ProductCart Security Alert. May 2008. Updated on 05.21.2008. We found and fixed a few vulnerabilities that might have been exploited during the recent wave of SQL injection attacks.

Update on Security Alert - SQL Injection Attacks - 05.21.08
Updated on 07.06.08

Updated Files

We found and fixed a few vulnerabilities that might have been exploited for the SQL injection attacks described yesterday.

What To Do
  • NEW - Change permissions for the database user
    You can prevent the attack from being successfully executed at the database level, even if vulnerable code exists. Vulnerable code still needs to be addressed, but this fix will prevent this particular type of SQL injection from being successfully executed.
  • Stores running ProductCart version 3.11 and above
    Apply the fix mentioned above immediately.
  • Stores running ProductCart version 3.x, but before 3.11
    Apply the fix mentioned above immediately, except for the file "pc/paypalOrdConfirm.asp". Do not upload that file, but rather pick the right version for your store from the following, separate download:
    PayPalOrdConfirm_Patches_052108.zip

    If possible, update to the latest version of ProductCart (version 3.11). If not, download and apply all security patches posted for version 3.x (see version 3.x updates).
  • Stores running ProductCart version 2.7x
    Read this document for details on how to secure your store.
    Although this might help address this specific SQL injection attack, we still recommend that you upgrade to the latest version of ProductCart, which is a more secure system. Providing a comprehensive patch would require updating hundreds of files, so it would not help stores that have customized the source code.
  • ALL STORES
    Make sure that your MS SQL database is regularly backed up so that if there is a problem, you can restore a previous instance. Some hosting companies offer more frequent back-ups for a small fee.
  • Stores using MS Access
    The SQL injection carried out in this attack does not affect MS Access databases, according to our research. Still, you should apply the patches mentioned above and back up your database regularly by downloading the file via FTP.
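
As an added example (not the permissions document Early Impact links to above), the following T-SQL shows what a least-privilege database user for an MS SQL-backed store looks like: a dedicated login that is not a member of db_owner, explicit grants on the store's own tables only, and reads of the system catalog denied, which is what stops an injected statement from enumerating and rewriting every text column. It assumes SQL Server 2005 or later; the database name StoreDB, the login pc_app and the three table names are placeholders for your own.

```sql
-- Added example, not the permissions change Early Impact distributed with
-- this alert: a least-privilege SQL Server account for the store database,
-- written for SQL Server 2005 or later. StoreDB, pc_app and the three table
-- names are placeholders; substitute your own database, login and tables.
USE [StoreDB];
GO

-- 1. A login and database user used by the web application and nothing else.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'pc_app')
    CREATE LOGIN [pc_app] WITH PASSWORD = N'<strong-password-placeholder>';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'pc_app')
    CREATE USER [pc_app] FOR LOGIN [pc_app];
GO

-- 2. The application must not own the database. Drop it from db_owner so a
--    statement smuggled through a vulnerable page cannot alter the schema or
--    reach tables the store never touches.
IF EXISTS (SELECT 1
           FROM sys.database_role_members AS rm
           JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'db_owner' AND m.name = N'pc_app')
    EXEC sp_droprolemember N'db_owner', N'pc_app';
GO

-- 3. Grant only the row-level operations the store needs, table by table.
--    Generate this list from your own schema; three placeholder tables here.
GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.products  TO [pc_app];
GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.orders    TO [pc_app];
GRANT SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.customers TO [pc_app];
GO

-- 4. The mass-injection payload of this period found every text column by
--    reading sysobjects/syscolumns before updating them. Taking those reads
--    away from the application user breaks the attack at the database even
--    when a vulnerable page still passes the statement through. The newer
--    sys.objects / sys.columns views are covered by DENY VIEW DEFINITION;
--    without it the user can still list the tables it has rights on.
DENY SELECT ON OBJECT::sys.sysobjects TO [pc_app];
DENY SELECT ON OBJECT::sys.syscolumns TO [pc_app];
DENY VIEW DEFINITION TO [pc_app];
GO

-- 5. Verify from the application user's point of view: sys.objects should
--    now come back empty (a read of sys.sysobjects raises a permission error).
EXECUTE AS USER = N'pc_app';
SELECT COUNT(*) AS visible_objects FROM sys.objects;
REVERT;
GO
```

Run the script as a sysadmin or the database owner, then point the store's connection string at the new login and exercise the store (checkout, admin pages), since ADO updatable recordsets ask the server for key metadata that VIEW DEFINITION controls and any page that breaks needs its own grant. On SQL Server 2000 the same idea is expressed with sp_addlogin / sp_grantdbaccess and DENY SELECT on the dbo.sysobjects and dbo.syscolumns tables; DENY VIEW DEFINITION does not exist there.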
If your database is hacked

If your store is hacked (JavaScript code added to fields such as product names and descriptions), follow these steps:

  • Turn off the store
  • Clean up the database by either:
    • Restoring a back-up copy
    • Running a query symmetrical to the offending query (download the SQL query here). Load the query in MS SQL Query Analyzer and run it multiple times until it reports that "0 rows were affected". Our experience has shown that in some cases the query needed to be run up to a dozen times consecutively to be effective. Ask your Web master to do this for you, or open a support ticket with Early Impact. Note that this method might not be 100% effective.
  • NEW - Change permissions for the database user
    You can prevent the attack from being successfully executed at the database level by implementing these permissions changes.
  • Make sure that you have installed the updated files above (and any other files that might be released related to this Security Alert).
  • Re-open the store
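
The cleanup query Early Impact links to above is not reproduced here; as an added example, this T-SQL does the same job generically for MS SQL: it walks every character column in the database, reports how many rows contain the injected fragment, and, once the dry-run switch is turned off, strips the fragment with REPLACE. The @payload value is a constructed placeholder and must be set to the exact fragment found in your data; the script assumes SQL Server 2005 or later.

```sql
-- Added example, not the cleanup query Early Impact distributed with this
-- alert: find and strip an injected <script> fragment from every character
-- column in the current database. Written for SQL Server 2005 or later
-- (needs varchar(max)/nvarchar(max)). The @payload value is a constructed
-- placeholder; replace it with the exact string found in your data.
SET NOCOUNT ON;

DECLARE @payload nvarchar(4000), @dry_run bit;
SET @payload = N'<script src="http://example.invalid/x.js"></script>';
SET @dry_run = 1;   -- 1 = only count and report; 0 = perform the UPDATE

DECLARE @schema sysname, @table sysname, @column sysname, @type sysname;
DECLARE @sql nvarchar(max), @expr nvarchar(1000), @where nvarchar(1000);
DECLARE @hits int, @total int;
SET @total = 0;

-- Every column of a user table that can hold text, including the legacy
-- text/ntext types in case the schema still uses them.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column, @type;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- REPLACE cannot operate on text/ntext directly, so those are cast
    -- through the (max) types and back.
    SET @expr = CASE @type
        WHEN 'text'  THEN N'CAST(REPLACE(CAST(' + QUOTENAME(@column) + N' AS varchar(max)), @p, '''') AS text)'
        WHEN 'ntext' THEN N'CAST(REPLACE(CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)), @p, '''') AS ntext)'
        ELSE N'REPLACE(' + QUOTENAME(@column) + N', @p, '''')'
    END;
    SET @where = N' WHERE CHARINDEX(@p, CAST(' + QUOTENAME(@column) + N' AS nvarchar(max))) > 0';

    -- Pass 1: count the rows carrying the payload; the payload travels as a
    -- parameter, never pasted into the statement text.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + @where;
    EXEC sp_executesql @sql, N'@p nvarchar(4000), @n int OUTPUT', @p = @payload, @n = @hits OUTPUT;

    IF @hits > 0
    BEGIN
        PRINT QUOTENAME(@schema) + N'.' + QUOTENAME(@table) + N'.' + QUOTENAME(@column)
            + N': ' + CAST(@hits AS nvarchar(20)) + N' row(s)';
        SET @total = @total + @hits;

        -- Pass 2: remove every occurrence in the column value in one statement.
        IF @dry_run = 0
        BEGIN
            SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                     + N' SET ' + QUOTENAME(@column) + N' = ' + @expr + @where;
            EXEC sp_executesql @sql, N'@p nvarchar(4000)', @p = @payload;
        END
    END

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column, @type;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;
PRINT N'Rows containing the payload: ' + CAST(@total AS nvarchar(20))
    + CASE WHEN @dry_run = 1 THEN N' (dry run, nothing changed)' ELSE N' (cleaned)' END;
```

Back up the database first and try the script on a restored copy before the live one. With @dry_run left at 1 it only prints the affected columns and row counts, which doubles as the incident record; run it again with @dry_run = 0 to clean. Because REPLACE removes every occurrence within a value at once, a fragment that was appended several times by repeated attack waves is gone after a single run rather than needing the "until 0 rows affected" repetition. Matching follows the column collation, so a stored fragment that differs from @payload only in case is not found under a case-sensitive collation, and the count should be compared against a direct search of a known-bad row before trusting it.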
Help for heavily customized stores
  • Change permissions for the database user
    You can prevent the attack from being successfully executed at the database level by implementing these permissions changes.
  • Address vulnerable source code
    If you added custom code to your store, please ensure that you are properly validating any strings after you "request" them. You can find an article on Validating Strings in ProductCart on the ProductCart WIKI. And here you can download the latest version of "includes/stringfunctions.asp".
  • Consider using a service such as HackerSafe or HackerGuardian to automatically scan your Web site for possible vulnerabilities.
  • If you decide to update/upgrade and synchronize the code, there are some useful tips here.
  • If you are using version 2.x and you have customized the store heavily, do a file comparison with the files mentioned in this article.
What's next

We are still looking everywhere for ANY other possible security issue. We will continue keeping you updated and certainly apologize for any inconvenience that this has created for you and your company.

The Early Impact Team