osCommerce

The e-commerce.

Security --> VULNERABILITIES


schmidtmaster


Hi,

I am using OSC 2.2 MS2. Now I saw that there are some bugs:

http://www.securityfocus.com/bid/9238/info/

http://www.securityfocus.com/bid/9275/info/

http://www.securityfocus.com/bid/9277/info/

Under Solution I found the following:

Solution:

Vendor was contacted and plans on releasing a fix this week. Please see their website at http://www.oscommerce.com for any details about the fix.

But I can't find the solution for the bugs. Can someone tell me how to fix the bugs?

The other thing is:

For this problem:

osCommerce is vulnerable to an XSS flaw. The flaw can be exploited when a malicious user passes a malformed session ID to the URI. Below is an example of the flaw.

https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

is the solution:

This is the response from the developer.

To fix the issue, the $_sid parameter needs to be wrapped in tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:

if (isset($_sid)) {
  $link .= $separator . $_sid;
}

After:

if (isset($_sid)) {
  $link .= $separator . tep_output_string($_sid);
}

I have two shops; one of them is not vulnerable to the XSS flaw (I don't know why, maybe because of some contributions I have inserted) but the other is. I have tried the solution but it doesn't work on my shop.

Can someone help me?

Thanks


From what I read, it appears that if you are running MS2 you are somewhat safe. You may receive a DoS, but that is easily fixed, and unless somebody has a work-around for the "add slashes", you won't be subject to "arbitrary SQL queries".

Even so, this is still a security issue (especially for MS1 users).

Would any of the team members like to comment on this one?


No new information on this?

How about a post from the development team? Anything, even if they say you have to upgrade to MS2. Just tell us something.

The silence is leading me to believe there is a big problem and no one wants to admit it. There must be hundreds or even thousands of stores running MS1.


If you read further in the articles on SecurityFocus, they do post what you need to check there, as well as what is necessary to fix the problem. I subscribe to that and have for years, and I came back to the site, performed a search and found the info.

http://www.securityfocus.com/bid/9238/solution/

They do not post anything on SecurityFocus without describing the exploit and then the solution, so click to the right in there (I posted the actual page here) and you can see the solution.


Well, I don't see the big problem about it. A user who is interested in buying something won't come to your site to play around with it. So what if there is an item in your shopping cart that can't be removed? If a user uses that type of injection he won't buy it in the first place.

Unless I am wrong, of course, and it is possible to do actual damage.


oscbosser - DO NOT worry about your customers or potential customers trying malicious activity. You need to worry about people who want to steal the information in your database or just hijack your site for fun. They could cause a DoS, or simply retrieve your customer data if they manage to successfully exploit your osC install by running SQL queries against your site. This is done by playing with the URL. If the code is built to protect against this sort of disclosure then you have nothing to worry about. If you have not updated since MS2.1 I would suggest doing so; at least patch the thing.

Ok, as far as this vuln discovered in April of 2003 goes, I *think* it has been addressed in the MS2.2 release. I did some real quick testing and all I accomplished was redirecting my browser to my web root. That is all that happened. I will conduct more testing on this as time permits, but so far it does not appear to be an issue with 2.2 MS2.


If you read the workboard summaries it may help to answer a lot of these questions. They went through a security audit back on workboard entry number 63, which was first discussed on workboard entry 59. You can find these here: http://www.oscommerce.com/community/workboard. This may help to answer some of the concerns. Workboard entry number 59 has a link posted at the bottom to a forum discussion about this; the issues seem to be closed in workboard entry 63 relative to the 2.2 MS2 release.


Ok, there is still an XSS vulnerability in 2.2 MS2 that I found. This may not be an issue for the development team as they are preparing for the MS3 release; however, it should concern the thousands who are using 2.2 MS2.

Paste the following in your browser: http://yoursitename/path_to_catalog_direct...;;%3C/script%3E

This exploits the header.php file.

This is the same issue as addressed in the following BugTraq post back on 03/20/03, found here: http://www.securityfocus.com/bid/7151/

Nice message in your header, eh?

And another vulnerability discovered back on 03/20/03 which was not resolved for the MS2 release.

Paste after index.php?

info_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E

BugTraq post: http://www.securityfocus.com/bid/7153/info/

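Added example (PHP), not code from the osCommerce project or from anyone in this thread: it models the two reflected-XSS sinks discussed in the first post and in the post above, the osCsid value that tep_href_link() concatenates into links and the info_message parameter echoed into the page header, and shows the developer's output-encoding fix beside the unfixed form, with an allow-list check on the session id as defence in depth. The names ending in _demo, href_link_before(), href_link_after(), render_info_message() and is_well_formed_sid() are hypothetical stand-ins; the assumptions are that tep_output_string() amounts to htmlspecialchars() and that a genuine session id is a plain alphanumeric token.

```php
<?php
// Added example, not osCommerce's own code. tep_output_string_demo() is a
// hypothetical stand-in for osCommerce's tep_output_string(); it is assumed
// here to be htmlspecialchars() with quotes encoded.
function tep_output_string_demo(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumption: a real session id is a short token of letters, digits, comma
// and hyphen (PHP's default session id character set). Anything else is
// refused before it gets near a link or the page.
function is_well_formed_sid(string $sid): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $sid);
}

// "Before": the session id is appended to the link untouched, so any quote
// or angle bracket inside it breaks out of the href attribute.
function href_link_before(string $page, string $separator, ?string $sid): string
{
    $link = $page;
    if (isset($sid)) {
        $link .= $separator . 'osCsid=' . $sid;
    }
    return $link;
}

// "After": the session id is HTML-encoded on output (the fix from the thread)
// and, additionally, dropped entirely if it is not a well-formed token.
function href_link_after(string $page, string $separator, ?string $sid): string
{
    $link = $page;
    if (isset($sid) && is_well_formed_sid($sid)) {
        $link .= $separator . 'osCsid=' . tep_output_string_demo($sid);
    }
    return $link;
}

// The second sink: a message taken from the query string and shown in the
// header. Encoding at the point of output turns any markup into inert text.
function render_info_message(string $message): string
{
    return '<div class="info">' . tep_output_string_demo($message) . '</div>';
}

// Constructed samples: a normal-looking session id and values carrying markup
// of the shape quoted in the advisories above.
$sids = [
    'ab12cd34ef56ab12cd34ef56ab12cd34',
    '"><iframe src=http://example.invalid></iframe>',
];
foreach ($sids as $sid) {
    echo 'before: <a href="' . href_link_before('index.php', '?', $sid) . "\">shop</a>\n";
    echo 'after:  <a href="' . href_link_after('index.php', '?', $sid) . "\">shop</a>\n\n";
}

$info = '<script language=javascript>window.alert(document.cookie);</script>';
echo render_info_message($info), "\n";
// The encoded output contains &lt;script&gt;... as text, never a live tag.
```

For the hostile session id, href_link_before() emits a link whose href attribute is closed early by the injected quote, which is exactly the attribute break the first post's advisory describes; href_link_after() drops that value because it fails the allow-list, and even a value that passed the check would be encoded so that quotes and angle brackets cannot terminate the attribute. The same encoding applied in render_info_message() is what neutralises the info_message payload from the post above.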

Looks like a hoax.

What kind of harm does it do to MS2? (Apart from showing a message.)

You are talking about MS2; the site you are linking to only talks about:

published: Mar 20, 2003

updated: Mar 20, 2003

vulnerable: osCommerce osCommerce 2.1

osCommerce osCommerce 2.2 ms1


Archived

This topic is now archived and is closed to further replies.
