osCommerce News
Recent posts
post item
Installing Opayo Server by Elavon and Opayo by Elavon Modules for osCommerce 2.2 via Zip File
April 18, 2024
Installing Opayo Server by Elavon and Opayo by Elavon Modules for osCommerce 2.2 via Zip File ...
post item
Installing Opayo Server by Elavon and Opayo by Elavon Modules for osCommerce 2.2 via Installer
April 17, 2024
Installing Opayo Server by Elavon and Opayo by Elavon Modules for osCommerce 2.2 via Installer ...
post item
Managing User Group Extra Discounts
April 16, 2024
Managing User Group Extra Discounts ...
post item
Managing Zero Price Module
April 15, 2024
Managing Zero Price Module ...
post item
Managing VAT On Order
April 12, 2024
Managing VAT On Order ...
post item
Managing Trustpilot Module
April 11, 2024
Managing Trustpilot Module ...
post item
Managing Support System
April 10, 2024
Managing Support System ...
post item
Managing Opayo Server Module
April 09, 2024
Managing Opayo Server Module ...
post item
Managing United States Postal Service (USPS) Shipping
April 07, 2024
Managing United States Postal Service (USPS) Shipping ...
post item
Managing UPS Shipping
April 05, 2024
Managing UPS Shipping ...
Products
Tags

Management

Ecommerce

Integrations

newsite

launch

grant

fund

replatforming

osCommerce 4.x

shopping cart

hosting

Installation

New PayPal Module (Latest API 2.0)

osCommerce 2.2

osCommerce 2.3

Shopping cart customizations

Manually

PayPal Express

APM (Alternative Payment Method)

