osCommerce News
Recent posts
post item
"Buy Now, Pay Later" with new PayPal for new osCommerce
December 13, 2022
Upgrade PayPal module and osCommerce to offer Buy Now, Pay Later feature to customers. Click here to learn more... ...
post item
osCommerce 4.08 release and Connecting to the App Shop
December 09, 2022
osCommerce 4.08 release notes, including how to connect to the App Shop if you were not able to do it before ...
post item
osCommerce 4.07 release
October 26, 2022
osCommerce 4.07 release notes  ...
post item
FREE osCommerce Design Webinar
October 18, 2022
osCommerce is looking to have a Webinar to demonstrate how to modify existing and create new designs. All interested parties, businesses, designers, and developers, are welcome to indicate their interest to participate by commenting on this post in our Forums: https://forums.oscommerce.com/topic/497631-webinar-oscommerce-design/ See you online soon! ...
post item
osCommerce Apps - free until 1/1/23
October 13, 2022
While the osCommerce team are working hard on adding apps to the App Shop, we have decided to make ALL available osCommerce-made applications free in the App Shop until the 1st of January 2023.  You're welcome to download any app via the App shop, and use it to build your own osCommerce site or such for your client. Your feedback is highly appreciated.  With best wishes, osCommerce team ...
post item
osCommerce 4.05 release
September 21, 2022
osCommerce 4.05 has been released! Read more to find out how to upgrade to the latest version and what has changed ...
post item
Hybrid Ecommerce
August 16, 2022
osCommerce brings a new type of Ecommerce platform to the market - a so called Hybrid Ecommerce. So what is Hybrid Ecommerce? We see it to be the best of both worlds - an open source (and free) Ecommerce solution that is also hosted as if it was SaaS (or EaaS - Ecommerce as a Service). This means users (businesses and developers) do not need to worry about hosting requirements and at the same time have full access to the source code and can change or implement any custom features, integrations, etc. Of course, it is always possible to host osCommerce on your own server! It is just so much easier (and quite likely more cost effective!) to use osCommerce's own hosting solutions.  Hybrid Ecommerce from osCommerce Users can choose to have osCommerce installed for free on one of our servers to try osCommerce before use.  Once satisfied with its features, speed, robustness - they can choose to move to a paid osCommerce hosting account or to download and use osCommerce site on their own server. Move to an osCommerce-managed server is done automatically. Server environment is optimised for osCommerce, allowing it to give the best performance. It is also managed and upgraded with the latest server software. Most importantly, osCommerce installation can be automatically updated to the latest version of osCommerce (and Applications) as well. Any customisations, done right, will stay but all the standard modules and the core of osCommerce will be regularly updated, bringing fixes, changes, new features. Full FTP and mySQL access are offered to businesses and developers should they require such.   ...
post item
osCommerce 4.03 release
August 16, 2022
osCommerce 4.03 has been released. Read more about what's new in the latest version of popular open source free shopping cart! ...
post item
osCommerce 4.02 release
August 09, 2022
osCommerce 4.02 release, update notes, download instructions ...
post item
osCommerce 4.01 release
August 04, 2022
osCommerce 4.01 is available from https://www.oscommerce.com   Changes are available from osCommerce Wiki:  https://wiki.oscommerce.com/index.php?title=Change_Log We will continue working on fixing issues and adding features, osCommerce will be regularly developed and updated. ...
Products

Security Fix For The Exchange Project Preview Release 2.1

Overview
Example
Solution
Notes
Links

Overview

The Exchange Project Preview Release 2.1 [released March 2001] contains a security issue which can be taken advantage of by using the global variable scope that PHP provides.

The security issue concerns the following files:

catalog/includes/include_once.php
admin/includes/include_once.php

The cause of the security issue is the $include_file variable.

If either of the pages are requested directly through a client, the $include_file variable does not get initialized in the local variable scope; because of PHPs global variable scope PHP then automatically checks if $include_file has been set in the GET/POST/COOKIE variable scope.

Example

An example of how the security issue can be exploited via the GET variable scope is shown here:

https://server/catalog/includes/include_once.php?include_file=application_top.php

$include_file is now initialized through the GET variable scope making include_once.php perform the following action:

include('application_top.php');

The file 'application_top.php' is included and the results are shown to the client.

'application_top.php' is a light example of exploiting the security issue. The parameter value can be replaced to allow heavier exploitations which could compromise the server.

Solution

This security issue was fixed in the CVS repository (which contains the development sources to the next project version) one week after Preview Release 2.1 was released, which includes adding a .htaccess file to the following directories:

catalog/includes/
admin/includes/

The latest version of the .htaccess file can be downloaded from the CVS repository:

https://cvs.sf.net/cgi-bin/viewcvs.cgi/tep/catalog/catalog/includes/.htaccess

The .htaccess file, which works only with Apache web servers [that are configured to follow .htaccess files], is set to block direct requests to the 'includes' directory.

For other web servers, and for extra security, the include_once.php file should be replaced with the following:

<?php
  if (strstr($include_file, '..'))
    $include_file = str_replace('..', '', $include_file);

  if (strstr($include_file, '@'))
    $include_file = str_replace('@', '', $include_file);

  if (strstr($include_file, ':'))
    $include_file = str_replace(':', '', $include_file);

  if (isset($include_file) &&
      defined('DIR_WS_INCLUDES') &&
     !defined($include_file . '__') &&
      file_exists($include_file) &&
     !isset($HTTP_GET_VARS['include_file']) &&
     !isset($HTTP_POST_VARS['include_file']) &&
     !isset($HTTP_COOKIE_VARS['include_file']) &&
     !isset($HTTP_SESSION_VARS['include_file']) &&
     !isset($HTTP_POST_FILES['include_file']) &&
     !isset($HTTP_ENV_VARS['include_file'])) {

    define($include_file . '__', 1);
    include($include_file);
  }
?>


Notes

This security issue does not affect versions after Preview Release 2.1; the current development version is osCommerce 2.2-CVS which removes the include_once.php file from usage. The next stable release, osCommerce 2.2, will be the first [non preview-release] stable release the project has made, which focuses on security, stability, compatibility, and performance issues.

Links

This security issue was forwarded to the Bugtraq security mailing list which can be read at:

https://msgs.securepoint.com/cgi-bin/get/bugtraq0206/141.html

A study of common PHP exploitations can be read at:

/

The osCommerce support site is located at:

https://www.oscommerce.com