- Open the file catalog/download.php
#find:
```php
$q = floor(tep_rand(1,26));
```
#replace with:
```php
$q = floor(tep_rand(0,25));
```
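As an added example (not code from the post or from osCommerce), the PHP script below assumes that $q is used as an index into a 26-letter alphabet, which is my reading of the 1..26 to 0..25 change; the post itself shows only the two lines. It counts what each range does to that index and then builds a key from the corrected range with random_int(). osCommerce's tep_rand() wrapper is replaced by mt_rand() here, and the function names and sample size are mine.

```php
<?php
// Added example, not osCommerce code. Assumption: $q indexes a 26-letter
// alphabet (string offsets 0..25), as the 1..26 -> 0..25 change suggests.

define('ALPHABET', 'abcdefghijklmnopqrstuvwxyz');   // 26 letters, offsets 0..25

// Draw $count indexes from [$lo, $hi] the way the original line does and report
// which letters are never chosen and how often the index falls off the end.
// mt_rand() stands in for tep_rand(); $count is a constructed sample size.
function index_coverage($lo, $hi, $count = 26000) {
    $letters = ALPHABET;
    $seen = array_fill(0, strlen($letters), 0);
    $out_of_range = 0;
    for ($i = 0; $i < $count; $i++) {
        $q = (int)floor(mt_rand($lo, $hi));
        if ($q >= 0 && $q < strlen($letters)) {
            $seen[$q]++;
        } else {
            $out_of_range++;   // offset 26 has no letter: that position of the key is lost
        }
    }
    return [
        'unused_letters' => array_keys(array_filter($seen, function ($n) { return $n === 0; })),
        'out_of_range'   => $out_of_range,
    ];
}

// Build a key of $length letters from the safe 0..25 range with the CSPRNG.
function random_key($length) {
    $letters = ALPHABET;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= $letters[random_int(0, strlen($letters) - 1)];
    }
    return $key;
}

print_r(index_coverage(1, 26));   // before the fix: offset 0 ('a') is never used, offset 26 is out of range
print_r(index_coverage(0, 25));   // after the fix: every letter reachable, nothing out of range
echo random_key(16), "\n";
```

With the 1..26 range the first report lists offset 0 as unused and a non-zero out_of_range count, so keys generated that way draw from 25 letters and occasionally come out one character short; the 0..25 range shows neither problem.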
osCommerce Support Forum → Viewing Profile: faaliyet
Community Stats
- Group: Community Member
- Active Posts: 10 (0.01 per day)
- Most Active In: General Add-Ons Support (5 posts)
- Profile Views: 19,796
- Age: 24 years old
- Birthday: March 6, 1987
- Real Name: Seyhun Cavus
- Gender: Male
- Location: istanbul
Issues I've Posted
download page random key issue
Posted 8 Jan 2012
onthefly hidden input - overwriting of input value
Posted 29 Oct 2011
osCommerce creates the hidden variable and/or overwrites the value of an existing variable when the URL has a parameter.
For example:
http://demo.oscommerce.com/index.php?a=valuea&b=valueb&c=valuec&d=valued&e=valuee&f=valuef&g=valueg
And you will see there are hidden variables such as "variable a" with "value valuea" and "variable b" with "value valueb" .... if you view the source code.
So an attacker can overwrite the values of HIDDEN (+other) variables with a simple link like:
http://demo.oscommerce.com/contact_us.php?action=send&name=faaliyet&email=demo@demo.com&enquiry=text%20text%20text
I think it's not a vulnerability assessment, but who knows...
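The defensive counterpart to the behaviour described in this post, as an added example that is not osCommerce's code and not part of the post: one function turns every query parameter into a hidden field, the other carries over only an allowlist of expected names whose values match an expected shape. The function names are hypothetical and the query array is constructed after the demo link above.

```php
<?php
// Added example, not osCommerce code: hidden fields from the whole query string
// versus hidden fields from an allowlist. Function names are hypothetical.

function hidden_input($name, $value) {
    // Escape both attribute values so a parameter cannot break out of the tag
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">' . "\n";
}

// Every scalar query parameter becomes a hidden field, so whoever builds the
// link decides which names and values end up inside the form.
function hidden_fields_from_query(array $query) {
    $html = '';
    foreach ($query as $name => $value) {
        if (is_string($value)) {
            $html .= hidden_input($name, $value);
        }
    }
    return $html;
}

// Only parameters the page actually needs are carried over; unknown names are
// dropped and each value must match the pattern given for its name.
function hidden_fields_allowlisted(array $query, array $allowed) {
    $html = '';
    foreach ($allowed as $name => $pattern) {
        if (isset($query[$name]) && is_string($query[$name]) && preg_match($pattern, $query[$name])) {
            $html .= hidden_input($name, $query[$name]);
        }
    }
    return $html;
}

// Constructed query string, modelled on the demo link in the post
$query = [
    'cPath'   => '22_28',
    'a'       => 'valuea',
    'b'       => 'valueb',
    'name'    => 'faaliyet',
    'enquiry' => 'text text text',
];

echo "--- every parameter ---\n", hidden_fields_from_query($query);
echo "--- allowlisted ---\n", hidden_fields_allowlisted($query, [
    'cPath' => '/^\d+(_\d+)*$/',   // category path: digits joined by '_'
    'page'  => '/^\d+$/',
]);
```

The first listing reproduces what the post observed in the page source (a hidden field for a, b, name, enquiry and so on); the second emits only cPath, because it is the only allowlisted name present and its value matches the pattern. Form fields that a visitor is expected to fill in, such as name or enquiry, are best initialised empty rather than from request data.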
tep_validate_email correct function
Posted 21 Oct 2011
Dear osCommerce moderators;
I cannot add the preg_match function correctly because the forum says:
Errors found
You have posted a message with more emoticons than this community allows. Please reduce the number of emoticons you've added to the message
That sucks!
AND yes, I tried to post that as [code...
(Again a bug, because I'm trying to post that in a CODE tag)
So you can find preg_match at:
http://svn.php.net/viewvc/php/php-src/trunk/ext/filter/logical_filters.c?view=markup
under the function:
void php_filter_validate_email(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
in the part:
const char regexp[] = ..................
- Open the file catalog/includes/functions/validations.php
Check for this:
```php
function tep_validate_email($email) {
  $email = trim($email);
  if ( strlen($email) > 255 ) {
    $valid_address = false;
  } elseif ( function_exists('filter_var') && defined('FILTER_VALIDATE_EMAIL') ) {
    $valid_address = (bool)filter_var($email, FILTER_VALIDATE_EMAIL);
  } else {
    if ( substr_count( $email, '@' ) > 1 ) {
      $valid_address = false;
    }
```
Here $valid_address can be true in the next step if that check is true; also the FILTER_VALIDATE_EMAIL filter should come after the if ( substr_count( $email, '@' ) > 1 ) { check, because a user can send mail with the address ' "myaddress@domain.com"@domain.com '.
Also, the FILTER_VALIDATE_EMAIL filter does not work correctly in PHP 5.2, so I added code to compare the PHP version that jumps to the preg_match function if the PHP version is lower than 5.3.
```php
    if ( preg_match("/[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/i", $email) ) {
      $valid_address = true;
    } else {
      $valid_address = false;
    }
```
Now here is the correct validation function.
```php
function tep_validate_email($email) {
  if (is_scalar($email) !== true)
    return false;
  $email = trim($email);
  $valid_address = false;
  if ( strlen($email) > 255 ) {
    return false;
  } else {
    if ( substr_count( $email, '@' ) > 1 ) {
      // "email@domain.com"@domain.com: fix for latest version of FILTER_VALIDATE_EMAIL
      return false; // return, because $valid_address can be true in the next check
    }
    if ( function_exists('filter_var') && defined('FILTER_VALIDATE_EMAIL') && version_compare(PHP_VERSION, '5.3', '>=') ) {
      $valid_address = (bool)filter_var($email, FILTER_VALIDATE_EMAIL);
      if ($valid_address === false) return false;
    } else {
      // https://bugs.php.net/bug.php?id=49576
      // latest version of FILTER_VALIDATE_EMAIL
      // const char regexp[] = http://svn.php.net/viewvc/php/php-src/trunk/ext/filter/logical_filters.c?view=markup
      // PLACEHOLDER: the pattern could not be posted (forum emoticon filter); paste the regexp[] from the file above here
      $regexp = '/PASTE_REGEXP_FROM_LOGICAL_FILTERS_C_HERE/';
      if ( preg_match( $regexp, (string)$email) ) {
        $valid_address = true;
      } else {
        return false;
      }
    }
  }
  if ($valid_address === true && ENTRY_EMAIL_ADDRESS_CHECK == 'true') {
    $domain = explode('@', $email);
    if ( !checkdnsrr($domain[1], "MX") && !checkdnsrr($domain[1], "A") ) {
      return false;
    }
  }
  return $valid_address;
}
```
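The ordering problem the post describes, reproduced as an added example that is not osCommerce's code and not part of the post: original_order() keeps the control flow of the original else-branch, where the false set by substr_count() is overwritten by the later preg_match() assignment and the unanchored pattern is satisfied by any matching substring; fixed_order() rejects early and anchors the same pattern. The pattern is the one quoted from validations.php above; the function names and the test addresses are constructed.

```php
<?php
// Added example, not osCommerce code: shows why the order of the checks and the
// missing ^...$ anchors let a two-'@' address through. Addresses are constructed.

// The unanchored pattern quoted from validations.php
define('OSC_EMAIL_REGEX', "/[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/i");

// Same control flow as the original else-branch: substr_count() sets false, but
// preg_match() runs afterwards and assigns unconditionally; without anchors it
// matches the "myaddress@domain.com" substring and sets true again.
function original_order($email) {
    $valid_address = null;
    if (substr_count($email, '@') > 1) {
        $valid_address = false;
    }
    if (preg_match(OSC_EMAIL_REGEX, $email)) {
        $valid_address = true;
    } else {
        $valid_address = false;
    }
    return $valid_address;
}

// Hardened ordering: reject on length and on anything but exactly one '@', then
// require the whole string to match by wrapping the same pattern in ^...$.
function fixed_order($email) {
    if (!is_string($email) || strlen($email) > 255) return false;
    if (substr_count($email, '@') !== 1) return false;
    $anchored = '/^' . substr(OSC_EMAIL_REGEX, 1, -2) . '$/i';   // strip the outer "/.../i"
    return (bool)preg_match($anchored, $email);
}

function compare_validators() {
    $cases = [
        'user@example.com'                  => true,
        '"myaddress@domain.com"@domain.com' => false,   // the post's example: two '@'
        'user@example.com trailing'         => false,   // valid address followed by junk
        'user@@example.com'                 => false,
    ];
    $rows = [];
    foreach ($cases as $addr => $expected) {
        $rows[$addr] = [
            'original' => original_order($addr),
            'fixed'    => fixed_order($addr),
            'expected' => $expected,
        ];
    }
    return $rows;
}

foreach (compare_validators() as $addr => $r) {
    printf("%-36s original=%-5s fixed=%-5s expected=%s\n", $addr,
        var_export($r['original'], true), var_export($r['fixed'], true), var_export($r['expected'], true));
}
```

Running it shows original_order() returning true for both the two-'@' address and the address with trailing text, while fixed_order() agrees with the expected column for every row; the early return in the post's corrected function achieves the same effect as the early return here.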
catalog login page fixes
Posted 21 Oct 2011
- Open the file catalog/login.php
###Find:
```php
// Check if email exists
$check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_password, customers_email_address, customers_default_address_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");
```
###Add before:
```php
// begin: Dynamic Control
$check_error = false;
if ($email_address == '') {
  $check_error = true;
  $messageStack->add('login', ERROR_EMAIL_ADDRESS_REQUIRED);
} elseif (!tep_validate_email($email_address)) {
  $check_error = true;
  $messageStack->add('login', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
}
if ($password == '') {
  $check_error = true;
  $messageStack->add('login', ERROR_PASSWORD_REQUIRED);
}
if ($check_error === false) {
// end: Dynamic Control
```
###Find:
```php
}
if ($error == true) {
  $messageStack->add('login', TEXT_LOGIN_ERROR);
}
```
###Add before:
```php
// begin: Dynamic Control
}
// end: Dynamic Control
```
- Open the file catalog/includes/languages/login.php and add the new lines before the last ?>.
```php
//begin Dynamic Control
define('ERROR_EMAIL_ADDRESS_REQUIRED', 'E-mail address required.');
define('ERROR_PASSWORD_REQUIRED', 'Password required.');
//end Dynamic Control
```
newsletter_general and global_product_notifications data values
Posted 1 Oct 2011
- Open the file account_newsletters.php
###Find:
```php
if (isset($HTTP_POST_VARS['newsletter_general']) && is_numeric($HTTP_POST_VARS['newsletter_general'])) {
  $newsletter_general = tep_db_prepare_input($HTTP_POST_VARS['newsletter_general']);
} else {
  $newsletter_general = '0';
}
```
###Replace with:
```php
$newsletter_general = (isset($HTTP_POST_VARS['newsletter_general']) && $HTTP_POST_VARS['newsletter_general'] == '1') ? '1' : '0';
```
- Open the file catalog/account_notifications.php
###Find:
```php
if (isset($HTTP_POST_VARS['product_global']) && is_numeric($HTTP_POST_VARS['product_global'])) {
  $product_global = tep_db_prepare_input($HTTP_POST_VARS['product_global']);
} else {
  $product_global = '0';
}
```
###Replace with:
```php
$product_global = (isset($HTTP_POST_VARS['product_global']) && $HTTP_POST_VARS['product_global'] == '1') ? '1' : '0';
```
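Why the replacement above matters, as an added example that is not osCommerce's code and not part of the post: is_numeric() accepts signs, decimals, exponent notation and leading whitespace, so the old code stored whatever numeric-looking string arrived, while the new code stores exactly '1' or '0'. The script uses a strict === '1' comparison where the post uses == '1' (both map every other value to '0'); the function names and the list of POST values are constructed.

```php
<?php
// Added example, not osCommerce code: contrasts the is_numeric() pass-through
// the post replaces with the strict '1'/'0' normalisation it introduces.

// Old behaviour: any value PHP considers numeric is stored unchanged.
function flag_via_is_numeric($raw) {
    return (isset($raw) && is_numeric($raw)) ? (string)$raw : '0';
}

// New behaviour (the post's fix, with === instead of ==): only the exact
// string '1' switches the flag on; everything else becomes '0'.
function flag_strict($raw) {
    return (isset($raw) && $raw === '1') ? '1' : '0';
}

// Constructed POST values; only '1' and '0' can come from the real checkbox
function compare_inputs() {
    $inputs = ['1', '0', '1e3', ' 1', '-1', '1.5', '2', 'abc', null];
    $rows = [];
    foreach ($inputs as $raw) {
        $rows[var_export($raw, true)] = [
            'is_numeric' => flag_via_is_numeric($raw),
            'strict'     => flag_strict($raw),
        ];
    }
    return $rows;
}

foreach (compare_inputs() as $input => $r) {
    printf("%-8s is_numeric-> %-5s strict-> %s\n", $input, $r['is_numeric'], $r['strict']);
}
```

The is_numeric column shows '1e3', ' 1', '-1', '1.5' and '2' passing straight through to the database column that is only meant to hold a boolean flag; the strict column holds '1' for the first input and '0' for every other.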