schmidtmaster Posted January 19, 2004

Hi, I am using OSC 2.2 MS2. Now I saw that there are some bugs:

http://www.securityfocus.com/bid/9238/info/
http://www.securityfocus.com/bid/9275/info/
http://www.securityfocus.com/bid/9277/info/

Under Solution I found the following:

Solution: Vendor was contacted and plans on releasing a fix this week. Please see their website at http://www.oscommerce.com for any details about the fix.

But I can't find the solution for the bugs. Can someone tell me how to fix the bugs?

The other thing is: for this problem:

osCommerce is vulnerable to a XSS flaw. The flaw can be exploited when a malicious user passes a malformed session ID to URI. Below is an example of the flaw.
https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

is the solution:

This is the response from the developer. To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:
if (isset($_sid)) { $link .= $separator . $_sid; }

After:
if (isset($_sid)) { $link .= $separator . tep_output_string($_sid); }

I have two shops; one of them is not vulnerable to the XSS flaw (I don't know why, maybe because of some contributions I have inserted) but the other is. I have tried the solution but it doesn't work on my shop. Can someone help me? Thanks
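The before/after fix quoted in the post above, modelled as a stand-alone added example (not osCommerce's own code): it assumes a tep_output_string() that behaves like osCommerce's default of turning double quotes into &quot;, and adds a hypothetical valid_sid() check as defence in depth.

```php
<?php
// Added example, not osCommerce code. Models the tep_href_link() fix from the
// thread. Assumption: tep_output_string() with default arguments replaces
// double quotes with &quot; (the real function lives in
// includes/functions/html_output.php).
function tep_output_string($string) {
    return str_replace('"', '&quot;', $string);
}

// Before the fix: the session id is concatenated into the link unescaped, so a
// quote in osCsid terminates the href="..." attribute it is placed into.
function href_link_before($page, $sid) {
    return $page . '?osCsid=' . $sid;
}

// After the fix: the session id is escaped before it reaches the attribute,
// so the quote can no longer close the attribute early.
function href_link_after($page, $sid) {
    return $page . '?osCsid=' . tep_output_string($sid);
}

// Hypothetical defence-in-depth helper (not in osCommerce): a session id is an
// alphanumeric token, so anything else can be rejected before it is echoed.
function valid_sid($sid) {
    return (bool) preg_match('/^[A-Za-z0-9]{1,64}$/', $sid);
}

// Constructed sample: the malformed osCsid value from the advisory quoted above.
$sid = '"><iframe src=http://www.gulftech.org></iframe>';

echo 'before: <a href="' . href_link_before('index.php', $sid) . '">x</a>' . PHP_EOL;
echo 'after:  <a href="' . href_link_after('index.php', $sid) . '">x</a>' . PHP_EOL;
echo 'valid_sid: ' . var_export(valid_sid($sid), true) . PHP_EOL;
echo 'valid_sid: ' . var_export(valid_sid('a1b2c3d4e5f6'), true) . PHP_EOL;
```

Run it with the PHP CLI and compare the two anchor tags: in the "before" line the attribute ends at the injected quote, in the "after" line the whole value stays inside the attribute.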
stubbsy Posted January 19, 2004

I'd be interested to hear some more about this. I found this detail on the gulftech site: Details Here
cgchris99 Posted January 19, 2004

I too would like information on this. I posted a question regarding this security problem on MS1 and did not receive an answer.
tomreis Posted January 20, 2004

I also need some information about this.
schmidtmaster (Author) Posted January 21, 2004

Does no one know anything about this? I think it is an important topic.
cgchris99 Posted January 21, 2004

For some strange reason, the Team is not giving an answer on this security problem. This cannot be good.
Noobish-n-stuff Posted January 21, 2004

From what I read, it appears that if you are running MS2 you are somewhat safe. You may receive a DoS, but that is easily fixed, and unless somebody has a workaround for the "add slashes", you won't be subject to "arbitrary SQL queries". Even so, this is still a security issue (especially for MS1 users). Would any of the team members like to comment on this one?
cgchris99 Posted January 21, 2004

I am running MS1, and I bet there are a lot of stores still running MS1.
oscom777 Posted January 21, 2004

I would like an answer as well. I know the administrator for gulftech and have emailed him regarding this matter.
cgchris99 Posted January 29, 2004

No new information on this? How about a post from the Development team? Anything, even if they say you have to upgrade to MS2. Just tell us something. The silence is leading me to believe there is a big problem and no one wants to admit it. There must be hundreds or even thousands of stores running MS1.
Guest Posted January 29, 2004

If you read further in the articles on Security Focus, they do post what you need to check there, as well as what is necessary to fix the problem. I subscribe to that and have for years, and I came back to the site, performed a search and found the info:

http://www.securityfocus.com/bid/9238/solution/

They do not post anything on Security Focus without describing the exploit and then the solution, so click to the right in there (I posted the actual page here) and you can see the solution.
Guest Posted January 29, 2004

Here is one of the searches, about MS1: http://www.oscommerce.com/forums/index.php?sho...=0entry274961
good_guys_flys Posted January 30, 2004

From my testing of 2.2 MS2 (07/13/03), this vulnerability (http://www.securityfocus.com/bid/9238/solution/) only applies if you do not utilize cookies to store the sid. Instead the sid is displayed in the URI and thus the exploit will work. With cookies enabled for the SID I cannot reproduce this vulnerability.
PrettyPink Posted January 30, 2004

I found this security advisory concerning osCommerce: http://www.securityfocus.com/bid/7357/info/
What implications and solutions could this be having?
Rgds PP
oscbosser Posted January 30, 2004

Well, I don't see the big problem about it. A user who is interested in buying something won't come to your site to play around with it. So what if there is an item in your shopping cart that can't be removed? If a user uses that type of injection he won't buy it in the first place. Unless I am wrong of course and it is possible to do actual damage.
good_guys_flys Posted January 30, 2004

oscbosser - DO NOT worry about your customers or potential customers trying malicious activity. You need to worry about people who want to steal the information in your database or just hijack your site for fun. They could cause a DoS, or simply retrieve your customer data if they manage to successfully exploit your osC install by running SQL queries against your site. This is done by playing with the URL. If the code is built to protect against this sort of disclosure then you have nothing to worry about. If you have not updated since MS2.1 I would suggest doing so; at least patch the thing.

Ok, as far as this vuln discovered in April of 2003, I *think* it has been addressed in the MS2.2 release. I did some real quick testing and all I accomplished was redirecting my browser to my web root. That is all that happened. I will conduct more testing on this as time permits, but so far it does not appear to be an issue with 2.2 MS2.
Guest Posted January 31, 2004

For anyone still looking... Weekly Summary Issue #33: December 16, 2003 - osCommerce 2.2 Milestone 1 SQL Injection Vulnerability
Not sure if there are any additional holes in MS1...
good_guys_flys Posted January 31, 2004

If you read the workboard summaries it may help to answer a lot of these questions. They went through a security audit back on workboard entry number 63, which was first discussed on workboard entry 59. You can find these here: http://www.oscommerce.com/community/workboard
This may help to answer some of the concerns. Workboard entry number 59 has a link posted at the bottom to a forum discussion about this; the issues seem to be closed in workboard entry 63 relative to the 2.2 MS2 release.
good_guys_flys Posted February 4, 2004

Ok, there is still a XSS vulnerability in 2.2 MS2 that I found. This may not be an issue for the development team as they are preparing for the MS3 release; however, it should concern the thousands who are using 2.2 MS2.

Paste the following in your browser:
http://yoursitename/path_to_catalog_direct...;;%3C/script%3E

This exploits the header.php file. This is the same issue as addressed in the following bugtraq post back on 03/20/03, found here: http://www.securityfocus.com/bid/7151/
Nice message in your header, eh?

And another vulnerability discovered back on 03/20/03 which was not resolved for the MS2 release. Paste after index.php?
info_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E

BugTraq Post: http://www.securityfocus.com/bid/7153/info/
paulm2003 Posted February 5, 2004

Looks like a hoax. What kind of harm does it do to MS2? (Apart from showing a message.) You are talking about MS2; the site you are linking to only talks about:

published Mar 20, 2003, updated Mar 20, 2003
vulnerable: osCommerce osCommerce 2.1, osCommerce osCommerce 2.2 ms1
good_guys_flys Posted February 5, 2004

It's not a hoax if a customer is tricked into clicking on such a link and their cookies are hijacked, thus taking over the session. This does apply to MS2; I tested it.
devosc Posted February 5, 2004

good_guy, can you post more info about how to determine this, e.g. a sample URL?

"Any fool can know. The point is to understand." -- Albert Einstein