
Securing version 2 stores

Overview

This document is intended for users of ProductCart version 2.x who cannot upgrade to version 3. If you can upgrade your store to ProductCart version 3, you should do so: the latest version of ProductCart is a more secure product.

This document contains instructions on how to make the storefront more secure after a wave of automated SQL injection attacks in the spring of 2008 exposed security issues in this version of ProductCart. The attacks are carried out automatically: the attacker's tool finds pages to attack much as a search engine spider does, by following links, and then tampers with the query string parameters those pages accept.

If you haven't already done so, before reading this page please review our Security Alert for information about what to do if you have been attacked, and how to undo the SQL injection.

What this page contains

We are providing two sets of information on this page:

  1. An updated file set: download the files here
    1. You can copy these files directly to your store if you are running version 2.76p or 2.76p2 without any add-ons
    2. Otherwise, you can use these files as a point of reference to synchronize the files on your store
  2. Instructions on how to edit the code to secure it if you cannot simply copy the files above onto your store (e.g. the source code has been customized, you are not using version 2.76p, or you are using one or more add-ons).

If you need more information, please contact us by opening a support ticket.

You must replace include-metatags.asp as described below regardless of whether you manually update the other files or simply copy the updated files to your store.

Replace include-metatags.asp

Make sure to replace your version of the file pc/include-metatags.asp with the one enclosed in the download file mentioned above. Edit the new version of the file to replace the default meta tags with your own.

  • You must take this step to secure your store using the rest of instructions/files mentioned on this page
  • Make sure that header.asp is using this include-metatags.asp. The top of your header.asp file should look as follows:
<!--#include file="include-metatags.asp"-->
<html>
<head>
<%if pcv_PageName<>"" then%>
<TITLE><%=pcv_PageName%></TITLE>
<%end if%>
<%GenerateMetaTags()%>
<%Response.Buffer=True%> 
<%
Set conlayout=Server.CreateObject("ADODB.Connection")
conlayout.Open scDSN  

Set RSlayout = conlayout.Execute("Select * From layout Where layout.ID=2")
Set rsIconObj = conlayout.Execute("Select * From icons WHERE id=1")
%>

Technical note: the function validNum2 is defined in this file. This is a copy of validNum defined in stringFunctions.asp. The function is defined twice (with different names) because in version 2.x not all files included stringFunctions.asp. The same is true for the getUserInput2 function. The edited code uses one function or the other depending on which one is known to be defined within that file.

Edit Header.asp

If you are using the dynamic navigation menu, your header.asp file could be vulnerable. Edit it as follows.

Replace:

pcv_checkPageCat=Request.QueryString("idcategory")
pcv_checkPagePrd=Request.QueryString("idproduct")

… with:

pcv_checkPageCat=getUserInput(Request.QueryString("idcategory"),10)
 if not validNum2(pcv_checkPageCat) then
  pcv_checkPageCat=""
 end if

pcv_checkPagePrd=getUserInput(Request.QueryString("idproduct"),10)
 if not validNum2(pcv_checkPagePrd) then
  pcv_checkPagePrd=""
 end if

Find and Replace tasks

Perform the following Find & Replace tasks on the “pc” folder. The Find & Replace utility that is built into Adobe Dreamweaver - for instance - allows you to easily perform a Find & Replace task on the source code of all files located within a folder. Select the “pc” folder of your ProductCart installation, then perform the tasks listed below.

Before performing these Find & Replace tasks, make sure that pc/include-metatags.asp has been replaced with the one mentioned above. This is absolutely necessary as the functions used in the code below are defined in this new version of the file.

Category ID

Replace:

pIdCategory=server.HTMLEncode(request.querystring("idCategory"))
mIdCategory=server.HTMLEncode(request.querystring("idCategory"))

… with:

pIdCategory=getUserInput2(request.querystring("idCategory"),10)
if not validNum2(pIdCategory) then
 pIdCategory=""
end if
mIdCategory=pIdCategory

Product ID

Replace:

pIdProduct = request.QueryString("idProduct")

… and …

pIdProduct=request.QueryString("idProduct")

… with:

pIdProduct = getUserInput2(request.QueryString("idProduct"),10)
if not validNum2(pIdProduct) then
   response.redirect "msg.asp?message="&Server.Urlencode(dictLanguage.Item(Session("language")&"_viewPrd_1") ) 
end if

prodsort

Replace:

ProdSort="" & request("prodsort")

… with:

ProdSort=getUserInput2(request("prodsort"),2)
 if not validNum2(ProdSort) then
  ProdSort=""
 end if

Other files

custwl.asp, pricebreak.asp

Add the include file “stringfunctions.asp” after the other include statements at the top.

<!--#include file="../includes/stringfunctions.asp" -->

Then replace:

pIdProduct=request.querystring("idProduct")

… with:

pIdProduct=getUserInput(request.querystring("idProduct"),10)
 if not validNum(pIdProduct) then
   response.redirect "msg.asp?message="&Server.Urlencode(dictLanguage.Item(Session("language")&"_viewPrd_1") ) 
 end if

viewPrd.asp

Replace:

If isNumeric(request.querystring("idCategory")) AND request.querystring("idCategory")<>"" then %>
	<tr> 
		<td colspan="2"><font face="<%=FFType%>"  color="<%=FColor%>" size="2">
		<% dim pIdCategory, indexCategories, pUrlString, pIdCategory2
		pIdCategory=request.querystring("idCategory")
		if pIdCategory<>"" then

… with:

pIdCategory=getUserInput(request.querystring("idCategory"),10)
if validNum(pIdCategory) then %>
	<tr> 
		<td colspan="2"><font face="<%=FFType%>"  color="<%=FColor%>" size="2">
		<% dim pIdCategory, indexCategories, pUrlString, pIdCategory2
		if validNum(pIdCategory) then
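
To make the effect of the edits above concrete, here is a small Python model of the "before" and "after" handling of idProduct. It is an added example, not ProductCart code and not a port of stringFunctions.asp: it assumes that getUserInput trims and truncates its argument to the given length and that validNum accepts only a string of ASCII digits, and the query string values it tests are constructed, not captured traffic. It also shows why the length cap on its own is not the fix: a short tautology fits in 10 characters, and only the numeric allow-list rejects it.

```python
import re

# Constructed query-string values for idProduct (not captured traffic).
SAMPLES = {
    "benign": "1234",
    "padded": " 42 ",
    "stacked": "1234;DECLARE @S VARCHAR(4000);SET @S='x';EXEC(@S);--",
    "short_tautology": "1 OR 1=1",   # 8 characters: fits under a 10-char cap
    "empty": "",
}


def get_user_input(value, max_len):
    """Model of getUserInput/getUserInput2 (assumed behaviour):
    trim surrounding whitespace, then keep at most max_len characters."""
    return (value or "").strip()[:max_len]


def valid_num(value):
    """Model of validNum/validNum2 as a strict allow-list:
    one or more ASCII digits and nothing else."""
    return re.fullmatch(r"[0-9]+", value) is not None


def vulnerable_query(raw):
    """Before the fix: the raw value is concatenated straight into SQL."""
    return "SELECT * FROM products WHERE idProduct=" + raw


def hardened_query(raw):
    """After the fix: cap the length, then require a pure integer.
    The page redirects to msg.asp on failure; modelled here as None."""
    pid = get_user_input(raw, 10)
    if not valid_num(pid):
        return None
    return "SELECT * FROM products WHERE idProduct=" + pid


def statement_count(sql):
    """Count ';'-separated statements (ignores quoting; enough to expose
    a stacked-query injection in the concatenated string)."""
    return sum(1 for part in sql.split(";") if part.strip())


def demo():
    """Return {sample_name: (statements_before, query_after)} for all samples."""
    return {
        name: (statement_count(vulnerable_query(raw)), hardened_query(raw))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:16} before: {before} statement(s)   after: {after!r}")
```

Note that the original viewPrd.asp test used VBScript's IsNumeric, which also accepts signs, decimal points, exponent notation and &H hex prefixes; for an integer ID a digits-only check is the stricter choice, which is why the model above does not fall back to IsNumeric semantics.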

Other files

For the following files, please use the version included in the ZIP at the top of this page.

  • advSearch_h.asp
  • advSearch_i.asp
  • advSearch_l.asp
  • advSearch_m.asp
  • advSearch_p.asp
  • prv_allreviews.asp
  • prv_increviews.asp
  • showChargesInfo.asp
  • showinfo.asp
  • tellafriendthanks.asp

If you have heavily modified your files, you should still be able to locate the security-related file changes through line-level file comparison. Look for the code where the getUserInput and validNum functions have been added.

Additional security at the database level

To prevent the kind of SQL injection performed in the attack that triggered this security alert, you can also make changes at the database level. These changes reduce the permissions of the database user named in the connection string used by ProductCart, so that the injected statements cannot execute successfully even if they reach the database. Read more.

Pre-filtering requests

As a temporary measure, you can place software in front of the ProductCart code that catches injection attempts before they are executed against the database. These are normally ISAPI filters, but web appliances running on a separate server in front of the web server serve the same purpose.

URLScan

If you control the server that hosts your web site, you may also want to install Microsoft's URLScan tool (an ISAPI filter DLL):

http://technet.microsoft.com/en-us/security/cc242650.aspx

Version 3 of URLScan is available from Microsoft under a Go Live license, which means it is technically a beta but the license permits use on production servers. Setting a MaxQueryString limit in the [RequestLimits] section of urlscan.ini cuts off many SQL injection vectors, since the injected statements are far longer than any legitimate ProductCart query string. Version 3 also adds query string matching: you can, for example, reject any query string containing DECLARE or EXEC before it reaches the ProductCart code.

As new vectors are attempted, adjust the patterns to defeat them. This buys time to amend the vulnerable code; it does not replace the code changes described above.

Version 3 can be found here: x86 version and x64 version.

A very useful starting point for configuring URLScan can be found here.
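
The following Python model, added here and not part of URLScan or ProductCart, shows the behaviour the URLScan section describes: a length limit on the raw query string, a list of denied query string sequences, and why the query string must be decoded before matching (URLScan 3's UnescapeQueryString option). The sequences, the limit and the sample query strings are constructed for illustration and are not a recommended urlscan.ini.

```python
from urllib.parse import unquote

# Illustrative limits and deny sequences, in the spirit of urlscan.ini's
# [RequestLimits] MaxQueryString and [DenyQueryStringSequences]. Not a real
# URLScan configuration; tune for your own store before use.
MAX_QUERY_STRING = 256
DENY_SEQUENCES = ["declare ", "exec(", "cast(", "--", ";"]

# Constructed query strings (not captured traffic).
BENIGN = "idproduct=1234&idcategory=7"
RAW_ATTACK = "idproduct=1;DECLARE @S VARCHAR(4000);SET @S='x';EXEC(@S);--"
ENCODED_ATTACK = ("idproduct=1%3BDECLARE%20%40S%20VARCHAR%284000%29%3B"
                  "SET%20%40S%3D%27x%27%3BEXEC%28%40S%29%3B%2D%2D")
OVERLONG = "q=" + "a" * 300


def normalize(qs):
    """Percent-decode twice (defeats double encoding) and lowercase,
    approximating UnescapeQueryString plus case-insensitive matching."""
    return unquote(unquote(qs)).lower()


def prefilter(qs, unescape=True):
    """Return (allowed, reason). Length is checked on the raw string, as a
    request limit would be; sequence matching runs on the decoded form when
    unescape is True, or on the raw lowercase string when it is False."""
    if len(qs) > MAX_QUERY_STRING:
        return False, "MaxQueryString exceeded"
    candidate = normalize(qs) if unescape else qs.lower()
    for seq in DENY_SEQUENCES:
        if seq in candidate:
            return False, f"deny sequence {seq!r}"
    return True, "ok"


def run_all():
    """Run every constructed sample through the filter, with and without decoding."""
    return {
        "benign": prefilter(BENIGN),
        "raw_attack": prefilter(RAW_ATTACK),
        "encoded_no_unescape": prefilter(ENCODED_ATTACK, unescape=False),
        "encoded_with_unescape": prefilter(ENCODED_ATTACK),
        "overlong": prefilter(OVERLONG),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_all().items():
        print(f"{name:24} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

The "encoded_no_unescape" case is the caveat: a filter that matches the raw query string lets the percent-encoded payload through, so decoding before matching is essential. The deny list also overblocks, since sequences such as "--" or ";" will reject legitimate search terms that happen to contain them. Treat the filter as the stop-gap the page describes; the numeric allow-list edits to the ASP files remain the actual fix.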

IIS 6 SQL Injection Sanitation ISAPI Wildcard

This ISAPI DLL blocks SQL injection attempts by intercepting HTTP requests and sanitizing GET and POST variables (or any combination of both) before the request reaches the intended code. This is especially useful for legacy applications that were not designed to deal with Microsoft SQL Server injection attempts. Although it was designed with Microsoft SQL Server in mind, it can be used with no or minimal changes with other database engines.

This ISAPI filter is only compatible with Internet Information Services (IIS) 6.0, which ships with Windows Server 2003. Windows XP ships IIS 5.1, which DOES NOT support wildcard application mapping.

This can be downloaded from here