Standard Variant

Advanced Variant

Configuration

Testing

Front End

Install osCommerce for Me

Let me install myself

Multiple sales channels

Single active sales channel

Installation on your own server

Assigning theme to sales channel

Deleting sales channel

Connect

App Shop

Adding Free Module

Admin Area

Adding Paid Module

Installing Module

Opayo Pi Module

Development Mode

Email Verification Before Registration

Managing Languages

Managing phpMussel

Managing Orders

oscommerce.com account

Creating Manual Orders

Managing Customers

Managing Customer Groups

Managing Brands

Managing Categories

Managing Filters on Categories

Managing Products

Managing Stock

Assigning Products and Categories to Front Ends

Assigning and Moving Products to Categories

Managing Default Sort Order on Product Listing and Category

Managing Cross-Sell and UPSell

Managing Reviews

Managing Attributes

Managing Product Groups

Managing Properties

Managing Suppliers

Managing Warehouses

Managing Sales Statistics and Purchase Report

Managing Stocktaking Costs

Managing Deleted Orders

Managing Coupons

Managing Virtual Gift Cards

Managing Sales Price

Managing Giveaways

Managing Featured Products

Managing SEO

Managing Meta Tags

Managing XML Sitemap

Settings of E-commerce Tracking for Google Tag Manager

Setting up GA4

Managing Pages

Managing Menus

Assigning Theme to Sales Channels

Deleting Sales Channels

Managing Translations

Managing Email Templates

Managing Catalog Pages

Managing Shipping Modules

Managing Payment Modules

Managing Order Structure

Managing Socials

Managing Extensions

Managing Managers

Managing Access Levels

Managing Back End Menu

Managing Configuration

Mail Sending via SMTP

Setting up SMTP

Status Groups

Order Statuses

Comment Templates

Stock Indication

Notify Me when in Stock

Stock Delivery Terms

Cross Sell Type

Cache Control

Filters

Managing Countries

Managing Counties and States

Geo Zones

Managing Cities

city settings

Postal Codes

Managing Taxes

Managing Currencies

Backups

Viewing Who is Online

Managing IP Restriction

Error Log Viewer

Creating Installation

Address Formats

Image Settings

Sales Tags

Managing Front Ends

Managing App Shop

Going Live with osCommerce

Affiliate Module

Awin Module

B2B Module

Business To Business module

Bazaarvoice Module

Managing Blog

Collection Points

Managing Competitors

Customer Code Module

Customer Modules Module

Customer Multi Emails Module

Customer Products Module

Delayed Despatch Module

Delivery Options Module

Fraud Address Module

Frontend Session Module

Invoice Number Format Module

Maximum Order Quantity

Merge Customers Module

Merge Orders Module

Minimum Order Quantity

Neighbour Module

One Trust Module

Order Flags and Markers

Pack Units

Covered by Coupon Module

Klarna Module

LiqPay Module

Mollie Pay

Pay360 by Capita Module

pxPay Module

RBS WorldPay Module

Tyl by NatWest Module

Personal Catalog

Personal Discount Module

Product Bundles

Product Collections

Product Easy View

Product Global Sort

Product Ignored Payment Methods

Product Ignored Shipping Methods

Product Press Reviews

Product Relocation

Managing Refer Friend

Bookkeeping Detail Report

Changes History Report

Compare Report

Deficit Product Report

Emails History Report

Report by Email Module

Expected Products Report

Managing Freeze Stock

In Cart Stock Report

Low Stock Report

Manufacturer Sales Report

Ordered Products Report

Purchase Report

Stock by Manufacturer Report

Summary Report

Updating Opayo Pi Module

Updating Opayo Server Module

Temporary Stock Report

Universal Log Report

Managing Search Plus

Managing DHL Shipping

Managing FedEx Shipping

Managing German Post Shipping

Managing Google Zones Shipping

Managing Nova Poshta Shipping

Managing Personal Rate UPS Shipping

Managing TNT Express Shipping

Managing UPS Shipping

Managing United States Postal Service Shipping

Managing USPS Shipping

Opayo Server Module

Managing Support System

Managing Trustpilot Module

Managing VAT On Order

Zero Price Module

User Group Extra Discounts

Installing Opayo Server by Elavon for osCommerce 2.2 via Installer

Installing Opayo by Elavon for osCommerce 2.2 via Installer

Installing Opayo Server for osc2.2 via Zip File

Installing Opayo for osc2.2 via Zip File

Issue #33: December 16, 2003

By Harald Ponce de Leon

December 16, 2003

osCommerce 2.2 Milestone 1 SQL Injection Vulnerability
Forum Searching
Development Progress
E-Commerce Regulations

Discussions regarding this weekly report can be found here:

https://www.oscommerce.com/forums/index.php?showtopic=70525

osCommerce 2.2 Milestone 1 SQL Injection Vulnerability

An SQL injection vulnerability exists in osCommerce 2.2 Milestone 1, due to variable types not being checked which has been addressed in the 2.2 Milestone 2 release.

The reported vulnerability exists during the customer account creation procedure, specifically in the create_account_process.php file, with the user submited country value being used rawly in SQL queries.

The functions involved in processing the vulnerable SQL queries are defined in includes/functions/general.php, and are called tep_get_zone_name() and tep_get_countries().

It is strongly recommended for stores running on 2.2 Milestone 1 to download the update package, to read the documentation within, and to apply the updates appropriately.

Although only two functions are vulnerable in this report, other functions could also be affected due to variable types not being checked. A replacement for the includes/functions/general.php file is provided in the update package to minimize further injection possibilities from occuring.

Although no further SQL injection reports are known, and as variable checking was implemented in 2.2 Milestone 2, Milestone 1 will remain in the risk zone, and is therefore recommended to update the remaining SQL queries appropriately or to upgrade to Milestone 2. Further information is available in the update package.

The update package can be downloaded here:

https://www.oscommerce.com/ext/oscommerce-22ms1-20031216.tar.gz

Forum Searching

The default searching algorithm for the forums has changed from an "or" based algorithm, to an "and" based algorithm.

This changes the results returned by returning posts containing all words searched for, instead of any words searched for.

Searches for "payment module" will now return posts containing both words, instead of either.

If the "or", or either, method is preferred, searching for "payment or module" is now required and will only return posts containing either words.

Development Progress

The following new classes have been implemented into CVS:

* osC_Customer
* osC_Session
* osC_Tax

All variables are now called in their respective scope, making the Catalog register_globals compatible, which includes using the new super global variables introduced in PHP 4.1.

Changes to the currencies class will be commited this week, which improves performance by querying the tax rate only when DISPLAY_PRICES_WITH_TAX is enabled.

The list of incompatibilities between Milestone 2 and Milestone 3 can be viewed on the Wiki site at the following address:

https://www.oscommerce.com/wiki/proposalMS2MS3Incompatibilities

Discussions regarding the progress of Milestone 3 are held in the following forum thread:

https://www.oscommerce.com/forums/index.php?showtopic=66462

E-Commerce Regulations

New parameters will be introduced to enable features legally needed in some countries, and to disable the same features where not needed.

The initial list of features that will be controlled via parameters can be seen on Workboard entry 69. The first feature of forcing the customer to accept the terms and conditions when proceeding through the checkout procedure has been implemented in CVS.

The second feature of forcing the customer to agree to the privacy notice when creating an account will be commited to CVS during the week.

Discussions regarding Workboard entry 69 are held in the following forum thread:

https://www.oscommerce.com/forums/index.php?showtopic=68739

 

You can further discuss it on our Forum