our root directory to ask reputable crawlers to leave our cart alone, and have submitted to Google to remove caches of our customers details, we cannot stop the initial URL from showing unprocessed orders. VPASP Support's advice seems to show this is inevitable.

I just can't reconcile an SQL query being the same as a proprietry brand product of MS Access being prone to the same query. Spank me if I am wrong.

Excluding our specific URL for security reasons, this is the URL used.

http://www.anydomaininAustralia.com.au/Shopping/shopdisplayproducts.asp?id=58%20union%20select%201%20,2,ocardtype%2B%27/%27%2Bocardno...............

I would shut down the shopping cart if I had the ownership. I don't have that permission. Also, I don't want to spend hundred multiples of hours upgrading and modifying code once again to our needs. The money is good, but my family is better value.

Our needs do not stem from VPASP as the Chief. We have a hierarchy of a separate MDB file, where information is gathered, then dispersed, via bridges I have built, to be bulk imported into VPASP, MYOB and HTML price lists.

I'm hoping that someone has had similar problems and, given I think I've narrowed it down to a field in our Products table may be able to help. Crikes, I've noticed that the table is capitalised, where all other table are lower-case. Agggh.

Regards
Aussie



Australian Made by Mum, and proud of it :-)
Go to Top of Page

THeVerve
VP-ASP New User

117 Posts

Posted - February 13 2009 :  03:43:43  Show Profile  Reply with Quote
From the URL you posted above, that's 100% SQL injection. Using MS Access does not make you immune to SQL injection. Sql injection can happen on mysql,access,sql server, etc etc etc etc.
Go to Top of Page

madbug
VP-ASP New User

130 Posts

Posted - February 13 2009 :  03:50:36  Show Profile  Reply with Quote

Yes is definitely a SQL injection issue.

Go to Top of Page

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 13 2009 :  04:05:40  Show Profile  Reply with Quote
Thanks Verve:
You said..."Using MS Access does not make you immune to SQL injection. Sql injection can happen on mysql,access,sql server, etc etc etc etc."

I need more agreeance that an SQL injection affects the databases you said. And why does hasn't this problem appeared before in the 000's of VPASP 4.5 using a MS Access 2000 mdb?

I need something conclusive to say it is a fault with our manipulation of the original mdb or asp coding, or that affects all VPASP 4.5 products using an Access mdb file?

Appreciative of any help, for this great product that has served me well for 6 years, until now.

Aussie



Australian Made by Mum, and proud of it :-)
Go to Top of Page

THeVerve
VP-ASP New User

117 Posts

Posted - February 13 2009 :  04:17:01  Show Profile  Reply with Quote
You don't have this problem before probably because the hacker had not found your site. It's just a matter of time before someone found a site, scan for vulnerabilities with their hacking script and exploit it.

I would say sql injection can happen on old or unpatched version of the shopping cart. I just noticed from your first post you are using 4.50. This is probably the reason why the attack works on your site since 4.50 is quite old and probably has a lot of security problem. Is 4.50 still supported by vpasp even ?

I manage several 6.50 sites and have yet to hear of any sql injection attack on any of them.
Go to Top of Page

devshb
Senior Member

United Kingdom
1898 Posts

Posted - February 13 2009 :  05:54:28  Show Profile  Visit devshb's Homepage  Reply with Quote
Take a look at the "resources" links from our sister site, which explains the various types of injection/infection in detail:

http://www.sqlinjectionscanner.com/

Then grab the free scanner (download free version), which is an asp-based sql injection data checker (ie it checks for possible xss/injected values in your data) and which works on all types of databases - you'll get redirected automatically to our other sister site, bigyellowkey.com to grab/download the actual software.

As per the postings above, access isn't immune to injections/attacks, but generally hackers don't bother to attack access sites as much as sqlserver. Note that because of xss attacks, hackers can still manage to do things like adding keylogger installations to people's pcs when attacking access sites (I don't want to explain how for obvious reasons, but be assured that hackers can quite easily use indirect methods to inject/infect access sites)

If you want to take your site down, take a look at:
http://www.sqlinjectionscanner.com/asp_site_suspender.html

It stops anyone else from being able to open any of your vpasp files with the flip of a switch, but it also uses a pwd override so that you can still access anything.

Also, bear in mind that if the hacker can physically update a product value in the database (directly or indirectly) via a loophole in the code, that means that they can do absolutely anything they want to anything in the database, including changing config values (which hackers often do), or doing various other things so they can see everyone else's order details. By using different combinations of hacks they can, in the end, get everyone's card details and orders.

So I guess my advice if you see a genuine hack (ie a data value has been physically changed by a hacker), then that'd be much more serious than just an xss attack as it's direct injection (usually), and if that happens I'd shut the site down until the loophole's fixed.

Grab/run the free scanner, but also check your config values; if any of your config values have been changed then alarm bells should be ringing in the site owner's mind and it's time to shut the site down before anything else happens.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on February 13 2009 06:21:08
Go to Top of Page

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 14 2009 :  00:40:39  Show Profile  Reply with Quote
I've had good yak with the owner and we will be upgrading to 6.5. RIP a 6 year 3000 product cart that worked perfectly.

I've absorbed all that has been written. I'm very appreciative. It was what you blokes had written, along with VPASP support's words, that when read to the owner, convinced him to upgrade.

Now to play with that sqlinjection scanner.

AussieBoy1958


Australian Made by Mum, and proud of it :-)
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000