Noah Classifieds Open to attacks like SQL injection etc.

#1, 09-15-06, 09:54 AM, websmart (Newbie Coder)

Noah Classifieds Open to attacks like SQL injection etc.

This was posted way back in February 2006, but not much discussion
was undertaken. I am sure at least thousands of sites are using Noah's
Classifieds due to its features, but the security advisory has made
me look elsewhere for a classifieds solution.

Check this out and see how Noah's is open to SQL injection, Cross
site scripting etc.
http://www.derkeiler.com/Mailing-Lis.../msg00413.html

Does anybody know a fix/patch for this? Or an alternative feature-rich classifieds
script which is also secure?

The Noah people have refused to make any modifications, as mentioned
there:
Vendor's website:
Quote:
"Currently, we are completely overloaded with our
running projects, and we don't have enough time to deal with our free
products.
The further development and support of Noah's
Classifieds is therefore suspended.
Thank you for the understanding, and please forgive us
that we are not responding to the emails."
Credit:
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://www.KAPDA.ir]
#2, 09-15-06, 12:22 PM, End User (Level II Curmudgeon)

Maybe I'm missing something, but it doesn't look like this would be a huge deal to modify it so as to strip out malicious stuff. Some simple length checks and/or preg_replace statements should do it.
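To put the "preg_replace and length checks" suggestion next to the fix a practitioner would actually apply, here is an added PHP illustration (it is not Noah's Classifieds code, and the hypothetical `searchAds*` functions and `ads` table are assumptions for the example): a blacklist filter beside a parameterized query, plus output encoding for the cross-site scripting half of the advisory.

```php
<?php
// Added illustration, not Noah's Classifieds code. The table `ads`
// (id, title, city) and the functions below are hypothetical.

// Approach 1 (fragile): strip characters we believe are dangerous,
// then interpolate the value into SQL. The regex also rejects
// legitimate data, and any quoting/encoding it does not anticipate
// still reaches the database as SQL.
function searchAdsFiltered(PDO $db, string $city): array {
    $clean = preg_replace('/[^a-zA-Z0-9 ]/', '', $city);
    $clean = substr($clean, 0, 40);              // length check
    $sql = "SELECT id, title FROM ads WHERE city = '$clean'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Approach 2 (robust): a prepared statement. The value is bound as
// data and never parsed as SQL, so no list of "bad characters" has to
// be maintained, and a city like "Coeur d'Alene" works unchanged.
function searchAdsSafe(PDO $db, string $city): array {
    $city = substr($city, 0, 40);                // a length limit is still sensible
    $stmt = $db->prepare('SELECT id, title FROM ads WHERE city = :city');
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Cross-site scripting is a separate problem, fixed at output time:
// encode every value when it is placed into HTML, whatever was done
// to it on the way in.
function renderTitle(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage against an in-memory SQLite database constructed for the example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT, city TEXT)');
$db->exec("INSERT INTO ads (title, city) VALUES ('Used bike', 'Coeur d''Alene')");

// The filtered version drops the apostrophe, so the legitimate city no
// longer matches; the parameterized version returns the row intact.
var_dump(searchAdsFiltered($db, "Coeur d'Alene"));
var_dump(searchAdsSafe($db, "Coeur d'Alene"));
echo renderTitle('<b>Used</b> bike'), "\n";
```

The point is that the parameterized query needs no knowledge of which characters are dangerous, which is exactly the knowledge a preg_replace blacklist has to keep complete forever.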
#3, 09-16-06, 08:38 AM, websmart (Newbie Coder)

Security Issue

The site link I have posted means somebody can take
full control of your Noah's Classifieds. I don't know at
how many places you have to keep preventing SQL
injection and cross-site scripting etc., and how to do it
effectively.

Program authors can do it easily, as they should know
all the code by heart, and as their script is used at a lot of
places; if I were them I would feel obliged to modify the
code a bit.

After reading their response, I have studied more options
and decided to go for the feature-rich Lite version of GeoClassifieds
from the GeoDesic people.
#4, 09-16-06, 10:14 AM, mab (Community VIP, Denver, Co. USA)

I am glad you found an alternative. A product that has been abandoned by its author is pretty much a dead end.

My 2 cents: nothing kills the trust and reputation of a company, and then kills the actual company, faster than non-support and non-interest, especially if a statement of the non-support and non-interest is posted on the company's web site. After all, some or all of the same programmers that wrote the application with these uncorrected security problems are still there producing code for their "for pay" offerings.
#5, 09-17-06, 03:09 AM, websmart (Newbie Coder)

I have found discussions on SQL injection

I have found discussions on SQL injections on Noah

http://www.noah.inv.pl/component/opt...id,86/catid,8/

They have suggested changes in the code, and if they cover
all aspects of injection, I will modify the files as per the new
code.

I don't know if their licence terms allow uploading
their changed files anywhere like these forums.