
osCommerce


XSS vulnerability


voided


Posted
I am using milestone 2. The contributions installed are header tags, paypalipn, allprods, echo. However I am not using paypalipn and echo.

Do you think that since some contributions require a change in the html_output.php something else should be changed?

 

Thank you for checking this out.

 

I cannot reproduce the problem on MS1, MS2, nor on MS3-CVS, and will have to say that unless others confirm the problem, it is probably a contribution you have installed that needs to be updated.

 

You might want to apply the redirection update - as one has only been provided for MS3-CVS, I will soon post solutions for MS1 and MS2.

:heart:, osCommerce

Posted
I didn't have the tep_output_string() function, so I had to put it in...

 

but the 2 other files session.php and session_compatible.php aren't compatible on this one.

MS1 does not contain the tep_output_string() function which was introduced in MS2.

 

For MS1 installations, htmlentities() can be used instead of tep_output_string(). However, and again, MS1 will remain in the risk zone as user input parsing was implemented in MS2.

 

The session.php and session_compatible.php classes were recently introduced in CVS and will be appearing in MS3. The updates made to these classes to redirect the user when a malformed session ID is in use, will soon be posted for MS1 and MS2.

:heart:, osCommerce

Posted
Forgot to mention this: I only seem to get it in the admin section... nowhere else.

 

The updates presented are only for the Catalog frontend - if you don't trust your administrators using the Administration Tool, you have other problems to worry about :ph34r:

:heart:, osCommerce

Posted

Here is the tep_session_start() function replacement for MS1 and MS2 installations, that will redirect the user to the index page when a malformed session ID is in use.

 

The function is defined in includes/functions/sessions.php.

 

From:

 

function tep_session_start() {
 return session_start();
}

 

To:

 

function tep_session_start() {
 global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

 $sane_session_id = true;

 if (isset($HTTP_GET_VARS[tep_session_name()])) {
   if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
     unset($HTTP_GET_VARS[tep_session_name()]);

     $sane_session_id = false;
   }
 } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
   if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
     unset($HTTP_POST_VARS[tep_session_name()]);

     $sane_session_id = false;
   }
 } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
   if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
     unset($HTTP_COOKIE_VARS[tep_session_name()]);

     $sane_session_id = false;
   }
 }

 if ($sane_session_id == false) {
   header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);
 } else {
   session_start();
 }
}

 

MS2 installations should replace the header() line above to use osCommerce functions:

 

From:

 

    header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);

 

To:

 

    tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));

 

MS1 could also use the tep_redirect() and tep_href_link() combination, however the files with these functions defined are included later in application_top.php and cannot be used earlier when the tep_session_start() function is called.

:heart:, osCommerce

Posted

I seem to get the htmlspecialchars error when PWA 6d is installed, as I installed a fresh installation and then put the PWA in. So it crashes when payment is made, when no account is used, and when an account is used and authorize.net is chosen: it goes to https://secure.authorize.net/gateway/transact.dll and drops back to the PWA screen of login, create account, or continue purchasing without creating an account.

If you want a test site where I have this, I can give it to you.

Posted

I used the fix for MS2, and the "PHP Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9" errors stopped; however now it's:

 

PHP Warning: session_register(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9

 

Is it okay to leave this as is?

 

Note: I haven't actually seen the session_start or session_register errors on my site, but they are logged in my CPanel error log.

 

They worry me.

Posted

caconline, I see the same warning messages that you see. I am running MS1 and don't know whether to be worried or not.

 

Not sure how to even fix the problem on MS1.

 

Any other comments from the development team?

Posted

So to clarify the fix for the most recent version of osCommerce 2.2 we should do both of the following fixes or am I confused?

 

Here is the tep_session_start() function replacement for MS1 and MS2 installations, that will redirect the user to the index page when a malformed session ID is in use.

 

The function is defined in includes/functions/sessions.php.

 

From:

 

function tep_session_start() {
 return session_start();
}

 

To:

 

function tep_session_start() {
 global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

 $sane_session_id = true;

 if (isset($HTTP_GET_VARS[tep_session_name()])) {
   if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
     unset($HTTP_GET_VARS[tep_session_name()]);

     $sane_session_id = false;
   }
 } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
   if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
     unset($HTTP_POST_VARS[tep_session_name()]);

     $sane_session_id = false;
   }
 } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
   if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
     unset($HTTP_COOKIE_VARS[tep_session_name()]);

     $sane_session_id = false;
   }
 }

 if ($sane_session_id == false) {
   header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);
 } else {
   session_start();
 }
}

 

MS2 installations should replace the header() line above to use osCommerce functions:

 

From:

 

    header('Location: ' . HTTP_SERVER . DIR_WS_CATALOG . FILENAME_DEFAULT);

 

To:

 

    tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));

 

MS1 could also use the tep_redirect() and tep_href_link() combination, however the files with these functions defined are included later in application_top.php and cannot be used earlier when the tep_session_start() function is called.

 

AND

 

To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

 

Before:

 

if (isset($_sid)) {
  $link .= $separator . $_sid;
}

 

After:

 

if (isset($_sid)) {
  $link .= $separator . tep_output_string($_sid);
}

 

 

OR SHOULD MY html_output.php be the following:

} elseif (isset($_sid)) {
  $link .= $separator . tep_output_string($_sid);
  $seo_link .= $separator . tep_output_string($_sid);
  $seo_rewrite_link .= $separator . tep_output_string($_sid);
}

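The two fixes quoted in the post above (the alphanumeric check on the session ID before session_start(), and the escaping of $_sid before it is appended to a generated link), combined into one stand-alone PHP script. This is an added example, not code from the thread or from osCommerce: the function names sid_status(), check_session_id(), build_link_unsafe() and build_link_safe(), the SESSION_NAME constant, the base URL and the sample request values are all constructed for the example, and htmlspecialchars() stands in for tep_output_string() as the thread suggests for MS1.

```php
<?php
// Added example (not osCommerce code): a stand-alone PHP 7.1+ script that combines
// the two defensive measures discussed in this thread. sid_status(),
// check_session_id(), build_link_unsafe(), build_link_safe() and SESSION_NAME are
// names chosen for this example; they are not osCommerce functions or constants.

const SESSION_NAME = 'osCsid';   // assumption: the name of the session ID parameter

/**
 * Inspects one request source. Returns null when the source carries no session
 * ID, true when the ID is purely alphanumeric (/^[a-zA-Z0-9]+$/), and false when
 * it is malformed; a malformed value is removed from the source so that
 * session_start(), session_register() and the link builder never see it.
 */
function sid_status(array &$source): ?bool
{
    if (!isset($source[SESSION_NAME])) {
        return null;
    }
    if (preg_match('/^[a-zA-Z0-9]+$/', (string) $source[SESSION_NAME]) === 1) {
        return true;
    }
    unset($source[SESSION_NAME]);
    return false;
}

/**
 * Same precedence as the tep_session_start() replacement: GET, then POST, then
 * COOKIE; only the first source that carries a session ID is inspected.
 * Returns true when it is safe to call session_start(), false when the caller
 * should redirect to the index page instead.
 */
function check_session_id(array &$get, array &$post, array &$cookie): bool
{
    $status = sid_status($get) ?? sid_status($post) ?? sid_status($cookie);
    return $status ?? true;   // no session ID anywhere: nothing to reject
}

/** The "Before" form of the link code: the raw session ID goes into the HTML. */
function build_link_unsafe(string $page, ?string $sid): string
{
    $link = 'http://shop.example/catalog/' . $page;   // constructed base URL
    if ($sid !== null) {
        $link .= '?' . SESSION_NAME . '=' . $sid;
    }
    return $link;
}

/**
 * The "After" form: the session ID is HTML-escaped before it is appended.
 * htmlspecialchars() is used here in place of the osCommerce tep_output_string()
 * wrapper, as the thread suggests for MS1 installations.
 */
function build_link_safe(string $page, ?string $sid): string
{
    $link = 'http://shop.example/catalog/' . $page;
    if ($sid !== null) {
        $link .= '?' . SESSION_NAME . '=' . htmlspecialchars($sid, ENT_QUOTES, 'UTF-8');
    }
    return $link;
}

// Constructed sample requests, not real traffic.
$post   = [];
$cookie = [];

$good = [SESSION_NAME => 'a1B2c3D4'];
printf("well-formed ID accepted: %s\n",
    var_export(check_session_id($good, $post, $cookie), true));

$bad = [SESSION_NAME => 'a1B2"><b>x</b>'];
$accepted = check_session_id($bad, $post, $cookie);
printf("malformed ID accepted:   %s, still present in request: %s\n",
    var_export($accepted, true), var_export(isset($bad[SESSION_NAME]), true));

// What each link builder emits if the malformed ID reached it anyway.
echo 'unsafe link: <a href="', build_link_unsafe('index.php', 'a1B2"><b>x</b>'), "\">home</a>\n";
echo 'safe link:   <a href="', build_link_safe('index.php', 'a1B2"><b>x</b>'), "\">home</a>\n";
```

Run it from the command line with `php`. The malformed ID is reported as rejected and is no longer present in the request array afterwards, which is why the thread's redirect fix also silences the session_start() warning; the safe link shows the quote and angle brackets as HTML entities, so the href attribute of the enclosing anchor stays closed even when the check is bypassed or not yet installed.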
