Jump to content
dev osCommerce
Forum
  • Checkout
  • Login
  • Contact Us
  • Get in touch

osCommerce

The e-commerce.

New Demo
Our Partners

Does this effect osCommerce

BearHappy

By BearHappy
in General Support

Recommended Posts

BearHappy

BearHappy

Posted
Posted

Below is an advisory posted on the Hardened PHP Project website. Does this vulnerability effect osCommerce code? Should this be something that we need to discuss with our hosting providers?

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

 

                        Hardened-PHP Project

                        www.hardened-php.net

 

                      -= Security  Advisory =-

 

 

    Advisory: PEAR XML_RPC Remote PHP Code Injection Vulnerability

Release Date: 2005/08/15

Last Modified: 2005/08/15

      Author: Stefan Esser [sesser@hardened-php.net]

 

  Application: PEAR XML_RPC <= 1.3.3

    Severity: A malformed XMLRPC request can result in execution

              of arbitrary injected PHP code

        Risk: Critical

Vendor Status: Vendor has released an updated version

  References: http://www.hardened-php.net/advisory_142005.66.html

 

 

Overview:

 

  PEAR XML_RPC is the PEAR-ified version of Useful Inc's XML-RPC

  for PHP, which is a PHP implementation of the XML-RPC protocol.

  It has support for HTTP transport, proxies and authentication.

 

  After Gulftech released their PHP code injection advisory in the

  end of June 2005 we sheduled the code for an audit from our side.

  Unfortunately we were able to find another vulnerability in the

  XML-RPC libraries that allows injection of arbitrary PHP code

  into eval() statements.

 

  Unlike the last vulnerability this is not caused by wrongly

  implemented escaping of the user input, but by an improper handling

  of XMLRPC requests and responses that are malformed in a certain

  way.

 

  To get rid of this and future eval() injection vulnerabilities, the

  Hardened-PHP Project has developed together with the maintainers

  of both libraries a fix that completely eliminates the use of

  eval() from the library.

 

 

Details:

 

  When the library parses XMLRPC requests/repsonses, it constructs

  a string of PHP code, that is later evaluated. This means any

  failure to properly handle the construction of this string can

  result in arbitrary execution of PHP code.

 

  In late June a problem was discovered, that certain XML tags where

  using single quotes around embedded user input and single quotes

  where not escaped. This allowed a typical injection attack. While

  all these escaping problems were believed to be fixed, I was able

  to find another problems, that allows injection of arbitrary code.

 

  This new injection vulnerability is cause by not properly handling

  the situation, when certain XML tags are nested in the parsed

  document, that were never meant to be nested at all. This can be

  easily exploited in a way, that user-input is placed outside of

  string delimiters within the evaluation string, which obviously

  results in arbitrary code execution.

 

  Therefore we have added a XML tag nesting verification into the

  code and additionally removed all call to eval(). Therefore the

  resulting patch eliminates the current and the possibility for

  future eval() holes. Additionally this means from the diff

  between a vulnerable and a not vulnerable version it is not

  possible to find the position of the flaw easily.

 

 

CVE Information:

 

  The Common Vulnerabilities and Exposures project (cve.mitre.org)

  has assigned the name CAN-2005-2498 to this vulnerability.

     

     

Proof of Concept:

 

  The Hardened-PHP Project is not going to release an exploit for

  this vulnerability to the public.

 

 

Disclosure Timeline:

 

  22. July  2005 - Contact with both library vendors established.

                    Issue is discussed and a patch that eliminates

      the use of eval() is developed, improved and

      tested.

  12. August 2005 - Affected applications are contacted and asked

                    for beta test of the patches.

  14. August 2005 - Vendors release bugfixed versions, after

                    information about this vulnerability leaked

      through one of the affected applications to

      the public.

  15. August 2005 - Public disclosure

 

 

Recommendation:

 

  We strongly recommend to upgrade to the vendor supplied new

  version, that completely eliminates all calls to eval().

     

      PEAR XML_RPC 1.4.0

      http://pear.php.net/get/XML_RPC-1.4.0.tgz

     

  You can also upgrade XML_RPC with the pear commandline client,

  but because this uses a XML_RPC connection to retrieve the data

  it is not recommended.

 

 

GPG-Key:

 

  http://www.hardened-php.net/hardened-php-signature-key.asc

 

  pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key

  Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

 

 

Copyright 2005 Stefan Esser / Hardened-PHP Project. All rights reserved.

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.0.6 (GNU/Linux)

Comment: For info see http://www.gnupg.org

 

iD8DBQFDAJF0RDkUzAqGSqERAku9AKCjcTZcuAAQfTaiDQcFVrBzSBQ5cwCdEJmO

5hlRikPiTLgdsdvYrukOS9s=

=/PFy

-----END PGP SIGNATURE-----

Link to comment
Share on other sites
Guest

Guest

Posted
Posted

I do not see how the xml tags could affect the php "constant" compatibility oscommerce uses or the newsletter settings through the admin (default core) regarding the eval function.

 

Now regarding contributions that's a different matter.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...