I think I found a variable that's not sanitized and could lead to a SQL Injection or information disclosure.
The source is openbay.php:
$carrier = $this->request->post['carrier_other'][$order_id];
As I checked in the OpenCart documentation, the Request class uses htmlspecialchars() and encodes double quotes,
so it's still possible to use a single quote, right? Most of your database queries use escape() to prevent that from
happening. I found one that doesn't use escape before going to a SQL query.
So we have this line:
$carrier = $this->request->post['carrier_other'][$order_id];
(...)
$this->model_openbay_amazon->updateAmazonOrderTracking($order_id, $carrier, $carrier_from_list, !empty($carrier) ? $this->request->post['tracking'][$order_id] : '');
After this it calls amazon.php file:
public function updateAmazonOrderTracking($order_id, $courier_id, $courier_from_list, $tracking_no) {
    $this->db->query("
        UPDATE " . DB_PREFIX . "amazon_order
        SET courier_id = '" . $courier_id . "', courier_other = " . (int)!$courier_from_list . ", tracking_no = '" . $tracking_no . "'
        WHERE order_id = " . (int)$order_id . "");
}
Because the single quote is not escaped and the Query class uses single quotes as delimiters, a possible SQL injection
is in place.
A possible solution is to use the escape() function on courier_id.
I hope I'm not mistaken and feel free to give me your feedback.
Best,
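As an added illustration (not OpenCart's code and not the reporter's), the following self-contained PHP script shows why a single quote in the carrier value breaks the query string built the way the issue quotes it, and what the query looks like once both string inputs go through escape(). The clean_like_request() function, the FakeDb class, the DB_PREFIX value and the sample carrier name are constructed for the demo; FakeDb::escape() only mimics the backslash-escaping a real mysqli adapter performs.

```php
<?php
// Added example: vulnerable query construction from the issue, side by side with a hardened form.

// Stand-in for OpenCart's Request::clean() as described in the issue: htmlspecialchars() with
// ENT_COMPAT encodes double quotes but passes single quotes through unchanged (assumption).
function clean_like_request(string $value): string {
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

// Minimal stand-in for $this->db: records the query instead of executing it, and escapes the
// way a mysqli-backed adapter would (backslash before quotes, backslashes and line breaks).
class FakeDb {
    public string $last = '';
    public function escape(string $value): string {
        return str_replace(["\\", "'", '"', "\n", "\r", "\0"],
                           ["\\\\", "\\'", '\\"', "\\n", "\\r", "\\0"], $value);
    }
    public function query(string $sql): void { $this->last = $sql; }
}

define('DB_PREFIX', 'oc_'); // constructed value for the demo

// Vulnerable form: $courier_id and $tracking_no are concatenated into single-quoted literals
// without escaping; only $order_id and the flag are protected by the (int) casts.
function update_tracking_vulnerable(FakeDb $db, $order_id, $courier_id, $courier_from_list, $tracking_no): string {
    $db->query("UPDATE " . DB_PREFIX . "amazon_order SET courier_id = '" . $courier_id . "', courier_other = "
        . (int)!$courier_from_list . ", tracking_no = '" . $tracking_no . "' WHERE order_id = " . (int)$order_id);
    return $db->last;
}

// Hardened form: every string that lands inside a quoted literal goes through escape() first,
// so a quote in the input stays part of the data instead of ending the literal.
function update_tracking_fixed(FakeDb $db, $order_id, $courier_id, $courier_from_list, $tracking_no): string {
    $db->query("UPDATE " . DB_PREFIX . "amazon_order SET courier_id = '" . $db->escape($courier_id) . "', courier_other = "
        . (int)!$courier_from_list . ", tracking_no = '" . $db->escape($tracking_no) . "' WHERE order_id = " . (int)$order_id);
    return $db->last;
}

// Constructed input: a perfectly ordinary carrier name that happens to contain a single quote,
// the one character the Request cleaning step leaves alone.
$carrier = clean_like_request("O'Brien Couriers");
$db = new FakeDb();
echo "vulnerable: ", update_tracking_vulnerable($db, 42, $carrier, false, 'TRK123'), PHP_EOL;
echo "fixed:      ", update_tracking_fixed($db, 42, $carrier, false, 'TRK123'), PHP_EOL;
```

In the first line of output the quote inside the carrier name closes the courier_id literal early, so whatever follows it is parsed as SQL rather than data; in the second it is backslash-escaped and the literal stays intact.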