Guest Posted February 19, 2005

I received this security alert this morning, but do not see a fix on the oscommerce.com web site, nor any mention in the forums here. Forgive me if I posted to the wrong place. Here are the details of the issue, as I received them:

Platform: Web Application
Title: osCommerce contact_us.php Cross-Site Scripting
Description: osCommerce is reported vulnerable to a cross-site scripting issue. Attackers could leverage this towards theft of cookie-based authentication credentials. osCommerce version 2.2-MS2 is reported vulnerable.
Ref: http://www.securityfocus.com/archive/1/390540

By following the link, you may view an example of the vulnerability being exposed on your own web site.

I fixed my installation by editing includes/functions/html_output.php

At line 222 change:

  $field .= stripslashes($GLOBALS[$name]);

to

  $field .= stripslashes(htmlspecialchars($GLOBALS[$name]));

save and test. This eliminates the problem on my system.

That field is populated on a POST method, the string was sent via the GET method, so there should be some kind of restriction that says the input can only come from the POST method, instead, the GET data is found and inserted. I don't know what this will break in other areas of the program, but I don't really think any of the input boxes should display html anyways. Correct me if there is a better way please.

Silver.
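The one-line change above, shown on a reduced model of the field-drawing function so the before and after can be compared side by side. This is an added example, not osCommerce's own html_output.php: the demo_* functions and the sample request are constructed for it, and the array passed in stands in for what register_globals put into $GLOBALS from GET or POST. It also shows the "POST only" restriction Silver suggests, for comparison.

```php
<?php
// Added example, not osCommerce code: a reduced model of how the value
// re-insertion in tep_draw_input_field() (includes/functions/html_output.php)
// behaves before and after the htmlspecialchars() change from the post.
// All demo_* names and the sample request below are constructed for this example.

// With register_globals on (the PHP 4 setting osCommerce 2.2 was written for),
// $GLOBALS[$name] holds whatever arrived under that name, from GET or POST
// alike. $request stands in for that merged array here; $method is the
// request method the value arrived with.
function demo_draw_input_field($name, $request, $method, $escape, $post_only = false) {
    $field = '<input type="text" name="' . $name . '"';
    if (isset($request[$name]) && (!$post_only || $method == 'POST')) {
        $value = stripslashes($request[$name]);
        if ($escape) {
            // The fix from the post: <, >, & and " become entities, so the
            // value can no longer end the attribute or start a tag.
            $value = htmlspecialchars($value);
        }
        $field .= ' value="' . $value . '"';
    }
    return $field . '>';
}

// A defender's check on the rendered markup: one text input must contain
// exactly one tag, and its value attribute must not contain a raw "<".
function demo_field_is_intact($html) {
    if (substr_count($html, '<') != 1) {
        return false;
    }
    if (!preg_match('/ value="([^"]*)"/', $html, $m)) {
        return true;               // no value attribute was rendered at all
    }
    return (strpos($m[1], '<') === false);
}

// Constructed sample: a "name" parameter that carries markup, arriving via GET.
$request = array('name' => '"><b>hello</b><input type="hidden" value="');

$unescaped = demo_draw_input_field('name', $request, 'GET', false);
$escaped   = demo_draw_input_field('name', $request, 'GET', true);
$postonly  = demo_draw_input_field('name', $request, 'GET', true, true);

// Unescaped: the leading quote closes the value attribute and the rest of the
// string is emitted as live markup. Escaped: the whole string stays inside the
// attribute as entities. POST-only: the GET value is not re-inserted at all.
echo $unescaped, "\n";
echo $escaped, "\n";
echo $postonly, "\n";

// The check fails for the unescaped field and passes for the other two.
var_dump(demo_field_is_intact($unescaped));
var_dump(demo_field_is_intact($escaped));
var_dump(demo_field_is_intact($postonly));
```

Two things worth noting when applying this to a real install: the default htmlspecialchars() flags are enough here because the attribute is double-quoted; if an attribute were single-quoted, ENT_QUOTES would be needed. And restricting re-insertion to POST data on its own is not a fix, since a POST body can carry the same markup; the escaping is what removes the problem, the method check only narrows how it can be reached.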
homewetbar Posted March 8, 2005

> I received this security alert this morning, but do not see a fix on the oscommerce.com web site, nor any mention in the forums here. Forgive me if I posted to the wrong place. Here are the details of the issue, as I received them:
>
> Platform: Web Application
> Title: osCommerce contact_us.php Cross-Site Scripting
> Description: osCommerce is reported vulnerable to a cross-site scripting issue. Attackers could leverage this towards theft of cookie-based authentication credentials. osCommerce version 2.2-MS2 is reported vulnerable.
> Ref: http://www.securityfocus.com/archive/1/390540
>
> By following the link, you may view an example of the vulnerability being exposed on your own web site.
>
> I fixed my installation by editing includes/functions/html_output.php
>
> At line 222 change:
>
>   $field .= stripslashes($GLOBALS[$name]);
>
> to
>
>   $field .= stripslashes(htmlspecialchars($GLOBALS[$name]));
>
> save and test. This eliminates the problem on my system.
>
> That field is populated on a POST method, the string was sent via the GET method, so there should be some kind of restriction that says the input can only come from the POST method, instead, the GET data is found and inserted. I don't know what this will break in other areas of the program, but I don't really think any of the input boxes should display html anyways. Correct me if there is a better way please.
>
> Silver.

Does anyone know if this will cause any problems with the site? Does it fix the Cross-Site Scripting problem? Thanks!
Most Valuable OsCommerce Contributions:
Also Purchased (AP) Preselection (cuts this resource hogging query down to nothing) -- Contribution 3294
FedEx Automated Labels -- Contribution 2244
RMA Returns system -- Contribution 1136
Sort Products By Dropdown -- Contribution 4312
Ultimate SEO URLs -- Contribution 2823
Credit Class & Gift Voucher -- Contribution 282
Cross-Sell -- Contribution 5347
AfterDark Posted March 8, 2005

Yesudo made a fix - check the contributions.
homewetbar Posted March 8, 2005

> Yesudo made a fix - check the contributions.

I cannot seem to find anything in the contributions. What is the contribution called? Thanks!
yesudo Posted March 8, 2005

http://www.oscommerce.com/community/contri...l/search,emmett

Your online success is Paramount.
homewetbar Posted March 9, 2005

That fix causes my form not to work as I have the contact us choice contact form, can you suggest the fix for it or is none needed? Here is my contact_us.php

<?php
/*
  $Id: contact_us.php,v 1.42 2003/06/12 12:17:07 hpdl Exp $

  Revised as Contact Us Choice v1.0 by Fritz Clapp
  +++ with these enhancements: ++++++++++++++++++++++++++++++++
  - store address & phone from configuration is displayed
  - an optional link may be used to show a map to the store
  - additional text may be added under the store address & phone
  - choice of multiple email destinations (if configured)
  - name and email address of logged on customer is filled in
  - subject of sent email distinguishes customer from guest
  - preamble added to message with sender IP address
  - requires entry of name (>3 chars) if guest
  - checks that message body has some text
  - uses new button_send.gif if it exists, instead of continue
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  for more info, refer to the contribution announcement and
  support threads at www.oscommerce.com/forums
  +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2004 osCommerce

  Released under the GNU General Public License
*/

  require('includes/application_top.php');

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);
    $sender_type = tep_db_prepare_input($HTTP_POST_VARS['sendertype']);
    // index of the chosen destination in CONTACT_US_LIST; the code as posted
    // never assigned $send_to and relied on register_globals to supply it
    $send_to = (isset($HTTP_POST_VARS['send_to']) ? (int)$HTTP_POST_VARS['send_to'] : 0);

    if (strlen($name) < 3) {
      $error = true;
      $messageStack->add('contact', ENTRY_NAME_CHECK_ERROR);
    }

    if (!tep_validate_email($email_address)) {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }

    if ($enquiry == '') {
      $error = true;
      $messageStack->add('contact', ENTRY_ENQUIRY_CHECK_ERROR);
    }

    if ($error == false) {
      // add IP address and preamble text to message body
      $enquiry = sprintf(EMAIL_PREAMBLE_TEXT, $sender_type) . " " . tep_get_ip_address() . "\n-----------------------\n" . $enquiry;

      // use list of contact addresses if configured
      if (defined('CONTACT_US_LIST') && (CONTACT_US_LIST != '')) {
        $send_to_array = explode(",", CONTACT_US_LIST);
        // pull the <address> part out of the chosen "Name <address>" entry
        preg_match('/\<[^>]+\>/', $send_to_array[$send_to], $send_email_array);
        $send_to_email = eregi_replace(">", "", $send_email_array[0]);
        $send_to_email = eregi_replace("<", "", $send_to_email);
        // append sender type to subject line
        tep_mail(preg_replace('/\<[^*]*/', '', $send_to_array[$send_to]), $send_to_email, $sender_type . " " . EMAIL_SUBJECT, $enquiry, $name, $email_address);
      } else {
        tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, $sender_type . " " . EMAIL_SUBJECT, $enquiry, $name, $email_address);
      }

      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    }
  }

  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_CONTACT_US));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table class="mainTable" width="100%" cellspacing="0" cellpadding="0">
  <tr>
    <td class="mainTableLeft" width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="0">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
    </table></td>
<!-- body_text //-->
    <td width="634" valign="top" class="prodTableRight"><?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send')); ?><center><table border="0" width="615" cellspacing="0" cellpadding="0">
      <tr>
        <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
            <td class="pageHeading" align="right"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_contact_us.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
<?php
  if ($messageStack->size('contact') > 0) {
?>
      <tr>
        <td><?php echo $messageStack->output('contact'); ?></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
<?php
  }

  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'success')) {
?>
      <tr>
        <td class="main" align="center"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_man_on_board.gif', HEADING_TITLE, '0', '0', 'align="left"') . TEXT_SUCCESS; ?></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
      <tr>
        <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
          <tr class="infoBoxContents">
            <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
              <tr>
                <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                <td align="right"><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td>
                <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
              </tr>
            </table></td>
          </tr>
        </table></td>
      </tr>
<?php
  } else {
?>
      <tr>
        <td class="fieldValue" colspan="2"><?php echo HEADING_SUB_TITLE; ?><br><br></td>
      </tr>
      <tr>
        <td><table border="0" cellspacing="1" cellpadding="4" class="infoBox" width="100%"><tr class="infoBoxContents">
          <td class="main" valign="top" align="left" width="135">
          <b>Mailing Address:</b><br>
<?php
  echo nl2br(STORE_NAME_ADDRESS);
  // optional map link under the store address
  if (CONTACT_MAP_LINK != '') {
    echo '<br><br><a href="' . tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode(eregi_replace('http://', '', CONTACT_MAP_LINK)), 'NONSSL', false, false) . "\" target=_blank>" . tep_image_button('button_map.gif', IMAGE_BUTTON_MAP) . '</a>';
  }
?>
<?php
  // optional additional text under the store address & phone
  if (CONTACT_US_ADDL_TEXT != '') {
    echo '<p align="' . ((CONTACT_US_ADDL_TEXT_ALIGN == '') ? 'center' : CONTACT_US_ADDL_TEXT_ALIGN) . '">' . CONTACT_US_ADDL_TEXT . '</p>';
  }
?>
          </td>
          <td align="right">
          <table border="0" width="100%" cellspacing="1" cellpadding="2">
          <tr>
            <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
<?php
  // destination chooser, as radio buttons or a pull-down, if a list is configured
  if ((defined('CONTACT_US_LIST')) && (CONTACT_US_LIST != '')) {
    echo '<tr><td class="main">' . SEND_TO_TEXT . '</td></tr>' . '<tr><td class="main">';
    if (SEND_TO_TYPE == 'radio') {
      foreach (explode(",", CONTACT_US_LIST) as $k => $v) {
        if ($k == 0) {
          $checked = true;
        } else {
          $checked = false;
        }
        echo tep_draw_radio_field('send_to', "$k", $checked) . " " . preg_replace('/\<[^*]*/', '', $v) . "<br>\n";
      }
    } else {
      foreach (explode(",", CONTACT_US_LIST) as $k => $v) {
        $send_to_array[] = array('id' => $k, 'text' => preg_replace('/\<[^*]*/', '', $v));
      }
      echo tep_draw_pull_down_menu('send_to', $send_to_array);
    }
    echo "\n</td></tr>\n";
  }
?>
              <tr>
                <td class="main"><?php echo ENTRY_NAME; ?></td>
              </tr>
              <tr>
                <td class="main"><?php
  // prefill first+last name and email address if customer is logged in
  if (tep_session_is_registered('customer_id')) {
    $customer_query_raw = "select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_id='" . $customer_id . "'";
    $customer_query = tep_db_query($customer_query_raw);
    $customer_array = tep_db_fetch_array($customer_query);
    echo tep_draw_input_field('name', $customer_array['customers_firstname'] . " " . $customer_array['customers_lastname'], 'readonly');
    echo "</td></tr><tr><td class=\"main\">" . ENTRY_EMAIL . "</td></tr><tr><td class=\"main\">";
    echo tep_draw_input_field('email', $customer_array['customers_email_address'], 'readonly');
  } else {
    echo tep_draw_input_field('name');
    echo "</td></tr><tr><td class=\"main\">" . ENTRY_EMAIL . "</td></tr><tr><td class=\"main\">";
    echo tep_draw_input_field('email');
  }
?></td>
              </tr>
              <tr>
                <td class="main"><?php echo ENTRY_ENQUIRY; ?></td>
              </tr>
              <tr>
                <td><?php echo tep_draw_textarea_field('enquiry', 'soft', 50, 15); ?></td>
              </tr>
            </table></td></tr></table></td>
          </tr>
        </table></td>
      </tr>
      <tr>
        <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
      </tr>
      <tr>
        <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
          <tr class="infoBoxContents">
            <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
              <tr>
                <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                <td align="right"><?php
  // identify sender as customer or guest
  echo tep_draw_hidden_field('sendertype', tep_session_is_registered('customer_id') ? TEXT_CUSTOMER : TEXT_GUEST);
  // use button_send.gif if the language pack has one, else the continue button
  echo tep_image_submit(file_exists(DIR_WS_LANGUAGES . $language . '/images/buttons/button_send.gif') ? 'button_send.gif' : 'button_continue.gif', IMAGE_BUTTON_SEND);
?></td>
                <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
              </tr>
            </table></td>
          </tr>
        </table></td>
      </tr>
<?php
  }
?>
    </table></form></td>
<!-- body_text_eof //-->
  </table></td>
  </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Thanks!!
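The destination lookup in the script above indexes $send_to_array with the submitted send_to value and pulls the address out of the chosen "Name <address>" entry with a regex; an index that is not in the configured list leaves the address empty. As an added example (not code from the Contact Us Choice contribution or from the post), here is that lookup written so an out-of-range or non-numeric index falls back to the store owner, the same destination the original uses when no list is configured. The DEMO_* constants and demo_* functions stand in for the real CONTACT_US_LIST, STORE_OWNER and STORE_OWNER_EMAIL_ADDRESS configuration and are constructed for this example.

```php
<?php
// Added example, not code from the Contact Us Choice contribution: the
// destination lookup from contact_us.php rewritten so the user-chosen index
// is validated before it is used. The DEMO_* constants and demo_* functions
// are constructed for this example.

// Constructed stand-ins for the osCommerce configuration constants.
define('DEMO_CONTACT_US_LIST', 'Sales <sales@example.com>,Support <support@example.com>');
define('DEMO_STORE_OWNER', 'Store Owner');
define('DEMO_STORE_OWNER_EMAIL_ADDRESS', 'owner@example.com');

// Split one "Display Name <address>" entry into its two parts.
function demo_parse_contact($entry) {
    if (preg_match('/^\s*(.*?)\s*<([^>]+)>\s*$/', $entry, $m)) {
        return array('name' => $m[1], 'email' => $m[2]);
    }
    // No angle brackets: treat the whole entry as the address.
    return array('name' => trim($entry), 'email' => trim($entry));
}

// Resolve the submitted send_to value to a recipient. Anything that is not
// an index into the configured list falls back to the store owner, which is
// what the original script does when no list is configured at all.
function demo_resolve_recipient($send_to, $list) {
    $owner = array('name' => DEMO_STORE_OWNER, 'email' => DEMO_STORE_OWNER_EMAIL_ADDRESS);
    if ($list == '') {
        return $owner;
    }
    // Drop empty entries (a trailing comma in the configuration, for instance)
    // and renumber so the indexes match what the form offered.
    $entries = array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
    if (count($entries) == 0) {
        return $owner;
    }
    if (!is_numeric($send_to) || !isset($entries[(int)$send_to])) {
        return $owner;
    }
    return demo_parse_contact($entries[(int)$send_to]);
}

// Constructed submissions: a valid index, an out-of-range one, and a
// non-numeric one. Only the first resolves to a list entry; the other two
// go to the store owner instead of to an empty address.
foreach (array('1', '7', 'x') as $send_to) {
    $r = demo_resolve_recipient($send_to, DEMO_CONTACT_US_LIST);
    echo $send_to, ' -> ', $r['name'], ' <', $r['email'], ">\n";
}
```

The point of resolving the recipient from the server-side list rather than from anything in the request is that the form only ever submits a small integer; the display name and address that reach tep_mail() come from the configuration, so a reshaped send_to value cannot steer the message anywhere the store owner did not configure.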