Issue information
- Issue: #000310
- Severity: 5 - Critical
- Status: Fixed
- Affected version: 3.0.1
- Fixed in: 3.0.2
Issue Confirmations: Yes (0) / No (0)
osCommerce v3.0.1 is susceptible to reflected cross-site scripting (XSS) due to insufficient filtering of user-supplied input on the server side. Exploitation of this type of XSS involves crafting a request containing embedded JavaScript, or similar script code, which is reflected back to any user who makes the request.
The following parameter is vulnerable:
http://<IP>/index.php?Search=&Q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
A video of this issue being exploited to harvest usernames and passwords (and potentially credit card data) can be viewed here:
http://www.0x90.co.uk/2011/07/xss-harvest-in-action.html
Geoff
nopslider, on 13 July 2011, 11:16, said:
osCommerce v3.0.1 is susceptible to reflected cross-site scripting (XSS) due to insufficient filtering of user-supplied input on the server side. Exploitation of this type of XSS involves crafting a request containing embedded JavaScript, or similar script code, which is reflected back to any user who makes the request.
The following parameter is vulnerable:
http://<IP>/index.php?Search=&Q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
A video of this issue being exploited to harvest usernames and passwords (and potentially credit card data) can be viewed here:
http://www.0x90.co.u...-in-action.html
Geoff
Thanks Geoff!
Browsers' users have to switch on the Internet Explorer XSS filter to prevent attacks. It works for me :-). I hope the other browser families give similar options.
Use http://noscript.net for Firefox clones and so on.
Cheers
Gergely
Whilst it is true that modern browsers offer a degree of XSS protection, this is still a security issue with the application, and a regression from previous versions of OSCommerce. Chrome and IE8/9 will protect against reflected XSS in a GET parameter, though there have been methods of bypassing such protection detailed in recent times (e.g. http://www.slideshare.net/kuza55/examining-the-ie8-xss-filter for one). NoScript again will help, but only a small percentage of FF users have this installed and configured appropriately.
htmlentities is the way forward for this...
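An added illustration of the point above (example code, not osCommerce's own source or the linked fix): the Q parameter reflected raw into a search box attribute, beside the htmlentities() form of the same output. The function names are illustrative and the input is the decoded payload quoted in this report.

```php
<?php
// Added example, not osCommerce code. Shows why the Q parameter on
// index.php?Search=&Q=... is exploitable when reflected unescaped into an
// HTML attribute, and what htmlentities() changes.

// Vulnerable pattern: the raw query value is concatenated into a value
// attribute. An input starting with "> closes the attribute and the tag,
// so whatever follows is parsed as new markup.
function render_search_box_vulnerable(string $q): string
{
    return '<input type="text" name="Q" value="' . $q . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// covers both " and ', and an explicit charset avoids encoding mismatches.
function render_search_box_safe(string $q): string
{
    $encoded = htmlentities($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="Q" value="' . $encoded . '">';
}

// Regression check a maintainer could keep around: user-controlled text must
// never contribute a raw quote or tag delimiter to the rendered attribute.
function is_safely_escaped(string $rendered): bool
{
    // Six double quotes belong to the template itself; anything more means
    // the attribute was broken out of.
    return strpos($rendered, '<script') === false
        && substr_count($rendered, '"') === 6;
}

// Constructed input: decoded form of Q=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
$q = '"><script>alert(1)</script>';

echo "vulnerable: ", render_search_box_vulnerable($q), PHP_EOL;
echo "escaped:    ", render_search_box_safe($q), PHP_EOL;

if (is_safely_escaped(render_search_box_vulnerable($q))) {
    throw new RuntimeException('vulnerable renderer unexpectedly passed the check');
}
if (!is_safely_escaped(render_search_box_safe($q))) {
    throw new RuntimeException('escaped renderer failed the check');
}
echo "check passed", PHP_EOL;
```

Run with `php example.php`; the first line shows the attribute closed early by the payload, the second shows the same input rendered inert.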
Updating severity to: 5 - Critical
Updating status to: Fixed
Issue fixed in: 3.0.2
Hi Geoff,
Thanks for the report! This has been fixed with the following commit:
https://github.com/osCommerce/oscommerce/commit/53f7f715844144cd94f252d735a5bf9ff9defb4e