Google getting into database & shows private detai
AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 12 2009 :  02:51:28
I'm using VPASP 4.5.
I installed it in 2003 and it's been running faultlessly. Back then I did some re-coding, mostly from suggestions from this forum.

In recent months, Google (and possibly others) have been showing our customers full order details - credit card # expiry, address and everything needed for fraud.

Ok, you will say "delete your orders". I agree, but this will mean monitoring 24/7, which the e-shop owner is not prepared to pay the wages for.

I haven't seen this problem in web searches, so I don't believe it to be a VPASP V4.5 coding problem, nor the more invasive Google trawling. Somewhere in our mdb database or my coding 6 years ago, I've set up a problem that suits modern searching seeking.

Clearly, I can't give away the website. But please look at this picture, which shows as a product, but I can't find it in our VPASP cart.

Peculiar features are:
- No part number
- Price of $5-, as we have no product in our mdb costing $5-
- Quantity drop down. We have not enabled that facility.
- Words of "submit query", which is a link to nowhere.
- Description of "4". I cannot find any product with "4" in the description field

Image can be found here:

http://imgcash3.imageshack.us/img9/7141/exampleofvpasp45problemfh2.th.jpg

Cheers and thanks in advance.


Australian Made by Mum, and proud of it :-)

support
Administrator

4679 Posts

Posted - February 12 2009 :  02:57:16
Hello there,

This is indeed a very strange issue.

If you can submit full details of this issue to our helpdesk at https://helpdesk.vpasp.com , our support member will assist you with this.

Thank you.

Regards,
Frank
VP-ASP Support

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 12 2009 :  23:02:38
Thanks Frank. I've done just that. I would have gone straight to support but thought that 6 years on since we bought V 3.5 we didn't have any left.

Glad I chose VPASP all those years back.

Australian Made by Mum, and proud of it :-)

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 13 2009 :  03:33:47
Have had a very quick response from the Support team. I'm appreciative.

Support has advised this is an SQL injection affecting us.

I've replied that we use a Microsoft Access MDB file and asked if the same SQL query is compatible with an MDB database.

My simple knowledge is that SQL and MDB (2000) are different.

I've narrowed down our problem to what seems to be a field in our Products table, where the subcategory is a set number of 58, which we assigned to a group of parts for sale.

Whatever is happening, unprocessed orders are being converted to products in the field mentioned above, available on the internet. Whilst we have placed a Robots.txt file in our root directory to ask reputable crawlers to leave our cart alone, and have submitted to Google to remove caches of our customers details, we cannot stop the initial URL from showing unprocessed orders. VPASP Support's advice seems to show this is inevitable.

I just can't reconcile an SQL query being the same as a proprietary brand product of MS Access being prone to the same query. Spank me if I am wrong.

Excluding our specific URL for security reasons, this is the URL used.

http://www.anydomaininAustralia.com.au/Shopping/shopdisplayproducts.asp?id=58%20union%20select%201%20,2,ocardtype%2B%27/%27%2Bocardno...............

I would shut down the shopping cart if I had the ownership. I don't have that permission. Also, I don't want to spend hundred multiples of hours upgrading and modifying code once again to our needs. The money is good, but my family is better value.

Our needs do not stem from VPASP as the Chief. We have a hierarchy of a separate MDB file, where information is gathered, then dispersed, via bridges I have built, to be bulk imported into VPASP, MYOB and HTML price lists.

I'm hoping that someone has had similar problems and, given I think I've narrowed it down to a field in our Products table, may be able to help. Crikes, I've noticed that the table is capitalised, where all other tables are lower-case. Agggh.

Regards
Aussie



Australian Made by Mum, and proud of it :-)
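Added example, not code from this thread or from VP-ASP: the request quoted in the post above is the kind of thing a site owner can pick out of the web server's own logs while the fix is being arranged. This script reads IIS W3C extended log lines, decodes the query string (percent-encoding such as %20 and %2B otherwise hides the keywords) and flags requests whose parameters contain SQL fragments that never belong in a numeric catalogue id. It assumes the log has a `#Fields:` header naming its columns and logs the query string in `cs-uri-query`; the three log lines, the IP addresses and the crafted query are constructed for the example.

```python
"""Flag injection-shaped requests in IIS W3C extended log lines.

Added example (not code from this thread or from VP-ASP). Assumptions: the
log carries a '#Fields:' header and logs the query string in cs-uri-query,
percent-encoded as IIS writes it. The sample lines below are constructed;
the client addresses are documentation ranges.
"""
import re
import urllib.parse

# Constructed sample log: two ordinary category lookups and one request
# shaped like the URL quoted in the thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2009-02-12 02:30:11 10.0.0.5 GET /Shopping/shopdisplayproducts.asp id=58 198.51.100.7 Mozilla/4.0 200
2009-02-12 02:31:45 10.0.0.5 GET /Shopping/shopdisplayproducts.asp id=58%20union%20select%201,2,ocardno%20from%20orders 203.0.113.9 Mozilla/4.0 200
2009-02-12 02:32:02 10.0.0.5 GET /Shopping/shopdisplayproducts.asp id=7 198.51.100.7 Mozilla/4.0 200
"""

# SQL fragments that have no business inside a numeric catalogue id. Matched
# against the *decoded* query so percent-encoding cannot hide them.
SUSPICIOUS = re.compile(
    r"\bunion\s+(all\s+)?select\b"        # the UNION-based read seen in the thread
    r"|'\s*or\s+'?\d"                     # tautology after a closing quote
    r"|;\s*(drop|exec|insert|update)\b",  # stacked statements
    re.IGNORECASE,
)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto the header; skip it
        yield dict(zip(fields, values))


def find_injection_attempts(text):
    """Return (client ip, uri stem, decoded query) for each suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        query = urllib.parse.unquote_plus(rec.get("cs-uri-query", "-"))
        if SUSPICIOUS.search(query):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query))
    return hits


def attempts_per_client(text):
    """Count suspicious requests per client address, useful for a block list."""
    counts = {}
    for ip, _stem, _query in find_injection_attempts(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, stem, query in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {stem}?{query}")
    print(attempts_per_client(SAMPLE_LOG))
```

Pointing `find_injection_attempts` at a real log file (read the file and pass its text) gives a per-request list of attempts with the source address, which is the evidence to hand to the host or to put behind an IP block while the cart is being fixed. Matching on the decoded query is the important detail: the log line as written contains only `%20union%20select`, which a plain text search for "union select" will miss.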

THeVerve
VP-CART New User

117 Posts

Posted - February 13 2009 :  03:43:43
From the URL you posted above, that's 100% SQL injection. Using MS Access does not make you immune to SQL injection. SQL injection can happen on MySQL, Access, SQL Server, etc etc etc etc.
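Added example, not code from this thread or from VP-ASP, to put the reply above in concrete terms: the injection works wherever the script builds its SQL by pasting the request's `id` value into the query text, and the engine that then runs that text (Access, SQL Server, MySQL) is beside the point. Python's sqlite3 module stands in for the Access .mdb here (an assumption made for the example); the tables, rows and query strings are constructed, with column names borrowed from the URL quoted earlier in the thread and placeholder card values.

```python
"""Vulnerable category lookup beside its parameterised form.

Added example (not code from this thread or from VP-ASP). Assumption:
sqlite3 stands in for the Access .mdb behind the classic ASP cart. Tables,
rows and query strings are constructed; card values are placeholders.
"""
import sqlite3
import urllib.parse


def build_demo_db():
    """Constructed catalogue and orders tables, the shape the thread's query targets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (catalogid INTEGER, ccategory INTEGER, cname TEXT);
        CREATE TABLE orders (orderid INTEGER, ocardtype TEXT, ocardno TEXT);
        INSERT INTO products VALUES (1, 58, 'Widget');
        INSERT INTO products VALUES (2, 58, 'Gadget');
        INSERT INTO orders VALUES (1001, 'VISA', 'PLACEHOLDER-CARD-1');
        INSERT INTO orders VALUES (1002, 'MC',   'PLACEHOLDER-CARD-2');
        """
    )
    return conn


def id_from_query_string(query):
    """Decode the 'id' value the way the web server hands it to the script."""
    return urllib.parse.parse_qs(query)["id"][0]


def products_by_category_vulnerable(conn, raw_id):
    """The pattern behind the symptom in the thread: the request value becomes
    part of the SQL text, so a value ending in a UNION clause extends the query
    to whatever table the attacker names."""
    sql = "SELECT catalogid, ccategory, cname FROM products WHERE ccategory = " + raw_id
    return conn.execute(sql).fetchall()


def products_by_category_safe(conn, raw_id):
    """Hardened form: insist on an integer, then bind it as a parameter so the
    value reaches the engine as data and is never parsed as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT catalogid, ccategory, cname FROM products WHERE ccategory = ?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed query strings: a normal lookup and one shaped like the thread's URL.
    normal = id_from_query_string("id=58")
    crafted = id_from_query_string("id=58%20union%20select%201,2,ocardno%20from%20orders")
    print("vulnerable, normal :", products_by_category_vulnerable(db, normal))
    print("vulnerable, crafted:", products_by_category_vulnerable(db, crafted))
    print("safe, normal       :", products_by_category_safe(db, normal))
    try:
        products_by_category_safe(db, crafted)
    except ValueError as err:
        print("safe, crafted      : rejected,", err)
```

Run it and the vulnerable function returns the two catalogue rows plus two rows pulled from `orders`, which is exactly the "product that is not in our cart" the first post describes; the parameterised function returns the same two catalogue rows for `58` and refuses the crafted value. The classic ASP counterpart of the safe form is an ADODB.Command with a parameter object appended to its Parameters collection, in place of string concatenation into the SQL text.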

madbug
VP-CART New User

130 Posts

Posted - February 13 2009 :  03:50:36

Yes, it is definitely a SQL injection issue.


AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 13 2009 :  04:05:40
Thanks Verve:
You said..."Using MS Access does not make you immune to SQL injection. SQL injection can happen on MySQL, Access, SQL Server, etc etc etc etc."

I need more agreement that an SQL injection affects the databases you said. And why hasn't this problem appeared before in the thousands of VPASP 4.5 installs using a MS Access 2000 mdb?

I need something conclusive to say it is a fault with our manipulation of the original mdb or asp coding, or one that affects all VPASP 4.5 products using an Access mdb file?

Appreciative of any help, for this great product that has served me well for 6 years, until now.

Aussie



Australian Made by Mum, and proud of it :-)

THeVerve
VP-CART New User

117 Posts

Posted - February 13 2009 :  04:17:01
You didn't have this problem before, probably because the hacker had not found your site. It's just a matter of time before someone finds a site, scans for vulnerabilities with their hacking script and exploits it.

I would say SQL injection can happen on old or unpatched versions of the shopping cart. I just noticed from your first post you are using 4.50. This is probably the reason why the attack works on your site, since 4.50 is quite old and probably has a lot of security problems. Is 4.50 even still supported by VP-ASP?

I manage several 6.50 sites and have yet to hear of any sql injection attack on any of them.

devshb
Senior Member

United Kingdom
1904 Posts

Posted - February 13 2009 :  05:54:28
Take a look at the "resources" links from our sister site, which explain the various types of injection/infection in detail:

http://www.sqlinjectionscanner.com/

Then grab the free scanner (download free version), which is an ASP-based SQL injection data checker (i.e. it checks for possible XSS/injected values in your data) and which works on all types of databases; you'll get redirected automatically to our other sister site, bigyellowkey.com, to grab/download the actual software.

As per the postings above, Access isn't immune to injections/attacks, but generally hackers don't bother to attack Access sites as much as SQL Server. Note that because of XSS attacks, hackers can still manage to do things like adding keylogger installations to people's PCs when attacking Access sites (I don't want to explain how for obvious reasons, but be assured that hackers can quite easily use indirect methods to inject/infect Access sites).

If you want to take your site down, take a look at:
http://www.sqlinjectionscanner.com/asp_site_suspender.html

It stops anyone else from being able to open any of your vpasp files with the flip of a switch, but it also uses a pwd override so that you can still access anything.

Also, bear in mind that if the hacker can physically update a product value in the database (directly or indirectly) via a loophole in the code, that means that they can do absolutely anything they want to anything in the database, including changing config values (which hackers often do), or doing various other things so they can see everyone else's order details. By using different combinations of hacks they can, in the end, get everyone's card details and orders.

So I guess my advice is: if you see a genuine hack (i.e. a data value has been physically changed by a hacker), then that'd be much more serious than just an XSS attack as it's direct injection (usually), and if that happens I'd shut the site down until the loophole's fixed.

Grab/run the free scanner, but also check your config values; if any of your config values have been changed then alarm bells should be ringing in the site owner's mind and it's time to shut the site down before anything else happens.

Simon Barnaby
Developer
[email protected]
www.BigYellowZone.com
Web Design, Online Marketing and VPASP addons

Edited by - devshb on February 13 2009 06:21:08
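Added example, not code from this thread, from VP-ASP or from the scanner linked above: the two checks Simon recommends, done by hand. One compares the configuration table against a baseline captured while the site was known good and reports anything changed or added; the other sweeps the text columns of the catalogue for values that look injected (script tags, `javascript:` URLs, UNION SELECT fragments). It assumes a DB-API connection (sqlite3 stands in for the Access .mdb; a pyodbc connection to the real file would be used the same way), a configuration table named `configuration` with `fieldname`/`fieldvalue` columns, and placeholder config names; none of that is VP-ASP's documented schema, and all sample data is constructed.

```python
"""Config baseline comparison and injected-data sweep.

Added example (not code from this thread, from VP-ASP or from the linked
scanner). Assumptions: sqlite3 stands in for the Access .mdb; the
'configuration' table layout and config names are placeholders, not VP-ASP's
documented schema; the baseline was captured while the site was clean. All
sample data is constructed.
"""
import re
import sqlite3

# Markup or SQL that never belongs in a product name, description or config
# value: the kind of signature a data checker looks for.
INJECTED = re.compile(
    r"<\s*(script|iframe|object|embed)\b|javascript:|\bunion\s+select\b",
    re.IGNORECASE,
)

# Constructed baseline, captured when the site was known good.
BASELINE_CONFIG = {
    "xemail": "orders@example.invalid",
    "xpaymenturl": "https://pay.example.invalid/checkout",
}


def build_demo_db():
    """Constructed data: one config value has been altered and one product
    description carries a script tag, the two cases the checks should catch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE configuration (fieldname TEXT, fieldvalue TEXT);
        CREATE TABLE products (catalogid INTEGER, cname TEXT, cdescription TEXT);
        INSERT INTO configuration VALUES ('xemail', 'orders@example.invalid');
        INSERT INTO configuration VALUES ('xpaymenturl', 'https://attacker.example.invalid/pay');
        INSERT INTO products VALUES (1, 'Widget', 'A plain widget');
        INSERT INTO products VALUES (2, 'Gadget',
            '<script src="http://attacker.example.invalid/k.js"></script>');
        """
    )
    return conn


def changed_config(conn, baseline):
    """Return {name: (expected, actual)} for every config value that differs
    from the baseline, including names added since the baseline was taken."""
    current = dict(conn.execute("SELECT fieldname, fieldvalue FROM configuration"))
    changes = {}
    for name, expected in baseline.items():
        if current.get(name) != expected:
            changes[name] = (expected, current.get(name))
    for name in current.keys() - baseline.keys():
        changes[name] = (None, current[name])
    return changes


def scan_text_columns(conn, table, key, columns):
    """Return (table, key value, column, value) for every cell matching INJECTED.
    Table and column names come from this script, never from a request."""
    select = ", ".join([key] + list(columns))
    hits = []
    for row in conn.execute(f"SELECT {select} FROM {table}"):
        for column, value in zip(columns, row[1:]):
            if isinstance(value, str) and INJECTED.search(value):
                hits.append((table, row[0], column, value))
    return hits


if __name__ == "__main__":
    db = build_demo_db()
    for name, (expected, actual) in changed_config(db, BASELINE_CONFIG).items():
        print(f"config {name} changed: {expected!r} -> {actual!r}")
    for table, key, column, value in scan_text_columns(
        db, "products", "catalogid", ["cname", "cdescription"]
    ):
        print(f"{table}.{column} for {key} looks injected: {value[:60]}")
```

The baseline is the part that needs discipline: it has to be taken (and re-taken after every legitimate admin change) while the site is known clean, otherwise a tampered value simply becomes the new "expected". A changed payment or email setting, as in the constructed data here, is the signal Simon describes as alarm bells.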

AussieBoy1958
Starting Member

Australia
16 Posts

Posted - February 14 2009 :  00:40:39
I've had a good yak with the owner and we will be upgrading to 6.5. RIP a 6-year, 3000-product cart that worked perfectly.

I've absorbed all that has been written. I'm very appreciative. It was what you blokes had written, along with VPASP support's words, that when read to the owner, convinced him to upgrade.

Now to play with that sqlinjection scanner.

AussieBoy1958


Australian Made by Mum, and proud of it :-)