
XSS vulnerability


voided


With the provided fix by the osCommerce crew (for 2.2-MS1):

 

 

Solution:
This is the response from the developer.

To fix the issue, the $_sid parameter needs to be wrapped around 
tep_output_string() in the tep_href_link() function defined in 
includes/functions/html_output.php.

Before:

if (isset($_sid)) {
$link .= $separator . $_sid;
}

After:

if (isset($_sid)) {
$link .= $separator . tep_output_string($_sid);
}

 

 

They forgot one more:

"admin/includes/functions/sessions.php"

  function tep_session_id($sessid = '') {
    if ($sessid != '') {
      return session_id($sessid);
    } else {
      return session_id();
    }
  }

to

  function tep_session_id($sessid = '') {
    if ($sessid != '') {
      return tep_output_string(session_id($sessid));
    } else {
      return tep_output_string(session_id());
    }
  }

 

which seemed to fix the problem for me...

 

could you comment on this?

 

thanks


Here is the bug report for the cross site scripting issue:

 

http://www.oscommerce.com/community/bugs,1546

 

Here is the CVS commit change:

 

http://marc.theaimsgroup.com/?l=tep-commit...107167585807914

 

Here are the changes for 2.2-MS3-CVS that redirect the user to the index page when a malformed session ID is used:

 

http://marc.theaimsgroup.com/?l=tep-commit...107167526906645

http://marc.theaimsgroup.com/?l=tep-commit...107167585807917

 

(The second commit is a fix on the first commit regarding the use of $HTTP_*_VARS variables in the session_compatible.php class)

:heart:, osCommerce

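The two layers discussed in this thread, the raw osCsid value landing inside an href attribute and the MS3-style rejection of a malformed session ID, shown side by side as an added example in PHP. This is not osCommerce's own code: the functions ending in _example are hypothetical, and tep_output_string_example() is an assumed stand-in that only does what the thread's tep_output_string() does for a double quote. The payload is the one quoted in the advisory.

```php
<?php
// Added example, not osCommerce code. Demonstrates why an unescaped osCsid
// is an XSS sink in tep_href_link() and what each fix from the thread changes.
// Names ending in _example are hypothetical.

// Stand-in for tep_output_string(): encode the double quote so a value can sit
// inside href="..." without closing the attribute. (osCommerce's version routes
// this through tep_parse_input_field_data(); assumed here to behave the same.)
function tep_output_string_example($string) {
    return strtr(trim($string), array('"' => '&quot;'));
}

// Vulnerable shape of the link builder: the raw session ID is appended to the URL
// and the resulting string is emitted inside an HTML attribute.
function href_link_vulnerable($page, $sid) {
    return '<a href="' . $page . '?osCsid=' . $sid . '">link</a>';
}

// Fixed shape (the html_output.php change quoted in the thread): the session ID
// is encoded before concatenation, so the attribute cannot be terminated early.
function href_link_fixed($page, $sid) {
    return '<a href="' . $page . '?osCsid=' . tep_output_string_example($sid) . '">link</a>';
}

// Second layer, what 2.2-MS3 does at request time: accept only the character set
// PHP itself allows for session IDs (a-z, A-Z, 0-9). Anything else would make
// session_start() raise the "session id contains invalid characters" warning
// seen later in this thread, and must never be echoed back into the page.
function valid_session_id_example($sid) {
    return is_string($sid) && preg_match('/^[A-Za-z0-9]+$/', $sid) === 1;
}

// Returns what the request handler should do with the supplied osCsid.
function handle_request_sid_example(array $get) {
    if (isset($get['osCsid']) && !valid_session_id_example($get['osCsid'])) {
        // MS3 redirects to the index page so that a fresh session ID is generated
        // instead of the attacker-supplied one being reused anywhere.
        return 'redirect:/index.php';
    }
    return 'ok';
}

// Constructed input: the payload from the GulfTech advisory.
$payload = '"><iframe src=http://www.gulftech.org></iframe>';

echo href_link_vulnerable('/catalog/index.php', $payload), "\n";
echo href_link_fixed('/catalog/index.php', $payload), "\n";
echo handle_request_sid_example(array('osCsid' => $payload)), "\n";
echo handle_request_sid_example(array('osCsid' => 'a1b2c3d4')), "\n";
```

Running it shows the vulnerable builder emitting the iframe as live markup after a closed href attribute, while the fixed builder keeps the whole payload inside the attribute value because the quote became &quot;. Two caveats for anyone applying only the encoding fix: it protects a double-quoted attribute and nothing else (a single-quoted or unquoted attribute, or a session ID echoed into JavaScript, would need different encoding), and it still lets an attacker choose the session ID the store will use, which is why the allow-list check and fresh session in the second layer matter independently of the XSS.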

I tried and get the following error message at the top and bottom of the page:

 

Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in ....

 

The extra HTML (the iframe part) does not get loaded anywhere.

 

Is the extra HTML being executed on your setup? Or are you just getting the PHP warning message?

:heart:, osCommerce


Hello Harald,

 

It is being loaded on my setup at the bottom of the page. Before changing html_output.php it was loading scattered all over the page.

 

I am still getting the standard security warning about loading both secure and unsecure elements.


I am using milestone 2. The contributions installed are header tags, paypalipn, allprods, echo. However I am not using paypalipn and echo.

Do you think that since some contributions require a change in the html_output.php something else should be changed?

 

Thank you for checking this out.


It is not loading at all on your website voided. I just checked it, so if you are looking through logs and see it - it was just a test.

 

It loads on the page at the bottom.


michal : no way man... the first time i tried it with : https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

 

i got calls 2 seconds later asking me wtf was going on with the admin side of osc lol

 

so i know for a fact that its not "local" but server wide.

 

chad : all versions


This was the actual email from bugtraq:

Vendor  : osCommerce
URL     : http://www.oscommerce.com
Version : All Current Versions
Risk    : Cross Site Scripting

Description:
osCommerce is an online shop e-commerce solution under ongoing
development by the open source community. Its feature packed
out-of-the-box installation allows store owners to setup, run, and
maintain their online stores with minimum effort and with absolutely
no costs or license fees involved.

Problem:
osCommerce is vulnerable to an XSS flaw. The flaw can be exploited when
a malicious user passes a malformed session ID in the URI. Below is an
example of the flaw.

https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

This condition seems to affect only secure https connections, but was
confirmed by the developers to affect regular http connections in the
current CVS version of osCommerce.

Solution:
This is the response from the developer.

To fix the issue, the $_sid parameter needs to be wrapped around
tep_output_string() in the tep_href_link() function defined in
includes/functions/html_output.php.

Before:

if (isset($_sid)) {
  $link .= $separator . $_sid;
}

After:

if (isset($_sid)) {
  $link .= $separator . tep_output_string($_sid);
}

osCommerce 2.2 Milestone 3 will redirect the user to the index page when
a malformed session ID is used, so that a new session ID can be generated.

Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org


That's a few lines of my html_output containing the code:

Maybe I'm blind, but for me it seems ok.

 

if ( (SEARCH_ENGINE_FRIENDLY_URLS == 'true') && ($search_engine_safe == true) ) {
     while (strstr($link, '&&')) $link = str_replace('&&', '&', $link);

     $link = str_replace('?', '/', $link);
     $link = str_replace('&', '/', $link);
     $link = str_replace('=', '/', $link);

     $separator = '?';
   }

   if (isset($_sid)) {
     $link .= $separator . tep_output_string($_sid);
   }

   return $link;
 }

////
// The HTML image wrapper function
 function tep_image($src, $alt = '', $width = '', $height = '', $parameters = '') {
   if ( (empty($src) || ($src == DIR_WS_IMAGES)) && (IMAGE_REQUIRED == 'false') ) {
     return false;
   }


And I'm not so sure that copying over tep_output_string() for MS2/CVS-MS3 will do much good. It would be nice if a team member could address this problem for specific versions.

 

Some people run older stores and made lots of changes to their stores.. so upgrading isn't always an easy option.


I've added the

 

  function tep_output_string($string, $translate = false, $protected = false) {
    if ($protected == true) {
      return htmlspecialchars($string);
    } else {
      if ($translate == false) {
        // The double quote must map to the entity &quot; (the forum rendered it
        // back to a plain quote); mapping '"' to '"' would leave it untouched.
        return tep_parse_input_field_data($string, array('"' => '&quot;'));
      } else {
        return tep_parse_input_field_data($string, $translate);
      }
    }
  }

 

code to general.php and re-added the tep_output_string() call around $sid in html_output.php... so far so good, not sure if it's effective though.


Archived

This topic is now archived and is closed to further replies.
