voided Posted December 17, 2003

With the provided fix by the osCommerce crew (for 2.2-MS1):

Solution: This is the response from the developer. To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:

    if (isset($_sid)) {
      $link .= $separator . $_sid;
    }

After:

    if (isset($_sid)) {
      $link .= $separator . tep_output_string($_sid);
    }

They forgot one more: "admin/includes/functions/sessions.php"

    function tep_session_id($sessid = '') {
      if ($sessid != '') {
        return session_id($sessid);
      } else {
        return session_id();
      }
    }

to

    function tep_session_id($sessid = '') {
      if ($sessid != '') {
        return tep_output_string(session_id($sessid));
      } else {
        return tep_output_string(session_id());
      }
    }

which seemed to fix the problem for me... Could you comment on this? Thanks.

Designrfix.com | Graphic Design Inspiration & Web Design Resources - @designrfix
Harald Ponce de Leon Posted December 17, 2003

Here is the bug report for the cross site scripting issue: http://www.oscommerce.com/community/bugs,1546

Here is the CVS commit change: http://marc.theaimsgroup.com/?l=tep-commit...107167585807914

Here are the changes for 2.2-MS3-CVS that redirect the user to the index page when a malformed session ID is used:

http://marc.theaimsgroup.com/?l=tep-commit...107167526906645
http://marc.theaimsgroup.com/?l=tep-commit...107167585807917

(The second commit is a fix on the first commit regarding the use of $HTTP_*_VARS variables in the session_compatible.php class)

, osCommerce
Guest Posted December 17, 2003

It is still present after implementing the fix. Try it this way: https://path/?osCsid=\"><if...</iframe>

It seems to be only in the SSL mode.
Harald Ponce de Leon Posted December 17, 2003

I tried and get the following error message at the top and bottom of the page:

    Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in ....

The extra HTML (the iframe part) does not get loaded anywhere. Is the extra HTML being executed on your setup? Or are you just getting the PHP warning message?
Guest Posted December 18, 2003

Hello Harald,

It is being loaded on my setup at the bottom of the page. Before changing html_output.php it was loading scattered all over the page. I am still getting the standard security warning about loading both secure and unsecure elements.
Harald Ponce de Leon Posted December 18, 2003

What version of osCommerce are you using? Do you have any contributions installed?
Guest Posted December 18, 2003

I am using Milestone 2. The contributions installed are header tags, paypalipn, allprods, echo. However, I am not using paypalipn and echo. Do you think that since some contributions require a change in the html_output.php something else should be changed? Thank you for checking this out.
voided (author) Posted December 18, 2003

Stupid question but... where does this get loaded anyway? I mean, where does the code of the iframe actually go? (Just want to know because I wouldn't want to get stuck with it :P)
Guest Posted December 18, 2003

I just compared my html_output to the original one and it is identical.
Chad Posted December 18, 2003

I don't think it's been made clear, or I'm blind. But does this fix need to be applied to both MS1 and MS2 stores?
Guest Posted December 18, 2003

It is not loading at all on your website, voided. I just checked it, so if you are looking through logs and see it, it was just a test. It loads on the page at the bottom.
voided (author) Posted December 18, 2003

michal: no way man... the first time I tried it with: https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe> I got calls 2 seconds later asking me wtf was going on with the admin side of osc lol, so I know for a fact that it's not "local" but server wide.

chad: all versions
voided (author) Posted December 18, 2003

This was the actual email from Bugtraq:

Vendor : osCommerce
URL : http://www.oscommerce.com
Version : All Current Versions
Risk : Cross Site Scripting

Description: osCommerce is an online shop e-commerce solution under on going development by the open source community. Its feature packed out-of-the-box installation allows store owners to setup, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved.

Problem: osCommerce is vulnerable to a XSS flaw. The flaw can be exploited when a malicious user passes a malformed session ID to URI. Below is an example of the flaw.

    https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

This condition seems to affect only secure https connections, but was confirmed by the developers to affect regular http connections in the current CVS version of osCommerce.

Solution: This is the response from the developer. To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:

    if (isset($_sid)) {
      $link .= $separator . $_sid;
    }

After:

    if (isset($_sid)) {
      $link .= $separator . tep_output_string($_sid);
    }

osCommerce 2.2 Milestone 3 will redirect the user to the index page when a malformed session ID is used, so that a new session ID can be generated.

Credits: Credits go to JeiAr of the GulfTech Security Research Team. http://www.gulftech.org
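The following is an added example and not part of this thread or of osCommerce's own code. It models, in Python, what the advisory and the MS3 commits describe: the unescaped session id appended to a link by tep_href_link() lands inside the href attribute, so the payload's leading double quote closes the attribute and the rest is parsed as a new tag; tep_output_string()'s default mode turns that quote into &quot; so the attribute value stays intact; and the MS3-style check rejects any id that is not made of a-z, A-Z and 0-9 (the set named in the PHP warning quoted above) and redirects to the index page instead of reflecting it. The store hostname, page name and link text are assumptions for the demo; the payload is the one quoted in the advisory.

```python
"""Added example (not osCommerce code): an unescaped osCsid breaking out of an
href attribute, the quote-escaping fix, and the MS3-style session-id check."""
import html
import re
from html.parser import HTMLParser

SESSION_NAME = "osCsid"
BASE = "https://shop.example/"  # assumed store URL, not from the thread
# Payload from the GulfTech advisory, used here as constructed test input.
PAYLOAD = '"><iframe src=http://www.gulftech.org></iframe>'


def output_string(s, protected=False):
    """Models tep_output_string(): by default only '"' becomes &quot;;
    with $protected = true it is htmlspecialchars(), which also encodes < > &."""
    if protected:
        return html.escape(s, quote=True)
    return s.replace('"', "&quot;")


def href_link(page, params="", sid=None, escape=None):
    """Models tep_href_link(): escape=None is the vulnerable 'before' code,
    escape=output_string is the 'after' code from the advisory."""
    link = BASE + page
    sep = "?"
    if params:
        link += sep + params
        sep = "&"
    if sid is not None:
        link += sep + (escape(sid) if escape else sid)
    return link


def render_link(page, sid_value, escape=None):
    """Builds the '<a href="...">' markup a template would emit; $_sid in
    osCommerce is 'osCsid=<id>', so the name is prepended here as well."""
    sid = SESSION_NAME + "=" + sid_value
    return '<a href="%s">Continue</a>' % href_link(page, "", sid, escape)


class _TagCollector(HTMLParser):
    """Records start tags the way a browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup):
    """Returns the element names a parser finds in the rendered markup."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# MS3-style check: the PHP warning in the thread names a-z, A-Z and 0-9 as the
# only valid characters, so anything outside that set is a malformed id.
_SID_RE = re.compile(r"[A-Za-z0-9]+")


def is_valid_session_id(sid):
    return _SID_RE.fullmatch(sid) is not None


def resolve_session(query_sid):
    """Models the MS3 behaviour: a malformed id redirects to index.php so a
    fresh id is generated; a well-formed id is accepted as-is."""
    if not is_valid_session_id(query_sid):
        return ("redirect", BASE + "index.php")
    return ("ok", query_sid)


if __name__ == "__main__":
    print(tags_in(render_link("index.php", PAYLOAD)))                 # ['a', 'iframe']
    print(tags_in(render_link("index.php", PAYLOAD, output_string)))  # ['a']
    print(resolve_session(PAYLOAD))                                   # ('redirect', 'https://shop.example/index.php')
```

Two caveats the model makes visible: the default mode of tep_output_string() only rewrites the double quote, so it holds the line exactly as long as every template emits the link inside a double-quoted attribute; the $protected = true path (htmlspecialchars) does not depend on that. And rejecting a malformed id up front, as MS3 does, keeps the value out of the page entirely, which also removes the session_start() warning that otherwise gets printed into the HTML.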
Guest Posted December 18, 2003

Voided, did the fix do it for you?
voided (author) Posted December 18, 2003

michal, I'm not 100% sure, not after looking at what Harald posted. I wish I could try again, but I'd like to know a bit more about how this flaw actually works.
Guest Posted December 18, 2003

That's a few lines of my html_output containing the code. Maybe I'm blind, but for me it seems ok.

    if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
      while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);
      $link = str_replace('?', '/', $link);
      $link = str_replace('&', '/', $link);
      $link = str_replace('=', '/', $link);
      $separator = '?';
    }

    if (isset($_sid)) {
      $link .= $separator . tep_output_string($_sid);
    }

    return $link;
  }

////
// The HTML image wrapper function
  function tep_image($src, $alt = '', $width = '', $height = '', $parameters = '') {
    if ( (empty($src) || ($src == DIR_WS_IMAGES)) && (IMAGE_REQUIRED == 'false') ) {
      return false;
    }
voided (author) Posted December 18, 2003

Indeed, yours looks ok. I didn't have the tep_output_string(), so I had to put it in... but the 2 other files, session.php and session_compatible.php, aren't compatible on this one.
Guest Posted December 18, 2003

Yeah, I noticed that the two other files are not compatible. I just hope that this can be fixed.
Chad Posted December 18, 2003

Ya, MS1 doesn't have the tep_output_string() function. So what now?
voided (author) Posted December 18, 2003

chad... crap, I just noticed that, but why am I not getting any errors? Shouldn't it say anything? Like... unknown function or class... gah! Never mind, I see it now :(
Chad Posted December 18, 2003

And I'm not so sure that copying over tep_output_string() from MS2/CVS MS3 will do much good. It would be nice if a team member could address this problem for specific versions. Some people run older stores and made lots of changes to their stores, so upgrading isn't always an easy option.
voided (author) Posted December 18, 2003

Trust me, I know what you're talking about. I'm nowhere near restarting work on a newer version.
voided (author) Posted December 18, 2003

I've added the

    function tep_output_string($string, $translate = false, $protected = false) {
      if ($protected == true) {
        return htmlspecialchars($string);
      } else {
        if ($translate == false) {
          // default mode: only the double quote is mapped to its HTML entity
          return tep_parse_input_field_data($string, array('"' => '&quot;'));
        } else {
          return tep_parse_input_field_data($string, $translate);
        }
      }
    }

code to the general.php and re-added the tep_output_string to the $sid in html_output.php... so far so good, not sure if it's effective though.
Chad Posted December 18, 2003

Good to know, voided. I'd still like an official response from the team :/
voided (author) Posted December 18, 2003

No, it's still happening :/
This topic is now archived and is closed to further replies.