chluo Posted August 20, 2021

I am using osCommerce 2 and found one potential XSS vulnerability in its version 18.104.22.168:

osCommerce implements the function tep_db_query() to execute SQL statements. In case of a MySQL error, tep_db_query() calls tep_db_error() to handle the MySQL errors:

    $result = mysqli_query($$link, $query) or tep_db_error($query, mysqli_errno($$link), mysqli_error($$link));

The tep_db_error() function basically calls the die() function to display the error back to users:

    die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . ' ...);

The $query variable is sent by users and is well sanitized against SQL injection. However, it is also used in the die() function (a sensitive XSS function like echo()) when MySQL returns errors. In multiple files (e.g., "/admin/modules.php"), the $query variable is not sanitized (against XSS) and can be exploited because of the die() function.

I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.
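As an added example that is not part of chluo's post or of the osCommerce code base, the script below mirrors the string concatenation in the die() call quoted above, returns the markup instead of terminating, and puts an output-escaped variant beside it. The query and error strings are constructed inputs, and the helper names (build_error_html_vulnerable, build_error_html_escaped, h, contains_live_tag) are mine.

```php
<?php
// Added example (not osCommerce code): shows why echoing the failed SQL
// statement back in tep_db_error()'s die() is an XSS sink, and one way to
// escape it. Function names and the sample inputs below are my own.

// Constructed input: a query that is perfectly safe for MySQL (the payload
// sits inside a quoted string literal) but carries HTML. If MySQL rejects
// the statement for any reason, the raw text lands in the error page.
const SAMPLE_QUERY = "select * from configuration where configuration_key = '<img src=x onerror=alert(1)>' limit";
const SAMPLE_ERRNO = 1064;
// MySQL syntax errors quote the offending fragment, so $error can carry the
// payload too, not only $query.
const SAMPLE_ERROR = "You have an error in your SQL syntax; check the manual near '<img src=x onerror=alert(1)>' limit";

// Builds the markup the way the original die() call does: values are
// concatenated straight into HTML without escaping. Returned instead of
// die()'d so the two variants can be compared in one run.
function build_error_html_vulnerable($query, $errno, $error) {
    return '<font color="#000000"><strong>' . $errno . ' - ' . $error
         . '<br /><br />' . $query . '</strong></font>';
}

// Hardened variant: every dynamic value is HTML-escaped for the context it
// lands in (element content). ENT_QUOTES also neutralises quotes, so the
// same helper stays safe if a value is ever placed inside an attribute.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function build_error_html_escaped($query, $errno, $error) {
    return '<font color="#000000"><strong>' . h($errno) . ' - ' . h($error)
         . '<br /><br />' . h($query) . '</strong></font>';
}

// Simple check: does the rendered page still contain a live tag from input?
function contains_live_tag($html, $payload_tag = '<img') {
    return stripos($html, $payload_tag) !== false;
}

$vulnerable = build_error_html_vulnerable(SAMPLE_QUERY, SAMPLE_ERRNO, SAMPLE_ERROR);
$escaped    = build_error_html_escaped(SAMPLE_QUERY, SAMPLE_ERRNO, SAMPLE_ERROR);

echo "vulnerable output contains live <img>: ", contains_live_tag($vulnerable) ? "yes" : "no", PHP_EOL;
echo "escaped output contains live <img>:    ", contains_live_tag($escaped) ? "yes" : "no", PHP_EOL;
echo PHP_EOL, $escaped, PHP_EOL;
```

Run it with `php example.php`. The point the example makes is that sanitizing $query for the SQL context (escaping quotes) does nothing for the HTML context it is later written into, so the fix belongs at the output point in tep_db_error(), applied to $error and $errno as well as $query. On the admin pages the post mentions, the user viewing the error page is the store administrator, which is what makes a reflected payload in this handler worth fixing.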