Securing version 2 stores
This document is intended for users of ProductCart version 2.x who cannot upgrade to version 3. If you can upgrade your store to ProductCart version 3, you should do so, as the latest version of ProductCart is definitely a more secure product.
This document contains instructions on how to make the storefront more secure after a wave of automated SQL injection attacks in the spring of 2008 exposed some security issues in this version of ProductCart. The attacks are carried out automatically: the attacker finds files to attack in much the same way a search engine spider does (i.e. by following links).
If you haven't already done so, before reading this page please review our Security Alert for information about what to do if you have been attacked, and how to undo the SQL injection.
What this page contains
We are providing two sets of information on this page:
- An updated file set: download the files here
  - You can copy these files directly to your store if you are running version 2.76p or 2.76p2, without any add-ons
  - You can use these files as a point of reference to synchronize files on your store
- Instructions on how to edit the code to secure it if you cannot simply copy the files above onto your store (e.g. the source code has been customized, you are not using version 2.76p, or you are using one or more add-ons).
If you need more information, please contact us by opening a support ticket.
Make sure to replace your version of the file pc/include-metatags.asp with the one enclosed in the download file mentioned above. Edit the new version of the file to replace the default meta tags with your own.
- You must take this step to secure your store using the rest of the instructions/files mentioned on this page
- Make sure that header.asp is using this include-metatags.asp. The top of your header.asp file should look as follows:

```asp
<!--#include file="include-metatags.asp"-->
<html>
<head>
<%if pcv_PageName<>"" then%>
<TITLE><%=pcv_PageName%></TITLE>
<%end if%>
<%GenerateMetaTags()%>
<%Response.Buffer=True%>
<%
Set conlayout=Server.CreateObject("ADODB.Connection")
conlayout.Open scDSN
Set RSlayout = conlayout.Execute("Select * From layout Where layout.ID=2")
Set rsIconObj = conlayout.Execute("Select * From icons WHERE id=1")
%>
```
If you are using the dynamic navigation menu, your header.asp file could be vulnerable. Edit it as follows:

```asp
pcv_checkPageCat=getUserInput(Request.QueryString("idcategory"),10)
if not validNum2(pcv_checkPageCat) then
    pcv_checkPageCat=""
end if
pcv_checkPagePrd=getUserInput(Request.QueryString("idproduct"),10)
if not validNum2(pcv_checkPagePrd) then
    pcv_checkPagePrd=""
end if
```
Find and Replace tasks
Perform the following Find & Replace tasks on the “pc” folder. The Find & Replace utility built into Adobe Dreamweaver, for instance, allows you to easily perform a Find & Replace task on the source code of all files located within a folder. Select the “pc” folder of your ProductCart installation, then perform the tasks listed below.
Before performing these Find & Replace tasks, make sure that pc/include-metatags.asp has been replaced with the one mentioned above. This is absolutely necessary, as the functions used in the code below are defined in this new version of the file.

```asp
pIdCategory=getUserInput2(request.querystring("idCategory"),10)
if not validNum2(pIdCategory) then
    pIdCategory=""
end if
mIdCategory=pIdCategory
```
Find:

```asp
pIdProduct = request.QueryString("idProduct")
```

and replace it with:

```asp
pIdProduct = getUserInput2(request.QueryString("idProduct"),10)
if not validNum2(pIdProduct) then
    response.redirect "msg.asp?message="&Server.Urlencode(dictLanguage.Item(Session("language")&"_viewPrd_1"))
end if
```
Find:

```asp
ProdSort="" & request("prodsort")
```

and replace it with:

```asp
ProdSort=getUserInput2(request("prodsort"),2)
if not validNum2(ProdSort) then
    ProdSort=""
end if
```
Add the include file “stringfunctions.asp” after the other include statements at the top:

```asp
<!--#include file="../includes/stringfunctions.asp" -->
```

```asp
pIdProduct=getUserInput(request.querystring("idProduct"),10)
if not validNum(pIdProduct) then
    response.redirect "msg.asp?message="&Server.Urlencode(dictLanguage.Item(Session("language")&"_viewPrd_1"))
end if
```
Find:

```asp
If isNumeric(request.querystring("idCategory")) AND request.querystring("idCategory")<>"" then %>
<tr>
<td colspan="2"><font face="<%=FFType%>" color="<%=FColor%>" size="2">
<%
dim pIdCategory, indexCategories, pUrlString, pIdCategory2
pIdCategory=request.querystring("idCategory")
if pIdCategory<>"" then
```

and replace it with:

```asp
pIdCategory=getUserInput(request.querystring("idCategory"),10)
if validNum(pIdCategory) then %>
<tr>
<td colspan="2"><font face="<%=FFType%>" color="<%=FColor%>" size="2">
<%
dim pIdCategory, indexCategories, pUrlString, pIdCategory2
if validNum(pIdCategory) then
```
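Every Find & Replace task above follows the same pattern: read the query-string value through a length-limiting helper, reject it unless it is a plain number, and only then let it reach a query. The helpers getUserInput/validNum that do this live in the new include-metatags.asp and are not reproduced on this page, so the following is an added example, not ProductCart's code, showing the same two-layer defence in classic ASP with differently named stand-in functions. It assumes a `products` table with an `idProduct` column (both assumed names) and reuses the `scDSN` connection string seen in header.asp above. The point it adds is the second layer: after validation, the id is passed to the database as an ADODB.Command parameter rather than concatenated into the SQL text, so even a validation bug cannot turn the value into SQL syntax.

```vbscript
<%
' Added example, not ProductCart code. Stand-in names are used so they do not
' collide with the getUserInput/validNum helpers in include-metatags.asp.

' Return True only if s is a non-empty string of ASCII digits no longer than
' maxLen. IsNumeric() alone is not a safe whitelist: it also accepts values
' such as "1e3", "&H1F", leading signs and surrounding whitespace.
Function IsPositiveIntegerString(s, maxLen)
    Dim i
    IsPositiveIntegerString = False
    If IsNull(s) Then Exit Function
    If Len(s) = 0 Or Len(s) > maxLen Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsPositiveIntegerString = True
End Function

' Read an integer id from the query string; on bad input redirect to msg.asp
' (Response.Redirect ends the response, so nothing below it runs).
Function RequireIntegerParam(name, maxLen)
    Dim raw
    raw = Trim("" & Request.QueryString(name))
    If Not IsPositiveIntegerString(raw, maxLen) Then
        Response.Redirect "msg.asp?message=" & Server.URLEncode("Invalid request")
    End If
    RequireIntegerParam = CLng(raw)
End Function

' Look up a product by id with a bound parameter instead of string
' concatenation, so the value is sent as data, never as SQL text.
' Table and column names are assumptions for this example.
Function GetProductById(conn, productId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1 ' adCmdText
    cmd.CommandText = "SELECT * FROM products WHERE idProduct = ?"
    ' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("idProduct", 3, 1, , productId)
    Set GetProductById = cmd.Execute
End Function

Dim pIdProduct, conn, rs
pIdProduct = RequireIntegerParam("idProduct", 10)
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open scDSN ' ProductCart's connection string, as used in header.asp
Set rs = GetProductById(conn, pIdProduct)
%>
```

The validation step alone is what the Find & Replace tasks provide, and it is sufficient for integer ids because a value that is nothing but digits cannot carry an injection payload. The parameterized command is worth adopting wherever you are already touching a query, since it also protects free-text parameters (search terms, sort fields) that no numeric whitelist can cover.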
For the following files, please use the version included in the ZIP at the top of this page.
If you have heavily modified your files, you should still be able to locate the security-related file changes through line-level file comparison. Look for the code where the getUserInput and validNum functions have been added.
Additional security at the database level
To prevent the kind of SQL injection performed in the attack that triggered this security alert, you can also make some changes at the database level. These changes reduce the permissions of the database user named in the connection string used by ProductCart, so that even if injected SQL reaches the database it cannot be executed successfully. Read more.
As a temporary measure it is possible to use applications that sit in front of the ProductCart code to catch injection attacks prior to their execution against the database. These will normally be in the form of ISAPI filters, but could also include web appliances that sit on another server in front of the web server.
Also, if you have access (control) over the server that is hosting your Web site, you may want to consider installing the following URLScan Tool (DLL) from Microsoft.
Version 3 of URLScan is available from Microsoft under a GoLive license, which means it is technically a beta but is acceptable for use on production servers. By applying a MaxQueryLength limitation within urlscan.ini you can block many SQL injection attack vectors, since the injected payloads are typically far longer than any legitimate ProductCart query string. Version 3 also brings the ability to match on query-string contents: you can, for example, match DECLARE or EXEC SQL statements and reject those requests before they reach the ProductCart code.
As new vectors are attempted you can adjust the pattern matching to defeat them, buying yourself time to amend the vulnerable code.
A very useful starting point to using UrlScan can be found here
IIS 6 SQL Injection Sanitation ISAPI Wildcard
This ISAPI dll prevents SQL Injection attempts by intercepting the HTTP requests and sanitizing both GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications not designed to deal with MS SQL Server Injection attempts. Though this application was designed with MS SQL Server in mind, it can be used with no or minimal changes with other database engines.
This ISAPI is only compatible with Internet Information Server (IIS) 6.0, which ships with Windows 2003. Windows XP uses the IIS 5 engine, which DOES NOT support wildcard ISAPI mappings.
This can be downloaded from here