SQL Injection Vulnerable?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
ClaudioCas wrote:
Dear A.m,
our nopCommerce 2.70 was also hacked.
We had the same issue as gfrick... all the nvarchar(max) fields of our database have had an HTML fragment like this appended:

<div style="display:none">go <a href="http://www.crossbordercapital.com/blog/template/page/i-cheated-on-my-husband.aspx">how women cheat</a> all wife cheat</div><div style="display:none">wifes cheat <a href="http://www.fem-choice.com/femchoice/page/women-who-cheated.aspx">online</a> redirect</div>


Our SQL Server machine is behind a firewall and cannot be accessed remotely.
No other site or database on the same server was hacked.
I don't know how to reproduce the issue, but injection is the most likely hypothesis.

Claudio


Hello Claudio,
We have a Nop 3.0 version with several customizations, and I don't know what to call the intrusion (SQL Injection, XSRF or CSRF), but we frequently have our database injected with the same type of code you described above, including the same format. The "injector" puts these lines in any field with nvarchar(MAX). So we have fields changed on 57.000 records on each attack. I started cleaning it manually because we would lose transactions between backups. We are working on having this site updated, but it will take a few weeks as there are lots of customizations and the source we have is corrupted and beyond rescue.
We also have a Nop 3.6 installed on another website, and it is a clean install without any modifications. We have the same issue with it. So I don't know how the 3.6 version is immune to these attacks.
Have you solved your problem? If so how?
We are currently using an application (Nopfix - http://www.nopfix.com) that does the cleaning automatically when there is an attack, and it has been working fine for the past 3 months. Once there is an attack it immediately cleans and restores the database to what it was prior to the attack.
We are tired of keeping tabs on our systems due to the attacks. Please let me know if you have fixed your issue.
7 years ago
pimba wrote:

Hello Claudio,
We have a Nop 3.0 version with several customizations, and I don't know what to call the intrusion (SQL Injection, XSRF or CSRF), but we frequently have our database injected with the same type of code you described above, including the same format. The "injector" puts these lines in any field with nvarchar(MAX). So we have fields changed on 57.000 records on each attack. I started cleaning it manually because we would lose transactions between backups. We are working on having this site updated, but it will take a few weeks as there are lots of customizations and the source we have is corrupted and beyond rescue.
We also have a Nop 3.6 installed on another website, and it is a clean install without any modifications. We have the same issue with it. So I don't know how the 3.6 version is immune to these attacks.
Have you solved your problem? If so how?
We are currently using an application (Nopfix - http://www.nopfix.com) that does the cleaning automatically when there is an attack, and it has been working fine for the past 3 months. Once there is an attack it immediately cleans and restores the database to what it was prior to the attack.
We are tired of keeping tabs on our systems due to the attacks. Please let me know if you have fixed your issue.


Dear Pimba,
We had a SQL Injection issue with an old version of nopCommerce (2.70). We dismissed that ecommerce site and use a standard website instead, because the customer didn't want it anymore and preferred to have only a showcase site without sales.
We upgraded all our other ecommerce sites to the latest version and have no issues with SQL injection.
7 years ago
ClaudioCas wrote:
...We had SQL Injection issue with an old version of nopcommerce (2.70)....

nopCommerce versions 1.70 and above use Entity Framework (they are NOT vulnerable to SQL injection). If you had some injection issues, please provide a complete list of steps to reproduce it.
7 years ago
a.m. wrote:
...We had SQL Injection issue with an old version of nopcommerce (2.70)....
nopCommerce versions 1.70 and above use Entity Framework (they are NOT vulnerable to SQL injection). If you had some injection issues, please provide a complete list of steps to reproduce it.

Hi Andrey,
Thanks for your clarification. We had an attack on our platform, probably not related to SQL Injection but to another vulnerability (XSRF / CSRF or a security bug in the code) in the old version of nopCommerce. We haven't noticed the issue with the latest version (3.60+).
7 years ago
silverferrum wrote:
I have the same problem at version 3.60. I did not change any templates or code.
The LocaleStringResource table was broken with
<div style="display:none">process of abortion <a href="http://longrangesystems.net/blog/template/page/how-to-naturally-terminate-a-pregnancy.aspx">longrangesystems.net</a> natural ways to terminate early pregnancy</div>


The site is http://elbaza.ru/ .. It is broken :( Where is the problem? The product parser has been working for more than 80 hours. There are more than 20000 products.. and I need to wipe the DB? Very sad.

UPD: Script for removing this crap
http://pastebin.com/7HC9ss4V


Hello,
I have the same problem with my 3.60 version. Did you find a solution? I have been able to continue working because I am using a solution where you don't need to wipe your database. It cleans the database fast and keeps all your records while your site stays online. It is called Nopfix.
Please let me know if you have found a solution for your 3.60 version and if so, what have you done?
Like yours, my 3.60 version is the original, direct from the nopCommerce website. No changes, and as far as I understood, version 3.60 should be immune to CSRF or XSRF attacks.
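For the manual cleanup that pimba and silverferrum describe above, here is an added T-SQL script (not from the thread, not nopCommerce's own code, and not the pastebin script) that reports every nvarchar(max) column containing the hidden-div marker seen in the posts and, when dry-run is switched off, strips the appended markup. It assumes a SQL Server database, that the spam is appended after the legitimate value, and that no legitimate value contains the marker; the marker string and the `@dryRun` switch are assumptions for this example.

```sql
-- Added example: find and strip the '<div style="display:none">' spam
-- appended to nvarchar(max) columns (e.g. LocaleStringResource.ResourceValue).
SET NOCOUNT ON;
DECLARE @marker nvarchar(50) = N'<div style="display:none">';  -- assumed marker
DECLARE @dryRun bit = 1;   -- 1 = report only; 0 = strip the markup in a transaction
DECLARE @sql nvarchar(max) = N'';

-- Build one COUNT query per nvarchar(max) column; max_length = -1 means (max).
SELECT @sql += N'
SELECT ' + QUOTENAME(s.name + N'.' + t.name, '''') + N' AS [table], '
        + QUOTENAME(c.name, '''') + N' AS [column], COUNT(*) AS affected_rows
FROM ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N'
WHERE CHARINDEX(@m, ' + QUOTENAME(c.name) + N') > 0
HAVING COUNT(*) > 0;'
FROM sys.columns c
JOIN sys.tables  t  ON t.object_id = c.object_id
JOIN sys.schemas s  ON s.schema_id = t.schema_id
JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
WHERE ty.name = N'nvarchar' AND c.max_length = -1 AND c.is_computed = 0;

-- Report which tables/columns carry the marker and how many rows are hit.
EXEC sp_executesql @sql, N'@m nvarchar(50)', @m = @marker;

IF @dryRun = 0
BEGIN
    -- Truncate each affected value just before the first marker occurrence.
    -- LEFT(x, 0) yields '' when the marker is at position 1.
    SET @sql = N'';
    SELECT @sql += N'
UPDATE ' + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name) + N'
SET ' + QUOTENAME(c.name) + N' = LEFT(' + QUOTENAME(c.name) + N', CHARINDEX(@m, '
        + QUOTENAME(c.name) + N') - 1)
WHERE CHARINDEX(@m, ' + QUOTENAME(c.name) + N') > 0;'
    FROM sys.columns c
    JOIN sys.tables  t  ON t.object_id = c.object_id
    JOIN sys.schemas s  ON s.schema_id = t.schema_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name = N'nvarchar' AND c.max_length = -1 AND c.is_computed = 0;

    BEGIN TRANSACTION;
    EXEC sp_executesql @sql, N'@m nvarchar(50)', @m = @marker;
    COMMIT TRANSACTION;
END
```

Run it with `@dryRun = 1` first and take a backup before setting it to 0; scheduling the report query alone gives early warning of the next injection, which is what a fix for the actual entry point should then be verified against.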