Oscommerce 0day Sql Injection Vulnerability

[SecurityGeek]

Hello,

 

i would like to report a 0day vulnerability that works on the latest version of oscommerce 2.3.3.4

 

i don't want to disclose more information here on public before applying a fix

 

can you advice where i can send the security report ? i cannot find a free way to contact the support

 

Thanks

 

#Ahmed Aboul-Ela

[burt]

The vulnerability is confirmed.

 

I'd like to thank Ahmed Aboul-Ela @@SecurityGeek for bringing this to our attention prior to making it public.

 

Fix:

https://github.com/gburton/oscommerce2/commit/e4d90eccd7d9072ebe78da4c38fb048bfe31c902

[burt]

Guys, I think this serious enough to have updated over 40 shops this morning. Highly suggest that you make the same change as outlined in the link above, and do it NOW.

 

 

[greasemonkey]

done and done... Thank you @@burt@@SecurityGeek

[♥14steve14]

I have noticed that the same code is in both early and late versions of oscommerce, so I assume that most stores will need amending. Is this the case.

[burt]

ALL stores will need amending NOW

 

I fixed your quote ;)

 

 

[♥14steve14]

All done. Thanks for the heads up.

[mhsuffolk]

Done mine. Thanks @@burt and @@SecurityGeek

[MrPhil]

So, is there a preferred channel for reporting such things? I realize there is a lot of crap out there breathlessly reporting horrendous security exposures on decade-old osC versions, which you probably don't want to wade through.

[quetevendo]

So, is there a preferred channel for reporting such things? I realize there is a lot of crap out there breathlessly reporting horrendous security exposures on decade-old osC versions, which you probably don't want to wade through.

 

This Channel?

[quetevendo]

Already 18 repair shops. Thank you!

[burt]

So, is there a preferred channel for reporting such things? I realize there is a lot of crap out there breathlessly reporting horrendous security exposures on decade-old osC versions, which you probably don't want to wade through.

 

A message to @@Gergely or @burt would do it, but only for 2.3 shops onwards.

[burt]

If anyone would like to read more on this, please view this blog post from @@SecurityGeek

 

Anyone on Twitter might also like to follow https://twitter.com/_SecGeek

[Jack_mcs]

I'm curious as to what I am missing here? What makes this a serious problem? If the admin is password protected, this exploit can't be used, at least that I can see. If a hacker can get by the password protection, there would be much more serious problems. And, of course, if the admin was named something else, it would all but eliminate this possibility even if it worked without logging in. I'm not saying it shouldn't be fixed and it is good that it was reported. I'm just wondering what I am missing that seems to make this much of a threat.

[Taipo]

You are quite correct Jack. It will only affect those not employing htaccess on their admin directories where the admin directory is discoverable.

 

So its not going to be a ground breaking security issue as was the case with previous admin exploits.