BAD BUG: Input sterilization - SmithCart

Item		Qty	Total
	{{cartItem.ProductName}} SKU: {{cartItem.ProductSku}}	{{cartItem.Quantity \| number : 2}} x {{cartItem.UnitCost \| currency : '$' : 2}}	{{cartItem.UnitCost * cartItem.Quantity \| currency : '$' : 2}}
{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}
You have no items in your shopping cart.
Subtotal	{{minicart.cartTotals.SubTotal \| currency : '$' : 2}}

Item

Qty

Total

{{cartItem.ProductName}}
SKU: {{cartItem.ProductSku}}

{{cartItem.Quantity | number : 2}} x {{cartItem.UnitCost | currency : '$' : 2}}

{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}

You have no items in your shopping cart.

Subtotal

{{minicart.cartTotals.SubTotal | currency : '$' : 2}}

Image	Item	Qty	Total
	{{cartItem.ProductName}} SKU: {{cartItem.ProductSku}}	{{cartItem.Quantity \| number : 2}} x {{cartItem.UnitCost \| currency : '$' : 2}}	{{cartItem.UnitCost * cartItem.Quantity \| currency : '$' : 2}}
{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}
You have no items in your shopping cart.

Image

Item

Qty

Total

{{cartItem.ProductName}}
SKU: {{cartItem.ProductSku}}

{{cartItem.Quantity | number : 2}} x {{cartItem.UnitCost | currency : '$' : 2}}

{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}

You have no items in your shopping cart.

SKU

Product Name

Unit Cost

Qty

Line Total

{{itemVariant.VariantHasText ? (itemVariant.VariantName + ': ' + itemVariant.VariantText) : (itemVariant.VariantGroup + ': ' + itemVariant.VariantName)}}

You have no items in your saved shopping cart.

Status	Order No.	Order Date	Ship To	Order Total	Pay Total	Balance
Bill Me Later Open Ready To Ship Shipped Picked Up Cancelled Incomplete On Hold Back Ordered Returned {{order.Status}}	{{order.OrderID}}	{{order.OrderDate \| date : 'M/d/yyyy'}}	{{order.ShipFirstName}} {{order.ShipLastName}}, {{order.ShipAddress1}} {{order.ShipAddress2}}, {{order.ShipCity}}, {{order.ShipState}} {{order.ShipZipcode}}	{{order.GrandTotal \| currency : '$' : 2}}	{{order.PayTotal \| currency : '$' : 2}}	{{order.GrandTotal - order.PayTotal \| currency : '$' : 2}}

Status

Order No.

Order Date

Ship To

Order Total

Pay Total

Balance

Bill Me Later Open Ready To Ship Shipped Picked Up Cancelled Incomplete On Hold Back Ordered Returned {{order.Status}}

{{order.ShipFirstName}} {{order.ShipLastName}}, {{order.ShipAddress1}} {{order.ShipAddress2}}, {{order.ShipCity}}, {{order.ShipState}} {{order.ShipZipcode}}

Home

Product Discus...

SmithCart

BAD BUG: Input sterilization

12/9/2010 7:55 AM

Greg Baughman

Joined: 5/28/2010

Posts: 471

BAD BUG: Input sterilization Modified By Greg Baughman on 12/15/2010 8:38:12 AM

Here's a BIG bug.

Type s'mores into the search box.

Error A critical error has occurred.
Incorrect syntax near 'mores'.

.... this means that input is NOT sterilized, offering an opportunity for SQL injection. I can't even describe what a huge security hole this is.

To fix this, input MUST be sterilized before bouncing to SQL.

To do so (at least in VisualBasic, I'm sure there's something similar in C#) you would do this:

Userinput = REPLACE(Userinput,"'","''") (replace a single ' with two 's)

Userinput = REPLACE(Userinput,CHR(34),"""") (Replace a single " with a double "")

.... this needs to be fixed right away. :(

Additionally, any other text input boxes SHOULD be sterilized. The easiest way to do this is with a function; something like:

UserInput = Sterilize(UserInput)

FUNCTION Sterilize(UserInput)

UserInput = Replace(UserInput,"'","''")

UserInput = Replace(UserInput,CHR(34),"""")

Sterilze = UserInput

End Function

.... this method prevents SQL injection and SQL Errors.

12/9/2010 10:24 AM

Scott Kelly

Joined: 3/11/2010

Posts: 1979

Re: BAD BUG: Input sterilization

I have sent this into programming and will postback with a hotfix. Thanks for reporting it!

-Scott

Scott Kelly
Project Manager
DotNetNuke Consulting, DotNetNuke Store and DNN Ecommerce

12/13/2010 7:14 AM

Cathy Dew

Joined: 3/24/2010

Posts: 33

Re: BAD BUG: Input sterilization

Greg, This is fixed in the just released 3.96 version.

12/14/2010 7:08 AM

Greg Baughman

Joined: 5/28/2010

Posts: 471

Re: BAD BUG: Input sterilization

Awesome.

I have seen people do SQL injection that would make you shudder..... take a simple input form, something benign.... and access the entire database, every record. <<Shudder>>

I've even demonstrated it (at my last job) to the IT department to show THEM the importance of sterilization.