Discussion: MySQL Security in OSCMAX

[red_fraggle]

We might as well start a discussion on several security related issues as they pertain to OSCMAX and MySQL.

We all know that OSCMAX is not PCI compliant since MySQL injection is possible with this application due to form data not being properly sanitized before any query is run to the database. This enables arbitrary injection of MySQL queries by hackers.

Specifically OSCMAX appears to be vulnerable to the standard database error disclosure vulnerability which allows an attacker to output database specific errors in the applicaiton which will give them the database version in use, and further allow them to inject database syntax that would allow them to extract data.

The single best fix for this is to change the database queries in OSCMAX to use parameterized queries, or stored procedures. Or at the least to escape all user supplied input. All three of these methods would affectively prevent MySQL injection attacks on OSCMAX as an application and, at least for the "escaping user supplied input", is relatively easy to implement.

There is a database encoder specifically written for MySQL (MySQL CODEC) being maintained by the ESAPI project, you can find info about it here,Category:OWASP Enterprise Security API - OWASP and it is part of the OWASP Interprise Security API. It is simple to implement as it requires a small change to the form quries in OSCMAX.

I would really like to know what you Michael think about this isue, what plans are being devised to tighten security in OSCMAX, and if you think the ESAPI route to correcting this issue?

As it stands now OSCMAX cannot be certified PCI compliant due to these issues.




For reference:

MySQL Database Error Disclosure Vulnerability
Port First Detected Category
80 19-JUN-2009 09:46 Database
Protocol Fix Difficulty Impact
Other Medium SQL Injection
Description
During our analysis of your web application, we were able to intentionally generate database specific errors. By causing a system to output errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data. The information gathered from the specific error responses generated using various input validation techniques by the web application scanner has determined the remote host may be running a MySQL database.

Confidential - McAfee Security Audit Report Page 8
The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via webapp may cause a database to generate an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access.

This is not an exhaustive test and has not identified all of the forms and variables that may be affected by this vulnerability.

CVSS 5.0

Solution
THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

The following is an acceptable solution however it is not optimal.
Implement content parsing on data input fields including URL parameters.
Remove the following characters from any user or dynamic database input: (examples in VBScript)
' (escape the single quote) input = replace( input, "'", "''" ) " (double quote) input = replace( input, """", "" ) ) (close parenthesis)
input = replace( input, ")", "" ) ( (open parenthesis) input = replace( input, "(", "" ) ; (semi-colon) input = replace( input, ";", "" ) -
(dash) input = replace( input, "-", "" ) | (pipe) input = replace( input, "|", "" )
On text input it is recommended to append quotes around the user supplied input.

Detail Protocol http Port 80Read Timeout10000Method POST
Path /shopping_cart.php
Query action=update_product
Headers
Referer=http%3A%2F%2Fwww.testeddomain.com%3A80%2Fs hopping_cart.php
Cookie=osCsid%cookiesessionidnumber
Cookie=webmailrelogin%3Dno
Content-Type=application%2Fx-www-form-urlencoded
Body
cart_delete[]=120
cart_quantity[]=1
products_id[]=x';",)`

Links
SQL Injection Prevention Cheat Sheet



Sincerely,

[Dranoel]

How did this post not get any love? Or, has this topic been covered and I missed the TPS report?

I would like to have any tips/software patches that could better protect our web site.

[red_fraggle]

good question, im not sure how its not been answered myself....

[michael_s]

I have several shops running osCMax and ALL are scanned and certified as PCI compliant by McAffee. I have no problems maintaining compliance so perhaps it is your scanning service?

If you are concerned about alleviating any non-compliance that your scan service is hitting you with, there is a simple mod that adds wholesale input/output filtering across the board written by FWR media. It is in the addons.oscommerce.com site.

Send me a method to reproduce the issue via pm and I will attempt to reproduce and track down the issue, but I have not had any actual reports of non-compliance from the two scanning services that I use to test osCMax daily.

[red_fraggle]

Michael,

Im not trying to call names or anything, really i love your cart, always have, and really am interested in making it the best possible cart out there.

Try to also remember that we are a hosting company, and that we host hundreds upon hundreds of OSCMAX shops. Every customer we have, regardless of the server they are on, and regardless of the scan company used (scanalert or Mcaffee) has the same issues.

OSCMAX appears to be vulnerable to Mysql disclosure vulnerabilities allowing the hacker to determine the version of Mysql in use, which also allows the insertion of arbitrary code.

In an effort to fix this for our customers, we are willing to do anything we can to work with you. The servers the customers are on are certified PCI compliant already before they are ever put into production use, and therefore any failures are at an application layer.

I will contact scanalert and Mcaffee and have them send me a specific test routine that can be used to duplicate the issue and perhaps we can solve this together.


sincerely,

[michael_s]

Like I said, PM me the specific exploit (McAffee will usually provide you with a test in their admin interface in the issue report) and I will test/reproduce and patch if necessary.

According to my daily Mcaffee scans, no such vulnerability exists in osCMax so I am at a loss as to what this could be, since my osCMax sites are all certified PCI compliant by McAffee.

[Dranoel]

Not to add fuel to the fire, but found this article. It is a year old story. Check the video:
McAfee 'Hacker Safe' cert sheds more cred ? The Register

I went to their site hoping they had a free scanner for me to test, but no luck.