CartWeaver SQL Injection holes

Posted At : April 26, 2006 8:29 AM
Related Categories: Security,ColdFusion

The ColdFusion version of CartWeaver has some security vulnerabilities that were discovered. French security company FrSIRT has released an announcement about the holes, also stating that there are no known vendor patches available. Apparently CartWeaver v. version 2.16.11 and prior are affected (2.16.11 is the latest version). These are SQL injection holes, and it looks like they didn't use cfQueryParam.

This brings back the discussion that occurred in the comments of one of my recent posts. A couple of SQL server fans were telling me that you don't really have to worry about SQL injection problems in SQL server, because "if your code is susceptible to SQL injection you're screwed no matter what." Well, what if you purchase a third party product like CartWeaver? Are you going to feel safe trusting their code, when SQL Server allows SQL injection of the multiple-queries-in-one-statement type? This is why Oracle, DB2 and others don't allow multiple queries in one cfquery tag.

Comments (7) | Print | del.icio.us | Digg It! | Linking Blogs | 1816 Views
Comments
[Add Comment]
People should just stop using inline SQL and move to stored procedures abstracted in data access objects. I personally wouldn't hire or buy a product written so poorly.
# Posted By Claude | 4/26/06 11:37 PM
...and people SHOULD just stop driving cars and ride bicycles to work every day.
# Posted By Jay Greer | 4/28/06 11:08 PM
- Cartweaver 2.17.11 update released -

This free incremental update is released to address a potential issue with erroneous values passed to a query in a URL variable. Cartweaver 2 CF has always used Custom Error handling to present benign error messages to the user should erroneous query string data be passed to a CFQuery. However, there is the potential of a developer/user disabling the custom error feature in order to see the complete CF Error information during the development and set up of a Cartweaver based site, and then mistakenly publishing the site to the live server with Enable Error Handling still disabled.

Due to ColdFusions elegant method of handling query string data, no real threat was present to the data stored in the database and due to the fact that Cartweaver does not store sensitive credit data, there was no chance of any customer financial data being compromised. However the error messages presented by ColdFusion in this sort of a query failure could reveal application data that may not be intended to be visible to the public  such as database table and field names. This update to Cartweaver corrects this issue by scrubbing the erroneous or mis-formatted query string values and presenting the user with either valid search results or a no product found style message for product details.

To avoid the potential of problems with erroneous or malicious query strings we recommend Cartweaver users apply this update to their sites. If an update is not possible we encourage users to make sure that the default Error Handling is turned on.

This update release is part of our on-going efforts to make Cartweaver the best choice in ecommerce solutions.

If you have any questions, please fill out our contact form at: http://www.cartweaver.com/contact/

Thank you.
Cartweaver Development Team.
www.cartweaver.com
# Posted By Lawrence Craner | 4/29/06 11:47 AM
Has anyone verified that this patch does address the bugs in the security bulletin? I'm a bit confused by Cartweaver's statement that their error handler would prevent problems...I've never heard of an error handler prevent SQL injection attacks!
# Posted By John Pfeiffer | 4/29/06 1:10 PM
I don't have access to CartWeaver, but I admit I was confused by their press release as well. Maybe they really did fix some bugs, but their press release tries to down play the original holes.
# Posted By yacoubean | 4/29/06 1:47 PM
I agree. It makes me wonder if they really don't understand these security issues the way they should.

As for stored procedures, that can be hard to do with packaged products like this, since most need to be able to work with multiple databases like MSSQL, MySQL and yes, even Access (I know, it sucks...but the simple fact is many small stores still use it). So I don't have a problem with them not using SP's. But they ought to understand the security issues when you don't!
# Posted By Pete Hughes | 4/29/06 3:44 PM
Just to clear up any confusion my previous post may have caused… We do fully understand what SQL Injection is, and fixed the problem immediately, and released an update with the necessary “params” set to block any attempts. We have since released V3 which is secured against SQL Injection attempts as well. Now the reason I brought up the custom error handling is, if you force an error and you are simply displaying the default CF error message, you end up exposing database structure and possibly you data source name. This is all information you do not want to make public. And in the case of individuals that are inclined to try a SQL Injection attack, why make their job easier by providing them the database information they need to do so. So like the news release stated… Users should have all updated, but for those who for whatever reason did not, they should at least make sure they don’t display database information if an error occurs. The truth of the matter, in a distributed application, people can still find this data by looking at other sites and other means… But at the least, you don’t want to make it easy to do so. This is a preventative measure, but it is NOT a solution. The solution is to update or upgrade, which is what we told all of our users in a customer email.

Hope this clears things up.

Thanks.

Lawrence Cramer
Cartweaver.com
# Posted By Lawrence Cramer | 6/18/07 11:25 AM
[Add Comment]
BlogCFC was created by Raymond Camden. This blog is running version 5.9. Contact Blog Owner