
Vulnerabilities in 2.3.4


vmn


I do not see any related to the catalog.

I am in fact surprised that a protected area is marked as vulnerable.

It is like I give you my bank card + PIN code, and you say to me: I can steal your money?

Ha yes, shopping_cart very vulnerable:

open browser A (let's say IE)
add stuff to cart...
Open browser 2:
put url in browser 2:
localhost/osCommerce-234/product_info.php?products_id=1{4}3{3}6&action=remove_product
(we get message product is removed from cart)

Refresh IE ...... ohhhhhhhh: is it removed now?
No....

The exploit reporting is CRAP


Thanks,

at least these were pointing to catalog:

- Remove any item from cart
localhost/osc/oscommerce-2.3.4/catalog/shopping_cart.php?products_id=[ID]&action=remove_product
- Add item to cart
localhost/osc/oscommerce-2.3.4/catalog/product_info.php?products_id=[ID]&action=add_product
- Remove address book entry
localhost/osc/oscommerce-2.3.4/catalog/address_book_process.php?delete=1

  • 2 weeks later...

Hi,

my security software discovered a couple of XSS vulnerabilities in 2.3.4. I guess wHiTeHaT mentioned one with the shopping_cart in his post above.

Here it is:

Below are the summarized results of our scan for cross-site scripting vulnerabilities on your site.

URL:http://www.domain.com/products_new.php?action=buy_now&products_id=50
Cross site scripting vulnerability found in args:action,products_id

URL:http://www.domain.com/shopping_cart.php?products_id=58&action=remove_product
Cross site scripting vulnerability found in args:action,products_id

How to fix all those issues or who can help as I am not a programmer?

Thanks!

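"Cross site scripting vulnerability found in args:action,products_id" means the scanner sent markup in those two query-string parameters and saw it come back in the page unescaped. The following is an added example (not osCommerce's own code, and not from anyone in this thread) showing that reflected pattern next to a hardened version that whitelists the action, casts the id to an integer and escapes on output. The helper names render_unsafe() and render_safe() and the sample input are constructed for the example.

```php
<?php
// Added example, not osCommerce code. Shows why a scanner flags "args: action, products_id"
// and the three fixes that close it: whitelist, integer cast, output escaping.

// Reflected pattern: request parameters concatenated straight into HTML.
function render_unsafe(array $get): string {
    $id = $get['products_id'] ?? '';
    $action = $get['action'] ?? '';
    return '<a href="shopping_cart.php?products_id=' . $id . '&action=' . $action . '">Remove</a>';
}

// Hardened pattern.
function render_safe(array $get): string {
    // Only actions the script actually implements may be reflected.
    $allowed = ['add_product', 'remove_product', 'update_product', 'buy_now'];
    $action = $get['action'] ?? '';
    if (!in_array($action, $allowed, true)) {
        $action = ''; // unknown action: drop it instead of echoing it
    }
    // products_id is a database key: anything non-numeric collapses to an int (0 if garbage).
    $id = (int)($get['products_id'] ?? 0);
    // Build the query string, then escape it for the HTML attribute context.
    $q = http_build_query(['products_id' => $id, 'action' => $action]);
    return '<a href="shopping_cart.php?' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . '">Remove</a>';
}

// Constructed probe resembling what a scanner submits: markup in both parameters.
$probe = ['products_id' => '58"><b>x</b>', 'action' => 'remove_product<script>'];

// Compare the two links: the first still carries the injected markup, the second does not.
echo render_unsafe($probe), "\n";
echo render_safe($probe), "\n";
```

The `(int)` cast is the same one-line fix mentioned later in this thread for the add-on; on its own it covers products_id but not a free-text parameter such as action, which is why the whitelist and the output escaping are also needed.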

No known vulnerabilities up to today !! So a bit more info is needed

"Below are the summarized results of our scan for cross-site scripting vulnerabilities on your site."

args:action,products_id  never seen before what is that??

Regards

Joli

To improve is to change; to be perfect is to change often.

 


Somehow i think these are just posted here to put osCommerce in the Google search results as vulnerable.

 

Not funny. This is exactly what I am trying to avoid. My impression was that Google has its own scanning device and does not rely on third-party input or questions on forums....

Anyway, do you know how to fix it?


No known vulnerabilities up to today !! So a bit more info is needed

"Below are the summarized results of our scan for cross-site scripting vulnerabilities on your site."

args:action,products_id  never seen before what is that??

Regards

Joli

I was told by a security guy that their software scans parts of the code, not the whole thing at once, and that is why sometimes it does not see affected files and produces an OK result.. On other days the test fails.


@@Gigglery you need to provide more than "summarized results". I also want to know the precise software/service used to scan your site and its version number.

Summarized results is all I got. I use SiteLock. not sure about the version. I just checked the site again, they showed 12 more vulnerabilities. Will need to talk to them probably..


Ran a test on osCommerce 2.3.4 with SiteLock a few weeks ago; the only problem was an addon, which was an easy quick fix ((int)).

SiteLock was installed as part of the hosting package with a dashboard which allowed me to see the exact files involved.

Maybe if you check in your control panel you can access more detailed info!

To improve is to change; to be perfect is to change often.

 


Perhaps these forms are missing the session tokens, not sure.

shopping_cart.php:

<?php echo tep_draw_form('cart_quantity', tep_href_link(FILENAME_SHOPPING_CART, 'action=update_product')); ?>

missing parameter true. To see how this form rule should be built, check contact_us.php:

<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'post', 'class="form-horizontal"', true); ?>

// Output a form
  function tep_draw_form($name, $action, $method = 'post', $parameters = '', $tokenize = false) {
    global $sessiontoken;

    $form = '<form name="' . tep_output_string($name) . '" action="' . tep_output_string($action) . '" method="' . tep_output_string($method) . '"';

    if (tep_not_null($parameters)) $form .= ' ' . $parameters;

    $form .= '>';

    if ( ($tokenize == true) && isset($sessiontoken) ) {
      $form .= '<input type="hidden" name="formid" value="' . tep_output_string($sessiontoken) . '" />';
    }

    return $form;
  }

I must admit i am not sure if these clear out the mentioned vulnerabilities.

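The $tokenize flag above only puts the token into the form; it protects nothing unless the script that receives the POST also compares the submitted formid with the session's token. The following is an added example, not osCommerce's code and not from the poster above, of both halves of that check. The helper names issue_token(), draw_form() and verify_token(), the $session array standing in for $_SESSION, and the sample submissions are assumptions made for the example.

```php
<?php
// Added example, not osCommerce code. The hidden "formid" field written by
// tep_draw_form(..., true) is a CSRF token; this shows issuing it, emitting it,
// and, the part the thread does not show, verifying it on the receiving side.

// Create one token per session and reuse it; $session stands in for $_SESSION.
function issue_token(array &$session): string {
    if (empty($session['sessiontoken'])) {
        $session['sessiontoken'] = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $session['sessiontoken'];
}

// Same shape as tep_draw_form() with $tokenize = true: the token rides in a hidden field.
function draw_form(string $name, string $action, string $token): string {
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form name="' . $esc($name) . '" action="' . $esc($action) . '" method="post">'
         . '<input type="hidden" name="formid" value="' . $esc($token) . '" />';
}

// Receiving side: a state-changing POST (update or remove cart lines) is honoured
// only when the submitted formid equals the session token. hash_equals() keeps the
// comparison constant-time, so a wrong guess leaks nothing about the real value.
function verify_token(array $post, string $expected): bool {
    $got = $post['formid'] ?? null;
    return is_string($got) && $got !== '' && hash_equals($expected, $got);
}

// Constructed walk-through.
$session = [];
$token = issue_token($session);
echo draw_form('cart_quantity', 'shopping_cart.php?action=update_product', $token), "\n";

// A submission from the real form carries the token; a form hosted on another
// site cannot read the victim's session and so cannot supply it.
var_dump(verify_token(['formid' => $token, 'cart_quantity' => ['2']], $token)); // genuine
var_dump(verify_token(['cart_quantity' => ['2']], $token));                     // token absent
var_dump(verify_token(['formid' => 'guess'], $token));                          // wrong token
```

Note that this token guards against cross-site request forgery on POST forms; it does not address the reflected XSS findings earlier in the thread, which are an output-escaping problem and need the (int) cast and htmlspecialchars() treatment regardless of whether the form is tokenised.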

Ran a test on osCommerce 2.3.4 with SiteLock a few weeks ago; the only problem was an addon, which was an easy quick fix ((int)).

SiteLock was installed as part of the hosting package with a dashboard which allowed me to see the exact files involved.

Maybe if you check in your control panel you can access more detailed info!

The files involved are products_new.php and shopping_cart.php. Can you see more info than just file names?

SiteLock refused to go into details and explain the issue. They said the summary report is all I get and that is what all their customers get. Unless I want to pay SiteLock consultant who would go and fix the problem without me ever knowing what was wrong. Great! I guess I am not interested in their services anymore.

@@wHiTeHaT: I have corrected it in shopping_cart.php. But someone told me that should not affect anything..


Archived

This topic is now archived and is closed to further replies.
