Security issue with osCommerce 2.1


quicklyshop


I received an order today at quicklyshop.com for 2 Arctic Silvers at £3.95 each, £7.90 in total, paid with Nochex. The buyer somehow managed to skip the shipping and went to the payment page. To find out how he managed to do this, I logged in with my test account, placed 2 Arctic Silvers in my basket and went to checkout, but I could not skip the shipping section as this buyer did. So how did this happen, and how can we prevent it from happening again?

I can't type a trick like i can type.


Well, you either created your own loophole or your analysis of what happened is not totally correct. I suggest you review your SSL server logs; they can tell you.

Treasurer MFC


Okay, I didn't create my loophole. Seems like any customer who knows about the checkout procedure of osCommerce can alter the payment on checkout. All they have to do is get the document source in HTML, modify the form values and submit to checkout. So I assume this could be done with most of the shopping cart scripts on the market. So the best way is doing a security check on every payment and order. Although you could get your payment script to do this job for you when the payment is received: check the payment ID, the price of individual items in the order and the shipping charge against the database, and if all are correct the script accepts the payment and places the order; if not, it will fail the order.

I can't type a trick like i can type.

OK, if this is all it takes:

"All they have to the get the document source in html modify the form values and submit to checkout"

whatever that means, I suggest you try it out on my site and I will call you Sir forever.

Treasurer MFC


OK, I don't use that, but you were talking about bypassing the checkout_shipping.

You can also bypass it by entering the checkout_confirmation.php URL in the address bar from shopping_cart.php and hitting enter.
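
The server-side check discussed in the posts above (recompute item prices and shipping from stored data when the payment notification arrives, and refuse an order that reached payment without a shipping method), as an added PHP example that is not part of the original thread and is not osCommerce code. The catalog, shipping rate, order layout and callback field names are constructed for illustration; a real store would read them from its database and from its payment processor's documented notification fields.

```php
<?php
// Added illustration, not osCommerce code. All data and field names below are
// constructed samples standing in for database rows and a processor callback.

const CATALOG  = [101 => 395];            // products_id => price in pence (constructed)
const SHIPPING = ['standard' => 250];     // shipping method => charge in pence (constructed)

/** Recompute the order total from server-side data only; throws on a bad order. */
function expected_total(array $order): int
{
    $method = $order['shipping_method'] ?? null;
    if (!is_string($method) || !array_key_exists($method, SHIPPING)) {
        throw new RuntimeException('order has no valid shipping method');
    }
    $items = $order['items'] ?? [];
    if (!is_array($items) || count($items) === 0) {
        throw new RuntimeException('order has no items');
    }
    $total = SHIPPING[$method];
    foreach ($items as $item) {
        $id  = $item['products_id'] ?? null;
        $qty = $item['qty'] ?? null;
        if (!is_int($id) || !array_key_exists($id, CATALOG) || !is_int($qty) || $qty < 1) {
            throw new RuntimeException('invalid order line');
        }
        $total += CATALOG[$id] * $qty;    // price from the catalog, never from the form
    }
    return $total;
}

/** Accept a payment notification only when it matches the recomputed order. */
function verify_payment(array $order, array $callback): bool
{
    try {
        $expected = expected_total($order);
    } catch (RuntimeException $e) {
        return false;                     // e.g. the shipping step was skipped
    }
    return ($callback['order_id'] ?? null) === $order['id']
        && ($callback['amount_pence'] ?? null) === $expected;
}

$order = ['id' => 'ORD-1', 'shipping_method' => 'standard',
          'items' => [['products_id' => 101, 'qty' => 2]]];
$paid_full  = ['order_id' => 'ORD-1', 'amount_pence' => 1040];  // items + shipping
$paid_short = ['order_id' => 'ORD-1', 'amount_pence' => 790];   // items only
var_dump(verify_payment($order, $paid_full), verify_payment($order, $paid_short));
unset($order['shipping_method']);
var_dump(verify_payment($order, $paid_short));
```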


Okay, I didn't create my loophole. Seems like any customer who knows about the checkout procedure of osCommerce can alter the payment on checkout. All they have to do is get the document source in HTML, modify the form values and submit to checkout....

Could be a variable injection issue. Not sure. Do you have register globals enabled? If so, then that could be the loophole that is being used.

Rich.


I just noticed the reference to 2.1. Have you considered upgrading to 2.2?


Okay, I found the problem:

http://secunia.com/advisories/10443/

The problem is that the "country" parameter isn't properly validated in various scripts including "create_account_process.php" and "account_edit_process.php". This can potentially be exploited to manipulate SQL queries.

Also the "products_id" isn't properly validated when a user adds an item to the shopping cart.

osCommerce 2.2ms1 has been reported vulnerable.

So the solution is using 2.2 ms2, but currently that is out of the question for me.

I can't type a trick like i can type.


Archived

This topic is now archived and is closed to further replies.
