SQL Injection Vulnerable?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
9 years ago
zrmax wrote:
Hi all, on Nop commerce 3.2 we had a SQL injection attack on the database, table Products. Any suggestions to prevent this? It is business critical. Thanks in advance

Massimo


Please see replies above. nopCommerce is not vulnerable to SQL injection. If you think it's vulnerable, please provide a list of steps to reproduce the issue.
8 years ago
a.m wrote:

Please see replies above. nopCommerce is not vulnerable to SQL injection. If you think it's vulnerable, please provide a list of steps to reproduce the issue.


Here's my 2 minute attempt at SQL Injecting Nop.

1. Log in to admin console.
2. View all orders

http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10

Returns 6 orders

3. Change URL from above to http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10' or 1=1 --

Returns all 8 orders.

Therefore it most definitely IS vulnerable.

I couldn't find anything obvious on the front end, though I'm sure someone with a little more knowledge (and time) would more than likely find somewhere where things are left unchecked
8 years ago
big_al wrote:

Please see replies above. nopCommerce is not vulnerable to SQL injection. If you think it's vulnerable, please provide a list of steps to reproduce the issue.

Here's my 2 minute attempt at SQL Injecting Nop.

1. Log in to admin console.
2. View all orders

http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10

Returns 6 orders

3. Change URL from above to http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10' or 1=1 --

Returns all 8 orders.

Therefore it most definitely IS vulnerable.

I couldn't find anything obvious on the front end, though I'm sure someone with a little more knowledge (and time) would more than likely find somewhere where things are left unchecked

There isn't any issue. Replied here
8 years ago
I'd be interested in more info on this issue.

In our nop 1.9 store I just made some ajax textbox filters that disallowed characters like: <>;{}[]/|\ but in our new nop 3.5 store I can enter them with no problem in a contact form and submit it.

thanks

David
8 years ago
Dear A.m,
our nopCommerce 2.70 was also hacked.
We had the same issue as gfrick... all the nvarchar(max) fields of our database have had HTML like this appended:

<div style="display:none">go <a href="http://www.crossbordercapital.com/blog/template/page/i-cheated-on-my-husband.aspx">how women cheat</a> all wife cheat</div><div style="display:none">wifes cheat <a href="http://www.fem-choice.com/femchoice/page/women-who-cheated.aspx">online</a> redirect</div>


Our SQL Server machine is behind a firewall and cannot be accessed remotely.
No other site or database on the same server was hacked.
I don't know how to reproduce the issue, but injection is the most likely hypothesis.

Claudio
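
To scope the damage described in the post above (hidden `<div style="display:none">` blocks appended to text columns), a read-only T-SQL scan can list every affected table and column. This is an added example, not code from the thread or from nopCommerce; it assumes SQL Server 2008 or later and is run inside the store's database.

```sql
-- Added example: read-only scan for the hidden-div marker quoted in the thread.
SET NOCOUNT ON;

DECLARE @marker nvarchar(100) = N'%<div style="display:none">%';

CREATE TABLE #hits (SchemaName sysname, TableName sysname,
                    ColumnName sysname, AffectedRows int);

DECLARE @schema sysname, @table sysname, @column sysname, @sql nvarchar(max);

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.columns c
    JOIN sys.tables  t  ON t.object_id = c.object_id
    JOIN sys.schemas s  ON s.schema_id = t.schema_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name IN (N'nvarchar', N'varchar')
      -- max_length is in bytes; -1 means (max). Skip columns too short for the marker.
      AND (c.max_length = -1 OR c.max_length >= 100)
      AND c.is_computed = 0;

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME and the marker is a bound parameter,
    -- so no catalog or data value is concatenated into the statement as raw text.
    SET @sql = N'INSERT INTO #hits
                 SELECT @s, @t, @c, COUNT(*)
                 FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N'
                 WHERE ' + QUOTENAME(@column) + N' LIKE @m
                 HAVING COUNT(*) > 0;';
    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @m nvarchar(100)',
         @s = @schema, @t = @table, @c = @column, @m = @marker;

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;

-- One row per affected column, worst first.
SELECT SchemaName, TableName, ColumnName, AffectedRows
FROM #hits
ORDER BY AffectedRows DESC;

DROP TABLE #hits;
```

The scan only counts matching rows and changes no data; which tables and columns it reports (catalog text, locale resources, settings) helps narrow down which write path was abused.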
8 years ago
Hi Claudio,

It's definitely not a SQL injection attack because it's not possible as described below. But all versions prior to 3.60 are vulnerable to XSRF attack. It could be it. The only way to fix it is to manually implement it (as per version 3.60) or simply upgrade to the latest version.
8 years ago
Hi a.m.,
thanks a lot for your reply and for your explanation.
We have many e-commerce sites with heavy customization of the code and templates, so it is not possible to upgrade them to the latest version now.
How can I prevent this type of attack in my nopCommerce stores that are on versions prior to 3.6? How can I "manually implement" the fix?
Thanks a lot
Claudio
8 years ago
Hi Claudio,

Please go to our repository (https://nopcommerce.codeplex.com/SourceControl/list/changesets), find all changesets with the "XSRF" keyword in the comment (there are a lot of pages) and manually implement the same. The main changeset is https://nopcommerce.codeplex.com/SourceControl/changeset/f798ea024d9fe0be332d63a720f92fdd23b85467. But it was implemented for KendoUI (the replacement for Telerik MVC Extensions). We moved to it from Telerik MVC Extensions in version 3.30. So you'll have to find a way to implement the same for Telerik MVC Extensions.
8 years ago
I have the same problem on version 3.60. I did not change any templates or code.
The LocaleStringResource table was broken with
<div style="display:none">process of abortion <a href="http://longrangesystems.net/blog/template/page/how-to-naturally-terminate-a-pregnancy.aspx">longrangesystems.net</a> natural ways to terminate early pregnancy</div>


The site is http://elbaza.ru/ .. It is broken :( Where is the problem? The product parser has been working for more than 80 hours. There are more than 20000 products.. and I need to wipe the db? Very sad.

UPD: Script for removing this crap
http://pastebin.com/7HC9ss4V
8 years ago
gfrick wrote:
my new nopCommerce store has been hacked and there is a ton of sql injection now. Where can I find the vulnerability?


I have worked with gFrick on that project and I know it's not from nopCommerce; it's from another ASP site. We used the same db for nopCommerce and those other ASP sites, which caused the SQL injection issue.