Response to two Bugtraq posts regarding FishCart

1. A report of SQL injection in FishCart was sent to the bugtraq mailing list on May 5, 2005 by 'dcrab'. As best we could determine the SQL injection claims were misleading. The original post at http://www.securityfocus.com/archive/1/397484 shows invalid SQL statements, not SQL injection. We found that the URL he had posted was artificially composed, not one found in normal FishCart operation, and it turned up a coding bug that explained the SQL errors; there was no SQL injection that we found in extensive testing. We also had some trouble reproducing some of the XSS errors, and others were not in released FishCart code.

That said, we took the claims seriously and immediately went to work to improve general error hardening. A fix was worked out among the developers and incorporated into the source in mid May 2005. A version 3.x patch was derived from the source changes and sent to the FishCart mailing list on May 21, 2005 for installed FishCarts to patch against the dcrab reported bug.

—

2. Another report of SQL injection in FishCart was sent to the bugtraq mailing list on January 22, 2006 by saps.audit AT gmail DOT com. Again the exploit URL sent to bugtraq was an artificially composed one that would not normally occur in FishCart operation. We found only SQL run time errors, not SQL injection errors, due to a latent coding bug turned up by the artificial URL. A fix was found and applied to source the same day to harden against this particular error.

—

Update 2007/01/23: An error was discovered in the XSS filtering regular expression that removes potentially harmful characters from passed parameters. The release 3.2 RC2 fixes this regular expression. A manual fix for installed FishCarts can be applied by replacing the xss_meta() function in the functions.php file. The new xss_meta() code can be seen by clicking here.
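
The hardening described in the two responses and the update above, shown as an added example that is not FishCart's code and not its xss_meta() function: a request parameter is validated against its expected type before any SQL is built, the value is bound in a prepared statement, and text is encoded when it is written to the page. The `product` table, its columns, the `cat` parameter and the helper names are hypothetical, and the example assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example, not FishCart code. Table, column, parameter and helper
// names are hypothetical.

// Accept a request parameter only if it is a positive integer; anything else
// is rejected here, so it never reaches the SQL layer or the page output.
function param_int(array $src, string $name): ?int {
    if (!isset($src[$name]) || !is_string($src[$name])) {
        return null;                       // missing, or an array such as ?cat[]=1
    }
    $v = filter_var($src[$name], FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 2147483647]]);
    return $v === false ? null : $v;
}

// The value is bound, never concatenated, so the statement text is the same
// whatever the caller sends and cannot become an invalid SQL statement.
function products_in_category(PDO $db, int $cat): array {
    $st = $db->prepare('SELECT name FROM product WHERE cat = :cat ORDER BY name');
    $st->bindValue(':cat', $cat, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Encode for the HTML body context at output time.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (name TEXT, cat INTEGER)');
$db->exec("INSERT INTO product VALUES ('Fly rod', 1), ('Reel <large>', 1), ('Net', 2)");

// Constructed query strings: one normal, three that normal navigation never produces.
$samples = ['cat=1', "cat=1'", 'cat[]=1', 'cat=%3Cb%3E2'];
foreach ($samples as $qs) {
    parse_str($qs, $get);                  // stands in for $_GET
    $cat = param_int($get, 'cat');
    if ($cat === null) {
        echo h($qs), " => rejected (400), no query run\n";
        continue;
    }
    $names = array_map('h', products_in_category($db, $cat));
    echo h($qs), ' => ', implode(', ', $names), "\n";
}
```
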
In our view the 3.2 RC2 FishCart code is resilient against SQL injection and XSS errors; that said, we understand that security is a complex situation, and if any such bugs turn up in the future we will quickly respond.

—

We have added AES-128 encryption to strengthen the security of FishCart. While retention of the credit card information is not enabled by default, and is in fact seriously discouraged, there may be times when orders must be processed on a batch basis that requires the credit card information to be retained for a brief time. FishCart now has the ability to strongly encrypt the financial information with AES-128. Optionally, all customer information such as name, address and so forth can be strongly encrypted as well to help prevent identity theft should the raw FishCart customer data ever be compromised.

FishNet ®, Inc. 850 S. Greenville, Suite 102 Richardson, Texas 75081 US (972) 669-0041