News

Security Fix For The Exchange Project Preview Release 2.1
18th June 2002 by Harald Ponce de Leon

Overview
Example
Solution
Notes
Links

Overview

The Exchange Project Preview Release 2.1 [released March 2001] contains a security issue which can be taken advantage of by using the global variable scope that PHP provides.

The security issue concerns the following files:

catalog/includes/include_once.php
admin/includes/include_once.php

The cause of the security issue is the $include_file variable.

If either of the pages are requested directly through a client, the $include_file variable does not get initialized in the local variable scope; because of PHPs global variable scope PHP then automatically checks if $include_file has been set in the GET/POST/COOKIE variable scope.

Example

An example of how the security issue can be exploited via the GET variable scope is shown here:

http://server/catalog/includes/include_once.php?include_file=application_top.php

$include_file is now initialized through the GET variable scope making include_once.php perform the following action:

include('application_top.php');

The file 'application_top.php' is included and the results are shown to the client.

'application_top.php' is a light example of exploiting the security issue. The parameter value can be replaced to allow heavier exploitations which could compromise the server.

Solution

This security issue was fixed in the CVS repository (which contains the development sources to the next project version) one week after Preview Release 2.1 was released, which includes adding a .htaccess file to the following directories:

catalog/includes/
admin/includes/

The latest version of the .htaccess file can be downloaded from the CVS repository:

http://cvs.sf.net/cgi-bin/viewcvs.cgi/tep/catalog/catalog/includes/.htaccess

The .htaccess file, which works only with Apache web servers [that are configured to follow .htaccess files], is set to block direct requests to the 'includes' directory.

For other web servers, and for extra security, the include_once.php file should be replaced with the following:

<?php
  if (strstr($include_file, '..'))
    $include_file = str_replace('..', '', $include_file);

  if (strstr($include_file, '@'))
    $include_file = str_replace('@', '', $include_file);

  if (strstr($include_file, ':'))
    $include_file = str_replace(':', '', $include_file);

  if (isset($include_file) &&
      defined('DIR_WS_INCLUDES') &&
     !defined($include_file . '__') &&
      file_exists($include_file) &&
     !isset($HTTP_GET_VARS['include_file']) &&
     !isset($HTTP_POST_VARS['include_file']) &&
     !isset($HTTP_COOKIE_VARS['include_file']) &&
     !isset($HTTP_SESSION_VARS['include_file']) &&
     !isset($HTTP_POST_FILES['include_file']) &&
     !isset($HTTP_ENV_VARS['include_file'])) {

    define($include_file . '__', 1);
    include($include_file);
  }
?>


Notes

This security issue does not affect versions after Preview Release 2.1; the current development version is osCommerce 2.2-CVS which removes the include_once.php file from usage. The next stable release, osCommerce 2.2, will be the first [non preview-release] stable release the project has made, which focuses on security, stability, compatibility, and performance issues.

Links

This security issue was forwarded to the Bugtraq security mailing list which can be read at:

http://msgs.securepoint.com/cgi-bin/get/bugtraq0206/141.html

A study of common PHP exploitations can be read at:

http://www.oscommerce.com/redirect.php/portal,33

The osCommerce support site is located at:

http://www.oscommerce.com

Back to listing