
Potential XSS vulnerability


chluo


I am using osCommerce 2 and found one potential XSS vulnerability in version 2.3.4.1:

osCommerce implements the function tep_db_query() to execute SQL statements. In case of a MySQL error, tep_db_query() calls tep_db_error() to handle the MySQL error:

$result = mysqli_query($$link, $query) or tep_db_error($query, mysqli_errno($$link), mysqli_error($$link));

The tep_db_error() function basically calls die() to display the error back to the user:

die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . ' ...);

The $query variable is sent by users and is well sanitized against SQL injection. However, it is also used in the die() function (a sensitive XSS function, like echo()) when MySQL returns errors. In multiple files (e.g. "/admin/modules.php"), the $query variable is not sanitized (against XSS) and can be exploited because of the die() function.

I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.


If by "newer version" you mean the version of oscommerce, that might be the case with the new planned version. The current V2 version is no longer supported so such changes would not be made to it.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


16 minutes ago, bonbec said:

Excuse me for asking the question, but if the person already has access to the admin, what's the use of doing an XSS inclusion?

The attacker can be a common user; the two query functions I mentioned are in the include folder.


20 minutes ago, Jack_mcs said:

If by "newer version" you mean the version of oscommerce, that might be the case with the new planned version. The current V2 version is no longer supported so such changes would not be made to it.

OK. Please let me know if it has been fixed. Thanks


die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . htmlspecialchars($query) . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');

@chluo you mean like this?


Just now, Hotclutch said:

die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . htmlspecialchars($query) . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');

@chluo you mean like this?

Yes.

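As an added illustration, not osCommerce's own code and not anything posted in this thread: the snippet below models tep_db_error() as functions that return the HTML they would have handed to die(), so the output of four variants can be compared on the same constructed input: the raw 2.3.4.1 shape, the one-line fix above that escapes only $query, a version that escapes $error as well, and the "log it and show a generic message" approach. All names prefixed demo_ and the sample query, error text and log path are assumptions made for this example. The point it adds beyond the thread is that a MySQL 1064 syntax error quotes the text near the error, so $error can repeat the same markup that $query carried; escaping $query alone therefore still leaves a script tag in the response.

```php
<?php
// Added illustration for this thread; this is not osCommerce's own code.
// tep_db_error() is modelled as functions that return the HTML they would
// have passed to die(), so the result can be inspected. Every name with a
// "demo_" prefix is an assumption made for this example.

declare(strict_types=1);

// Constructed inputs: what the error path receives when a request parameter
// carrying markup reaches the query text and MySQL rejects the statement.
const DEMO_ERRNO = 1064;
const DEMO_QUERY = "select * from configuration where configuration_key = '<script>alert(document.cookie)</script>'";
// MySQL syntax errors quote a fragment of the offending statement, so the
// $error argument repeats whatever payload $query carried.
const DEMO_ERROR = "You have an error in your SQL syntax; check the manual that corresponds to your "
    . "MySQL server version for the right syntax to use near '<script>alert(document.cookie)</script>'' at line 1";

function demo_escape(string $value): string
{
    // ENT_QUOTES also escapes single quotes, which matters inside attributes;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Shape of the 2.3.4.1 code: raw values concatenated into HTML.
function demo_tep_db_error_raw(string $query, int $errno, string $error): string
{
    return '<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query
        . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>';
}

// 2. The one-line fix from the thread: only $query is escaped.
function demo_tep_db_error_query_escaped(string $query, int $errno, string $error): string
{
    return '<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . demo_escape($query)
        . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>';
}

// 3. Every value that can carry request data is escaped, $error included.
function demo_tep_db_error_all_escaped(string $query, int $errno, string $error): string
{
    return '<font color="#000000"><strong>' . $errno . ' - ' . demo_escape($error) . '<br /><br />' . demo_escape($query)
        . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>';
}

// 4. The "hide the failure" approach: details go to a server-side log,
//    the visitor gets a fixed message with nothing request-controlled in it.
function demo_tep_db_error_hidden(string $query, int $errno, string $error, string $logFile): string
{
    $line = sprintf("[%s] MySQL error %d: %s | query: %s\n", gmdate('c'), $errno, $error, $query);
    error_log($line, 3, $logFile);   // message_type 3 appends to the given file
    return '<strong>A database error occurred. The details have been logged.</strong>';
}

// Crude check used only for this demonstration: does the HTML still contain
// an unescaped script tag that a browser would execute?
function demo_has_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$logFile = sys_get_temp_dir() . '/demo_tep_db_error.log';   // assumed path
$cases = [
    'raw'           => demo_tep_db_error_raw(DEMO_QUERY, DEMO_ERRNO, DEMO_ERROR),
    'query escaped' => demo_tep_db_error_query_escaped(DEMO_QUERY, DEMO_ERRNO, DEMO_ERROR),
    'all escaped'   => demo_tep_db_error_all_escaped(DEMO_QUERY, DEMO_ERRNO, DEMO_ERROR),
    'hidden'        => demo_tep_db_error_hidden(DEMO_QUERY, DEMO_ERRNO, DEMO_ERROR, $logFile),
];
foreach ($cases as $name => $html) {
    printf("%-14s executable script tag in response: %s\n", $name, demo_has_raw_script($html) ? 'yes' : 'no');
}
```

Run it with `php` on the command line: the raw and query-escaped variants both report an executable script tag (the second one via $error), while escaping every value, or not echoing the details at all, does not. In a real shop the hidden variant still needs the log file outside the web root and the generic message is what die() should receive.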

1 hour ago, Hotclutch said:

I see the commits are for Vanilla osCommerce. If someone has a solution for regular osCommerce and the CE versions (which probably are the same) that would be useful.

The goal is, or should be, to hide the failure from the visitor. That's what my addon does. 


31 minutes ago, Jack_mcs said:

The goal is, or should be, to hide the failure from the visitor. That's what my addon does. 

The instructions for your addon say to:

1) - Upload the included osc_error_handler_db_handler.php file to
the root of your shop and then execute it by using a URL like:

https://YOUR DOMAIN/osc_error_handler_db_handler.php

but there is no such file included, only osc_error_handler.php in the functions folder. Is that right?


I guess it would be advisable to do both - fix the vulnerability and install the addon.

Would it still be possible for a hacker to exploit this vulnerability with the addon installed? i.e a hacker who knows osCommerce and who already knows the vulnerability exists.


The addon doesn't stop attacks. It just prevents the message from displaying on the site. For a while, a few years ago, there was a common attempt where the hacker would enter an invalid command just so they could see the command. Once they had the format, they would put in valid data and try again. The shop's code should handle such attacks, but the older shops don't. But even Phoenix, at least in earlier versions, still displayed the error, so that should be stopped regardless.


10 hours ago, chluo said:

I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.

Requests use preparation; in order to perform injection you need to have access to the code.

It does not affect anything.

Delete the code: die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');
