FreznoShop Vulnerability Details

Date: May 13, 2005
Mike Shema

Versions of FreznoShop (http://www.freznoshop.de/) below 1.4.1 are vulnerable to SQL injection due to the use of unvalidated parameters in database queries. Some unpatched versions of 1.4.1 are vulnerable as well.

The value of the 'id' parameter is passed directly to the SQL query function. No validation of content or filtering of malicious characters is performed. Database error messages are suppressed such that they will not reach the web browser, but this does not prevent arbitrary queries from being constructed.

The following URL demonstrates a value for 'id' that displays a user's username and password in the HTML response:

http://site/freznoshop/product_details.php?id=1+UNION+SELECT+1,u_password,u_name,1,1,1,1,1,1,1,1,1+FROM+fs_users+LIMIT+1,1

The specific problem lies in the product_details.php and libclasses/lib.shop.php files.

product_details.php, c. line 63
-------------------------------
...
$prod = loadProduct($HTTP_GET_VARS['id']);
...
-------------------------------

libclasses/lib.shop.php, c. line 83
-----------------------------------
...
function loadProduct($id) {
    $table1 = DB_PREFIX .'products p';
    $table2 = DB_PREFIX .'products_categories pc';
    $sql = db_query("SELECT p.p_id, p.p_item_nr, p.p_name, p.p_desc,
        p.p_desc_long, p.p_image, p.p_price, p.p_show_img, p.p_sp_price,
        p.p_has_special, p.p_has_style, pc.category_id
        FROM $table1, $table2
        WHERE p.p_id = pc.product_id AND p.p_id = $id ");
...
-----------------------------------

Users of this application should download the latest version of FreznoShop, which implements an is_numeric() check of the $id parameter in the product_details.php file to prevent this particular attack.
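As an added example (not the advisory's or FreznoShop's code), a hardened form of the product lookup above: the 'id' value is validated as a plain integer before use and then bound as a typed parameter rather than interpolated into the query string. It assumes a PDO connection and a reduced products table; the project's db_query() wrapper is not used.

```php
<?php
// Added example, not FreznoShop code. Assumes PDO and a constructed
// products table with only p_id and p_name columns.

function validateProductId(string $id): int {
    // Accept only a string of decimal digits. This is stricter than the
    // vendor's is_numeric() fix: is_numeric() also accepts forms such as
    // "1e3" or " 1", which are still numeric literals in the unquoted
    // "p.p_id = $id" context (so they do not inject), but are not ids.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('product id must be a positive integer');
    }
    return (int) $id;
}

function loadProductSafe(PDO $pdo, string $id): ?array {
    $pid = validateProductId($id);
    // Bind the value as an integer parameter so the database never parses
    // request input as SQL, whatever the validation step let through.
    $stmt = $pdo->prepare('SELECT p.p_id, p.p_name FROM products p WHERE p.p_id = :id');
    $stmt->bindValue(':id', $pid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (p_id INTEGER PRIMARY KEY, p_name TEXT)');
$pdo->exec("INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget')");

// The UNION-style value from the advisory, a float-looking value that
// is_numeric() would pass, and a non-numeric string are all rejected
// before any SQL is built; only the plain ids reach the database.
$inputs = ['1', '2', '3', '1 UNION SELECT 1,p_name FROM products', '1e3', 'abc'];
foreach ($inputs as $input) {
    try {
        $row = loadProductSafe($pdo, $input);
        printf("%-42s -> %s\n", var_export($input, true), $row['p_name'] ?? 'no such product');
    } catch (InvalidArgumentException $e) {
        printf("%-42s -> rejected: %s\n", var_export($input, true), $e->getMessage());
    }
}
```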