Security Fix For The Exchange Project Preview Release 2.1

Overview
Example
Solution
Notes
Links

Overview

The Exchange Project Preview Release 2.1 [released March 2001] contains a security issue which can be taken advantage of by using the global variable scope that PHP provides.

The security issue concerns the following files:

catalog/includes/include_once.php
admin/includes/include_once.php

The cause of the security issue is the $include_file variable.

If either of these files is requested directly by a client, the $include_file variable is not initialized in the local variable scope; because of PHP's global variable scope, PHP then automatically checks whether $include_file has been set in the GET/POST/COOKIE variable scope and uses that value.

Example

An example of how the security issue can be exploited via the GET variable scope is shown here:

https://server/catalog/includes/include_once.php?include_file=application_top.php

$include_file is now initialized through the GET variable scope making include_once.php perform the following action:

include('application_top.php');

The file 'application_top.php' is included and the results are shown to the client.

'application_top.php' is a harmless example of the security issue. The parameter value can be replaced with other values that allow heavier exploitation and could compromise the server.

Solution

This security issue was fixed in the CVS repository (which contains the development sources for the next project version) one week after Preview Release 2.1 was released. The fix adds a .htaccess file to the following directories:

catalog/includes/
admin/includes/

The latest version of the .htaccess file can be downloaded from the CVS repository:

https://cvs.sf.net/cgi-bin/viewcvs.cgi/tep/catalog/catalog/includes/.htaccess

The .htaccess file, which works only with Apache web servers [that are configured to honour .htaccess files], blocks direct requests to the 'includes' directory.

For other web servers, and for extra security, the include_once.php file should be replaced with the following:

<?php
  // Strip sequences that could point the include outside the includes
  // directory ('..') or at a remote location ('@' and ':' as used in
  // user@host and scheme:// forms).
  if (strstr($include_file, '..'))
    $include_file = str_replace('..', '', $include_file);

  if (strstr($include_file, '@'))
    $include_file = str_replace('@', '', $include_file);

  if (strstr($include_file, ':'))
    $include_file = str_replace(':', '', $include_file);

  // Include the file only when $include_file was set by the calling
  // script itself: if the same name is present in any request scope
  // (GET, POST, cookie, session, uploaded files, environment) the
  // value may have come from the client, so the include is refused.
  // The '<name>__' constant acts as an include-once guard.
  if (isset($include_file) &&
      defined('DIR_WS_INCLUDES') &&
     !defined($include_file . '__') &&
      file_exists($include_file) &&
     !isset($HTTP_GET_VARS['include_file']) &&
     !isset($HTTP_POST_VARS['include_file']) &&
     !isset($HTTP_COOKIE_VARS['include_file']) &&
     !isset($HTTP_SESSION_VARS['include_file']) &&
     !isset($HTTP_POST_FILES['include_file']) &&
     !isset($HTTP_ENV_VARS['include_file'])) {

    define($include_file . '__', 1);
    include($include_file);
  }
?>
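
The following is an added example, not code from this advisory or from the osCommerce project, that illustrates both the Overview's point (an include path taken from the global variable scope, i.e. PHP's register_globals behaviour, is attacker-controlled) and the replacement include_once.php above. Instead of checking every request scope for a variable of the same name, the calling script passes the file name as a function argument, the name is matched against a fixed allowlist, and the resolved path is confined to the includes directory. DIR_WS_INCLUDES's value, the allowlist entries and the function name secure_include_once are assumptions made for the example.

```php
<?php
// Added example, not osCommerce code: a hardened replacement for the
// include_once.php pattern. The file name is an explicit argument, so a
// value arriving through GET, POST, cookies or the environment can never
// become the include path. DIR_WS_INCLUDES and the allowlist are assumed.

if (!defined('DIR_WS_INCLUDES')) {
    define('DIR_WS_INCLUDES', __DIR__ . '/includes/');   // assumed layout
}

// Refuse to run when this helper itself is requested directly through the
// web server; this is the in-code counterpart of the .htaccess block.
if (isset($_SERVER['SCRIPT_FILENAME']) &&
    realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

/**
 * Include a file from DIR_WS_INCLUDES at most once.
 * Returns true if the file was (or had already been) included,
 * false if the request was refused.
 */
function secure_include_once($include_file)
{
    // 1. Only names from a fixed allowlist are acceptable at all, so
    //    '..' components, scheme:// wrappers or user@host forms never
    //    reach include(). The entries here are assumed for the example.
    static $allowed = array('application_top.php', 'application_bottom.php');
    if (!is_string($include_file) || !in_array($include_file, $allowed, true)) {
        return false;
    }

    // 2. Resolve the path and confirm it still lies inside the includes
    //    directory once symlinks and '.'/'..' components are collapsed.
    $base = realpath(DIR_WS_INCLUDES);
    $path = realpath(DIR_WS_INCLUDES . $include_file);
    if ($base === false || $path === false ||
        strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 3. Include-once guard keyed on the resolved path, replacing the
    //    define($include_file . '__', 1) trick used by the original fix.
    static $loaded = array();
    if (isset($loaded[$path])) {
        return true;
    }
    $loaded[$path] = true;
    include($path);
    return true;
}

// Usage from a page script: the name is a literal chosen by the code,
// never read from $_GET, $_POST or a cookie.
secure_include_once('application_top.php');
```

The allowlist is the actual security boundary; the realpath check is a second line of defence in case the allowlist is later extended with a name that contains a path component. On Apache the accompanying .htaccess in the includes directory can simply contain `Deny from all` (Apache 2.2 syntax; `Require all denied` on Apache 2.4) so that the helper is never reachable by a direct request at all.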


Notes

This security issue does not affect versions after Preview Release 2.1; the current development version, osCommerce 2.2-CVS, no longer uses the include_once.php file. The next stable release, osCommerce 2.2, will be the first [non preview-release] stable release the project has made; it focuses on security, stability, compatibility, and performance issues.

Links

This security issue was forwarded to the Bugtraq security mailing list which can be read at:

https://msgs.securepoint.com/cgi-bin/get/bugtraq0206/141.html

A study of common PHP exploitations can be read at:

/

The osCommerce support site is located at:

https://www.oscommerce.com
