SQL injection vulnerability

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
Just thought I'd create an issue in the Bugs section after replying to this thread.

Here's my 2-minute attempt at SQL Injecting Nop.

1. Log in to admin console.
2. View all orders

http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10

Returns 6 orders

3. Change URL from above to http://admin-demo.nopcommerce.com/Admin/Order/List?paymentStatusId=10' or 1=1 --

Returns all 8 orders.

Therefore it most definitely IS vulnerable.

I couldn't find anything obvious on the front end, though I'm sure someone with a little more knowledge (and time) would more than likely find somewhere where things are left unchecked.
8 years ago
There isn't any issue. Entity Framework is NOT vulnerable to SQL injection. Browser simply passed "10%27%20or%201=1" instead of "10" for "paymentStatusId" query parameter. Its type is "int" and it cannot be parsed. Hence, it's simply ignored. That's why all orders are loaded.

P.S. Please do not duplicate posts.
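An added example, not part of either post and not nopCommerce code: a Python/sqlite3 model of the behaviour the reply describes, where an unparseable integer parameter drops the filter while the query itself stays parameterized. The table, the sample rows and the names `bind_optional_int` and `list_orders` are assumptions made for illustration; the `strict` flag shows the hardened handling that rejects malformed input instead of silently widening the result set.

```python
import sqlite3

# Constructed sample data: 8 orders, 6 of them with payment status 10.
ROWS = [(i, 10 if i <= 6 else 30) for i in range(1, 9)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, payment_status_id INTEGER)"
    )
    db.executemany("INSERT INTO orders VALUES (?, ?)", ROWS)
    return db


def bind_optional_int(raw):
    """Lenient binding (hypothetical helper): non-integer input becomes None."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def list_orders(db, raw_status, strict=False):
    """Return order ids, filtered by payment status when one was bound."""
    status = bind_optional_int(raw_status)
    supplied = raw_status not in (None, "")
    if status is None and supplied and strict:
        # Hardened variant: refuse malformed input rather than drop the filter.
        raise ValueError("paymentStatusId must be an integer")
    if status is None:
        # No usable filter value: the raw string is discarded, never sent to SQL.
        sql, params = "SELECT id FROM orders ORDER BY id", ()
    else:
        # The value reaches the database only as a bound integer parameter.
        sql = "SELECT id FROM orders WHERE payment_status_id = ? ORDER BY id"
        params = (status,)
    return [row[0] for row in db.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    for raw in ("10", "10' or 1=1 --", "abc"):
        print(repr(raw), "->", len(list_orders(db, raw)), "orders")
```

Any non-integer value, such as `abc`, returns the same full list as the quoted string does, which is how to tell a dropped filter from injected SQL.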