[ic] SQL Injection?

Bob Puff bob at nleaudio.com
Wed Sep 24 15:18:59 UTC 2014


Peter and Mike: thanks for the reply.  Yes, I have grepped all around, and
have fixed the few SQL queries I did find.  But what is still escaping me is
in this list of parameters:

> mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123

I cannot find where there is a SQL statement that has mv_search_field in it,
so that I can filter it.  This one though obviously is a parameter for a SQL
statement.  Do I need to look inside /usr/local/interchange?

But this one:

> mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&lname=123&company=123&address1=123&address2=123&city=123&state=123&zip=123&country=123&phone_ship=123&phone_day=123&phone_night=123&email=123&mv_same_billing=1&email_copy=1&promo_code=123&country_reset=123

They have done their insertion into mv_nextpage, which I would think would
never hit the SQL, as that is internally used by IC.  I could see if it were
like city or state, which does get inserted into the database, but mv_nextpage?

Bob
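One way to triage requests like the two quoted above, as an added example that is not part of this thread or of Interchange itself: a small Python scanner that pulls the query string out of each access-log line, URL-decodes every parameter, and reports which parameter carries a time-based SQL injection probe and which database dialect that probe targets. The log lines, client IPs and paths below are constructed; only the query strings come from the post.

```python
import re
from urllib.parse import parse_qs

# Constructed access-log lines (combined log format). The query strings are the two
# requests quoted in the post, plus one benign request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2014:15:01:02 +0000] "GET /cgi-bin/store/search?mv_session_id=PC9Bp9yf&mv_searchtype=db&mv_matchlimit=10&mv_sort_field=category&mv_search_field=x'%20xor%20sleep(15)%20/*&mv_substring_match=1&mv_searchspec=123 HTTP/1.1" 200 5120
10.0.0.5 - - [24/Sep/2014:15:01:09 +0000] "GET /cgi-bin/store/process?mv_action=return&mv_nextpage=ord%2Fbilling&mv_failpage=x')%20waitfor%20delay%20'00:00:15'%20/*&mv_form_profile=Check_shipping&fname=123&city=123&email=123 HTTP/1.1" 200 4096
10.0.0.9 - - [24/Sep/2014:15:02:30 +0000] "GET /cgi-bin/store/process?mv_action=return&mv_nextpage=ord%2Fbilling&city=Springfield&state=IL HTTP/1.1" 200 4096
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Time-based blind probes by dialect. The post shows MySQL sleep() and MSSQL
# "waitfor delay" sent against the same application: the sender is guessing the back end.
PROBES = {
    "mysql": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "mssql": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "postgresql": re.compile(r"\bpg_sleep\s*\(", re.I),
}

def find_probes(query_string):
    """Return (param, dialect, decoded_value) for each parameter carrying a probe."""
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:  # parse_qs has already URL-decoded the value
            for dialect, pattern in PROBES.items():
                if pattern.search(value):
                    hits.append((name, dialect, value))
    return hits

def scan_log(text):
    """Return (client_ip, path, hits) for every log line whose query carries a probe."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        hits = find_probes(query)
        if hits:
            findings.append((line.split()[0], path, hits))
    return findings

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        for param, dialect, value in hits:
            print(f"{ip} {path} param={param} dialect={dialect} value={value!r}")
```

Because the scanner reports the parameter name after decoding, it shows directly which field each payload landed in, which is the starting point for tracing that parameter into the code that builds the query.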
