Security Fix For The Exchange Project Preview Release 2.1

Overview
Example
Solution
Notes
Links

Overview

The Exchange Project Preview Release 2.1 [released March 2001] contains a security issue that can be exploited through PHP's register_globals behaviour, under which every GET, POST and COOKIE parameter sent by the client is registered as an ordinary global variable before the script runs.

The security issue concerns the following files:

catalog/includes/include_once.php
admin/includes/include_once.php

The cause of the security issue is the uninitialized $include_file variable.

If either of these files is requested directly by a client, nothing in the script's own scope has set $include_file. With register_globals enabled (the default in PHP 4 at the time), PHP has already registered the request's GET, POST and COOKIE parameters as global variables, so a client that sends an include_file parameter chooses the value that the script passes to include().

Example

An example of how the security issue can be exploited via the GET variable scope is shown here:

https://server/catalog/includes/include_once.php?include_file=application_top.php

$include_file is now initialized from the GET parameter, so include_once.php performs the following action:

include('application_top.php');

The file 'application_top.php' is included and its output is returned to the client.

'application_top.php' is a harmless demonstration. Because the value is passed to include() unchecked, it can be replaced with any other path the web server process can read, inside or outside the includes directory, and, on a PHP configured to open URLs, with a remote location; either can compromise the server.

Solution

This security issue was fixed in the CVS repository (which holds the development sources for the next project version) one week after Preview Release 2.1 was released. The fix adds a .htaccess file to the following directories:

catalog/includes/
admin/includes/

The latest version of the .htaccess file can be downloaded from the CVS repository:

https://cvs.sf.net/cgi-bin/viewcvs.cgi/tep/catalog/catalog/includes/.htaccess

The .htaccess file, which works only with Apache web servers that are configured to honour .htaccess files (AllowOverride for that directory), blocks direct HTTP requests to the 'includes' directory. It does not affect include() itself, which reads the files from disk.
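As an added illustration (this is not the project's own .htaccess, which should be taken from the CVS link above), the directive set that denies every direct request for the directory, written so that it works on both Apache 2.2 (mod_access) and Apache 2.4 (mod_authz_core):

```apacheconf
# Added example, not the osCommerce .htaccess: refuse every direct HTTP
# request for anything under includes/. include() still reads the files
# from disk, so the application keeps working.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

The file only takes effect where the enclosing Directory has AllowOverride Limit (or All); with AllowOverride None Apache silently ignores it. Check the result from outside: a request for /catalog/includes/include_once.php must now return 403, not 200.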

For other web servers, and as defence in depth even on Apache, the include_once.php file should be replaced with the following:

<?php
  // Strip the sequences that would let the value leave the includes
  // directory ('..') or name a remote location ('@' and the ':' of a URL scheme).
  if (strstr($include_file, '..'))
    $include_file = str_replace('..', '', $include_file);

  if (strstr($include_file, '@'))
    $include_file = str_replace('@', '', $include_file);

  if (strstr($include_file, ':'))
    $include_file = str_replace(':', '', $include_file);

  // Include only when $include_file was set by the calling page:
  //  - DIR_WS_INCLUDES is defined by the application itself, so it is only
  //    present when this file is reached through a normal page, not directly;
  //  - the isset() checks on the PHP 4 request arrays refuse any value that
  //    arrived with the GET, POST, cookie, session, upload or environment data;
  //  - the '<file>__' constant records that the file was already included,
  //    giving include_once() behaviour.
  if (isset($include_file) &&
      defined('DIR_WS_INCLUDES') &&
     !defined($include_file . '__') &&
      file_exists($include_file) &&
     !isset($HTTP_GET_VARS['include_file']) &&
     !isset($HTTP_POST_VARS['include_file']) &&
     !isset($HTTP_COOKIE_VARS['include_file']) &&
     !isset($HTTP_SESSION_VARS['include_file']) &&
     !isset($HTTP_POST_FILES['include_file']) &&
     !isset($HTTP_ENV_VARS['include_file'])) {

    define($include_file . '__', 1);
    include($include_file);
  }
?>
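The following is an added example for this advisory and is not code from osCommerce or The Exchange Project. It reproduces the bug described in the Example section and applies the idea behind the replacement include_once.php above, on a current PHP: extract() stands in for register_globals (removed in PHP 5.4) so the vulnerable behaviour can be shown, and hardened_resolve() refuses any value that came with the request, accepts only a bare .php file name, and checks that the canonical path stays below the includes directory. The $request array stands in for the merged GET, POST and COOKIE data (in a web context you would check $_GET, $_POST and $_COOKIE); the directory, file and request values are constructed for the demonstration.

```php
<?php
// Added example, not osCommerce code. extract() emulates PHP 4's
// register_globals; hardened_resolve() shows the checks a replacement
// include_once.php needs. Directory, file and requests are constructed.
declare(strict_types=1);

// Vulnerable: nothing has set $include_file, and "register_globals" lets the
// client set it. What comes back is what the old include_once.php would include().
function vulnerable_resolve(array $request): ?string
{
    extract($request, EXTR_SKIP);   // ?include_file=... becomes $include_file
    return isset($include_file) ? (string) $include_file : null;
}

// Hardened: $include_file must come from the calling page (never from the
// request), be a bare .php file name, and resolve to a file below $includes_dir.
function hardened_resolve(?string $include_file, string $includes_dir, array $request): ?string
{
    if ($include_file === null || $include_file === '') {
        return null;                                // nothing to include
    }
    if (array_key_exists('include_file', $request)) {
        return null;                                // client-supplied value: refuse
    }
    // Bare name only: this rejects '..', '/', '\', 'http:', 'php://', '@' and NUL
    // in one place instead of stripping them piecemeal.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $include_file)) {
        return null;
    }
    $base = realpath($includes_dir);
    $path = realpath($includes_dir . DIRECTORY_SEPARATOR . $include_file);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: the canonical path must start with the canonical base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demo: a throwaway includes directory holding one harmless file.
$includes_dir = sys_get_temp_dir() . '/demo_includes_' . getmypid();
mkdir($includes_dir, 0700);
file_put_contents($includes_dir . '/application_top.php', "<?php\nreturn 'application_top.php ran';\n");

$cases = [
    // [label, $include_file as set by a calling page, request parameters]
    ['page sets the variable, no request parameter', 'application_top.php', []],
    ['direct request supplies the name',              null, ['include_file' => 'application_top.php']],
    ['directory traversal',                           null, ['include_file' => '../../../../etc/passwd']],
    ['remote file inclusion attempt',                 null, ['include_file' => 'http://attacker.example/shell.txt']],
];

foreach ($cases as [$label, $set_by_page, $request]) {
    $vulnerable = vulnerable_resolve($request) ?? $set_by_page;   // what the old code would include()
    $hardened   = hardened_resolve($set_by_page, $includes_dir, $request);
    printf("%-46s old: include(%s)\n", $label, var_export($vulnerable, true));
    printf("%-46s new: %s\n\n", '', $hardened === null ? 'refused' : (include $hardened));
}

unlink($includes_dir . '/application_top.php');
rmdir($includes_dir);
```

Run it with the PHP CLI: only the first case, where the calling page set the variable and the request carried nothing, is included; the three direct requests are refused before any path is touched. The allow-list regular expression is deliberately stricter than the character stripping in the replacement file above, because a single rule that states what is permitted is easier to audit than a list of what is forbidden.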


Notes

This security issue does not affect versions after Preview Release 2.1: the current development version, osCommerce 2.2-CVS, no longer uses the include_once.php file. The next stable release, osCommerce 2.2, will be the project's first non-preview stable release and focuses on security, stability, compatibility and performance.

Links

This security issue was forwarded to the Bugtraq security mailing list which can be read at:

https://msgs.securepoint.com/cgi-bin/get/bugtraq0206/141.html

A study of common PHP exploitations can be read at:

/

The osCommerce support site is located at:

https://www.oscommerce.com

 
