Contributions
Contact Us Form Vunerability Fix
Fix for osCommerce "Contact_us" Cross Site Scripting Vulnerability.
A vulnerability was reported in osCommerce, which can be exploited by attackers to conduct Cross Site Scripting attacks. The problem resides in the "contact_us.php" file when handling the "enquiry" parameter, which may be exploited to cause arbitrary scripting code to be executed by the user's browser.
This contribution gives a fix for this vunerability.
Expand All / Collapse All
 thanks |
Jonathan Mitchell |
2 Jul 2005 |
|
nice !!
just to let you know that you can do the same thing on
checkout_payments.php
checkout_shipping.php
products_reviews_write.php
tell_a friend.php
if you use checkout_shipping.php?comments=%3C/textarea%3E%3Cscript%3Ealert('w00t');%3C/script%3E
do the same for all instances of tep_draw_textarea_filed as you did with the fix below replacing enquiry for the variable used (eg in checkout_shipping.php its comments)
for the checkout_* you need to be logged in and / or attempting to buy something
Thanks for the correct fix stephen :)
the real fix is already there, just not used.
tep_draw_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true)
this is the function, just modify the call to this function in the contact_us.php around line 126 where you see:
<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>
change it to show:
<td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15, tep_sanitize_string($_POST['enquiry']), '', false); ?></td>
this will take the reinsert from the function and allow you to control how the $_POST variable is displayed from the textarea call, and will also take out the $_GET variable so that it can't be hacked that way.
hope this helps some people :D
i just read this -
http://www.utimaco.us/lists/bugtraq/2005/Feb/0255.html
my site was affected (http://budgetcomputers.biz)
it isnt now !!!!
fix:
just after
require('includes/application_top.php');
add the lines
$enquiry = $HTTP_POST_VARS['enquiry'];
$name = $HTTP_POST_VARS['name'];
$email = $HTTP_POST_VARS['email'];
$enquiry = '';
$name = '';
$email = '';
hope that helps
In my 2.2 MS2 version of osC, the fix is already in there as...
if ($enquiry == '') {
$error = true;
$messageStack->add('contact', ENTRY_ENQUIRY_CHECK_ERROR);
}
Check your version before adding this fix because it may be in there already as it was in mine.
Fix for osCommerce "Contact_us" Cross Site Scripting Vulnerability.
A vulnerability was reported in osCommerce, which can be exploited by attackers to conduct Cross Site Scripting attacks. The problem resides in the "contact_us.php" file when handling the "enquiry" parameter, which may be exploited to cause arbitrary scripting code to be executed by the user's browser.
This contribution gives a fix for this vunerability.
Note: Contributions are used at own risk.
This Should Help