Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

defa

Archived
  • Posts

    5
  • Joined

  • Last visited

Profile Information

  • Real Name
    defa

defa's Achievements

  1. Well - I finally fixed it on my own - find the fixed contributions on the contributions site. http://www.oscommerce.com/community/contributions,1032 bye defa
  2. Thank you for your information. I did allready contact the authors but without any reaction yet. As this is an security related problem and allready has been abused to steal data, I thought it might be a good idea to post the necessary data here to fix the problem and proof the vulnerability. As any popular PHP-coded software is under heavy monitoring by loads of security interested people (the good and the bad) it might be a good idea to establish something like an security tracker or announce security threads on the mailing list. bye defa
  3. Here is a proof of concept - test this URI on an Shop-System with the module installed: http://www.vulnerable_shop.foo/path_to_shop/product_info.php?cPath=1&products_id=29'%20UNION%20ALL%20SELECT%20%20*%20FROM%20countries%20WHERE%20countries_id%3E'0 bye defa
  4. I don't want to annoy anybody - but two days ago I sent this E-Mail to the full.disclosure mailings list, to the developers of the software and to this forum - actually I can find an advice to patch or an patched release anywhere. Please regard that this flaw has been user to really hack an well-visited Online Shop an steal a lot of data from it. bye defa
  5. Hello! Doing forensics in an hacked shop system we found the following vulnerability in the "Additional Images" Module of OScommerce from "Author: zaenal <zaenal AT paramartha.org>. Find more detailed information here: http://www.oscommerce.com/community/contributions,1032 Description: If a anonymous remote user changes the value of 'products_id' when he gets "product_info.php" he is able to insert SQL Code in an SQL Query, if the module in question is installed. Impact: An attacker might read out parts or the whole of the database. Code: the following code on line 16 in SHOPROOT/catalog/includes/modules/additional_images.php doesn't check the value of the "products_id" variable. $images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . $HTTP_GET_VARS['products_id'] . "'"); Solution: Contact the author/vendor. Workaround: Change line 16 in SHOPROOT/catalog/includes/modules/additional_images.php to: $images_product = tep_db_query("SELECT additional_images_id, products_id, images_description, medium_images, popup_images FROM " . TABLE_ADDITIONAL_IMAGES . " WHERE products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'"); thanks to the guy who found the log entry in question. bye defa
×
×
  • Create New...