is OsCommerce Secure?

[Guest]

Many php scripters have been warning me about using open source scripts. They checked the osCommerce script and found that it is vulnerable to SQL injections.

 

I am running 3 stores with osc, and I am now totally insecure? Did anyone else hear about this ?

 

~ Ilan.

 

here are some quotes of what one of them :unsure: told me:

 

doobi16: i could do anything

doobi16: drop tables

doobi16: etc

doobi16: Ill explain briefly.

 

doobi16:  tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . (int)$customer_id . "'");

 

doobi16 :address_book_id = $check_customer

doobi16: that is being sent from the form

doobi16: $customer_id = $check_customer['customers_id'];

doobi16: u see

doobi16: now...

doobi16: what if i were to type: 'injection; $sql = drop table;

doobi16: in ur login field

doobi16: its a bit more complicated than that...

doobi16: theorectically...i could drop ur table.

doobi16: im stopping ur login query and putting my own query in

doobi16: look up sql injections

doobi16: and USE ADDSLASHES()!!!

doobi16: for every login field

doobi16: $customer_id = addslashes($check_customer['customers_id']);

doobi16: that actually needs to be done before u have done any queries

[Mark Evans]

osCommerce has been tested for SQL injection issues and all have been closed.

 

All content is parsed before input into the database.

 

if they know something we dont then get them to let us know and we will fix it.

[Guest]

ok. gotcha.

[Guest]

yeah i've been wondering about the security of osc too. are there any docs or articles on osc's security?

[Harald Ponce de Leon]

The following is available on the Wiki site:

 

http://wiki.oscommerce.com/proposalStripAndParse

http://wiki.oscommerce.com/apiClassesDatabase

 

Hope that helps!

[Guest]

Oh ok thank you Herald.

[verbal]

yeah i've been wondering about the security of osc too. are there any docs or articles on osc's security?

Hey there...

 

I've been wondering myself, ever since I saw the register_globals is used. PHP, SANS, and CERT have all advised against the use of this as it represents a major security hole...

 

are there plans to migrate away from the use of these variables or was something else done to mitigate the threat that these cause?

 

Thanks

 

Dave

[Mark Evans]

Register globals is only insecure if the programmer is lazy.

 

We have been checking all input from global variables for some time.

 

The catalog and install tool both work without register globals. THe admin tool will be fixed once the merge into the catalog has been completed.

[verbal]

Thanks for the response. I'm glad to hear that its already being tackled.

 

Dave

[Mad_D]

The catalog and install tool both work without register globals. THe admin tool will be fixed once the merge into the catalog has been completed.

I'm also installing osc on a win2k3 server (iis6) and am getting fatal errors because register globals is disabled. How can I get these tools to work without enabling register_globals? Are there any other threads that may have canvased this topic?

[smiley]

The strength & weakness of OSC & Open Source is that the code is available to everyone. Because of this, some "blackhats" search the code for weaknesses and exploit them. These instances are infrequent and when they happen the Open Source community moves quickly to secure the code once more.

 

This in turn makes Open Source a more secure code. When "blackhats" break into closed source shopping carts, their intrusion is not detected as quickly and certainly the remedies take much longer, as the company has to rely on their programmers and not a huge worldwide community.

 

I have 8 clients running OCS. We take security seriously and all have been operating without incident - some for years.