
chluo

Members

Content count: 6
Days Won: 1

chluo last won the day on August 20

chluo had the most liked content!


  1. chluo

    Potential XSS vulnerability

    Yes.
  2. chluo

    Potential XSS vulnerability

    I would suggest adding XSS sanitizers in https://github.com/ruden/vanilla-oscommerce/blob/dev/catalog/includes/functions/database.php at line 42. That is: die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . htmlspecialchars($query) ...).
  3. chluo

    Potential XSS vulnerability

    OK. Please let me know if it has been fixed. Thanks.
  4. chluo

    Potential XSS vulnerability

    The attacker can be a common user; the two query functions I mentioned are in the include folder.
  5. chluo

    Potential XSS vulnerability

    Yes, this also works. But wouldn't it be better to fix it in a newer version, because many other users use this app, not only me 😀.
  6. chluo

    Potential XSS vulnerability

    I am using osCommerce2 and found one potential XSS vulnerability in its version 2.3.4.1: osCommerce implements the function tep_db_query() to execute SQL statements. In case of a MySQL error, the function tep_db_query() would call tep_db_error() to handle the MySQL errors:

        $result = mysqli_query($$link, $query) or tep_db_error($query, mysqli_errno($$link), mysqli_error($$link));

    The tep_db_error() function basically calls the die() function to display the error back to users:

        die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . ' ...);

    The $query variable is sent by users and is well sanitized against SQL injection. However, it will also be used in the die() function (a sensitive XSS function like echo()) when MySQL returns errors. In multiple files (e.g., "/admin/modules.php"), the $query variable is not sanitized (against XSS) and can be exploited because of the die() function. I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.
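The defect described in posts 6 and 2 above, as an added illustration that is not osCommerce's own code: a stand-in for the error handler in the shape the post quotes, where the failing SQL text is concatenated into HTML unescaped, next to a hardened variant that runs every untrusted fragment through htmlspecialchars() before it reaches the page. The function names error_page_unescaped() and error_page_escaped() and the sample query are assumptions made for this example.

```php
<?php
// Added example, not osCommerce code. Simulates the error page that
// tep_db_error() builds, in an unescaped and an escaped form.

// Vulnerable shape (as quoted in the post): $query, $errno and $error are
// concatenated straight into markup. Input that was escaped for SQL but
// not for HTML is rendered by the browser when the query fails.
function error_page_unescaped(string $query, int $errno, string $error): string
{
    return '<font color="#000000"><strong>' . $errno . ' - ' . $error
         . '<br /><br />' . $query . '</strong></font>';
}

// Hardened shape: each untrusted value is HTML-encoded at the point where
// it is placed into the document. ENT_QUOTES also encodes single quotes,
// which matters if a value ever lands inside an attribute; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function error_page_escaped(string $query, int $errno, string $error): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<font color="#000000"><strong>' . $enc((string) $errno) . ' - '
         . $enc($error) . '<br /><br />' . $enc($query) . '</strong></font>';
}

// Constructed sample input: a failing statement whose text carries a tag,
// and a made-up MySQL error number and message.
$query = "SELECT * FROM products WHERE products_id = '<b>x</b>'";
$errno = 1064;
$error = 'You have an error in your SQL syntax';

$before = error_page_unescaped($query, $errno, $error);
$after  = error_page_escaped($query, $errno, $error);

// Check whether the raw tag from the query survives into the page.
$keepsMarkup = static fn(string $html): bool => strpos($html, '<b>') !== false;

printf("unescaped page keeps markup: %s\n", $keepsMarkup($before) ? 'yes' : 'no');
printf("escaped page keeps markup:   %s\n", $keepsMarkup($after) ? 'yes' : 'no');
echo $after, PHP_EOL;
```

Encoding at output time, as the hardened function does, is the right place for this fix: the query text must stay unchanged for the database and for logs, so the escaping belongs in the handler that writes it into HTML rather than in the callers that build the statement.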