ShopSystem SQL Injection vulnerability

Yesterday I discovered a SQL injection vulnerability within the shop software of the German company ShopSystems.

ShopSystems offers web design, hosting and training services to its customers. One of its best-known products is the software "ShopSystem", an online shop that lets their customers offer their products online.

As in other shops, pictures of the offered product can be provided. Clicking on an image opens an enlarged view (file: view_image.php), and MySQL injection through the `id` parameter is possible there.

Vulnerable URL

http://some-cool-domain.tld/shop/view_image.php?id=XX

Exploit vulnerability, e.g. by displaying the current database

http://some-cool-domain.tld/shop/view_image.php?id=XX+AND+1=2+UNION+SELECT+concat(database()),2,3-

Additional information

The MySQL output is displayed inside the image URL, so you have to view the source code of the current page in order to retrieve the result.
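To make the mitigation concrete, here is an added example (not code from the original post and not ShopSystem's actual source, which the advisory does not show) of the pattern behind an `id`-parameter injection in a script like view_image.php, next to a hardened version. The table `product_images`, the column `image_path` and the database credentials are assumptions made for the illustration.

```php
<?php
// Added illustration, not vendor code: a hypothetical view_image.php.

// Vulnerable pattern (do not use): the raw id value is concatenated into the SQL
// string, so anything appended to ?id= becomes part of the query.
function vulnerable_image_query(string $id): string
{
    return "SELECT image_path FROM product_images WHERE id = " . $id;
}

// Hardened version: validate that the id is a plain integer, then use a
// prepared statement with a typed bound parameter so the value can never
// change the structure of the query.
function fetch_image_path(PDO $db, string $rawId): ?string
{
    if (!ctype_digit($rawId)) {          // reject anything that is not digits only
        return null;
    }
    $stmt = $db->prepare('SELECT image_path FROM product_images WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['image_path'] : null;
}

// Usage (assumed connection details). Emulated prepares are disabled so that
// MySQL's native prepared statements are used.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$path = fetch_image_path($db, $_GET['id'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit;
}

// Escape the value before placing it in the src attribute: the advisory notes
// that query output lands in the image URL, so this output point must not
// reflect untrusted data unencoded either.
echo '<img src="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '" alt="">';
```

The `ctype_digit` check is defence in depth rather than the primary fix: the bound `PDO::PARAM_INT` parameter is what removes the injection, while the whitelist keeps malformed values from ever reaching the database and gives a clean 404 for them.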

I notified the vendor; they replied within hours and fixed the vulnerability this afternoon. Some shops may still be affected by this vulnerability, but the vendor is working on it.

View the full advisory here.

Update from 7th April 2010: The vendor just notified me that all shops are now secured.