Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

PCI fail on products_new.php for version 2.3.3.4


clubbby

Recommended Posts

First things first, I'm not actually taking payments directly on my online store at this time (using PayPal) so PCI compliance isn't vital to me, I was just working on making sure my site was secure. But I couldn't find any other posts in regards to this particular one so I thought I'd post it.

 

I used the PCI scanner from hackerguardian.com and it reported that it found a potential XSS vulnerability on products_new.php. I'll paste the import bits at the bottom of this post. If you need anything additional let me know and I would be happy to supply it.

 

My configuration (as of today) is Ubuntu 12.04 LTS, running NGINX 1.4.3, PHP (fpm) 5.5.5 (both I compiled) and MySQL 5.5.34 (stock from Ubuntu repo). My installation of osCommerce is pretty out of the box. About the only thing I've changed are some css files.

 

Anyway, here's the warning:

 

Description:

The remote web server hosts CGI scripts that fail to adequately

sanitize parameters name of malicious Javascript. By leveraging this

issue, an attacker may be able to cause arbitrary HTML and script code

to be executed in a user's browser within the security context of the

affected site.

 

Plugin output

 


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to XSS (on parameters names) :

/products_new.php?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31

%33%29%3C%2F%73%63%72%69%70%74%3E=1

-------- request --------
GET /products_new.php?%FF%FE%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%33%31%33
%29%3C%2F%73%63%72%69%70%74%3E=1 HTTP/1.1
Host: <removed>
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: osCsid=93kevob3dftigcb7pvhfcf5sr5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------

-------- output --------
<td width="130" valign="top" class="main"><a href="http://<removed> [...]
<td valign="top" class="main"><a href="http://<removed>/pr [...]
<td align="right" valign="middle" class="smallText"><span class="tdbLink
"><a id="tdb4" href="http://<removed>/products_new.php?  <script
>alert(313)</script>=1&action=buy_now&products_id=21">Add to Car
t</a></span><script type="text/javascript">$("#tdb4").button({icons:{pri
mary:"ui-icon-cart"}})
.addClass("ui-priority-secondary").parent().remove
Class("tdbLink");</scrip
t></td>
</tr>
<tr>

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...