EliteHackers
r3v
Moderator
Registered: 16 years ago
Posts: 1158
Code:
iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability
Name iScripts MultiCart
Vendor http://www.iscripts.com
Versions Affected 2.2
Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2010-03-07
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
I. ABOUT THE APPLICATION
iScripts MultiCart 2.2 is a unique online shopping cart
solution that enables you to have one storefront and
multiple vendors for physical or digital (downloadable)
products.
II. DESCRIPTION
The solution adopted to avoid SQL Injection flaws is not
appropriate. This allows the existence of many SQL
Injection flaws.
III. ANALYSIS
Summary:
A) Multiple SQL Injection
A) Multiple SQL Injection
The solution adopted consists of transforming the query
string to uppercase and checking for the existence of the
words UNION and SELECT. But by using C-like comments in
the query string, it is possible to bypass the filter.
Example:
SELECT becomes SE/**/LE/**/CT
UNION becomes UN/**/ION
The new strings do not match the words in the black
list, but they are good for MySQL.
The following is the affected code (session.php):
<?php
// Excerpt from session.php: a keyword blacklist applied to the raw query string.
$mystring = strtoupper($_SERVER['QUERY_STRING']);
// strpos() returns the match offset (an int) or false when the word is absent.
$server_injec1=strpos($mystring, 'SELECT');
$server_injec2=strpos($mystring, 'UNION');
// Note: strpos() never returns the string '0', so the second clause can never be true;
// the decision rests entirely on whether both keywords are absent.
if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0'))
{
;   // neither keyword found: request continues
}//end if
else
{
// keyword found: redirect and stop
header('location:index.php');
exit();
}
IV. SAMPLE CODE
A) Multiple SQL Injection
http://site/path/refund_request.php?orderid=SQL
V. FIX
No Fix.
_______________________________________ http://thieves-team.com r3vyk.info messenger id: only via PM, because 10000 retards who play Metin added me
posted 15 years ago
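The advisory ends with "No Fix", so here is an added PHP example (not code from the advisory, from iScripts, or from this forum post) that reproduces the session.php blacklist decision so its gap is visible, then shows the defensive pattern that closes it: type-validate orderid and bind it as a query parameter. The `orders` table and `status` column are hypothetical, and an in-memory SQLite database (requires the pdo_sqlite extension) stands in for MySQL so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Replica of the session.php decision: true means the request would be
// redirected to index.php, false means it reaches the application. The
// original's extra "=== '0'" clause is dropped because strpos() never returns
// the string '0', so it could never change the outcome.
function blacklistBlocks(string $queryString): bool
{
    $upper = strtoupper($queryString);
    return strpos($upper, 'SELECT') !== false || strpos($upper, 'UNION') !== false;
}

// Runs the blacklist over constructed query strings and reports the verdict.
// The comment-split keywords are the ones quoted in the advisory.
function blacklistReport(): array
{
    $samples = [
        'orderid=17',
        'orderid=17 UNION SELECT 1',
        'orderid=17 UN/**/ION SE/**/LE/**/CT 1',
    ];
    $report = [];
    foreach ($samples as $qs) {
        $report[$qs] = blacklistBlocks($qs) ? 'blocked' : 'passed';
    }
    return $report;
}

// Hardened lookup for refund_request.php (hypothetical schema): orderid must
// parse as a positive integer, and it is bound with PDO::PARAM_INT rather than
// concatenated into the SQL text, so keywords in the input never reach the
// SQL parser regardless of how they are spelled or commented.
function fetchOrder(PDO $pdo, string $rawOrderId): ?array
{
    $orderId = filter_var($rawOrderId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($orderId === false) {
        return null; // anything that is not a positive integer stops here, before prepare()
    }
    $stmt = $pdo->prepare('SELECT orderid, status FROM orders WHERE orderid = :id');
    $stmt->bindValue(':id', $orderId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo: in-memory SQLite with one constructed row stands in for the MySQL store.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (orderid INTEGER PRIMARY KEY, status TEXT)');
$pdo->exec("INSERT INTO orders VALUES (17, 'refund pending')");

foreach (blacklistReport() as $qs => $verdict) {
    printf("%-42s %s\n", $qs, $verdict);
}

var_dump(fetchOrder($pdo, '17'));
var_dump(fetchOrder($pdo, '17 SE/**/LE/**/CT'));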