Security Risk reported by gambio.de may also appear to OSC 2.x

[mightyx 0]

Some days ago gambio.de reported a security hole in their shop software which also occurs in xt:commerce and other oscommerce based shop systems.

As I found out, the security hole may also appear in some versions of oscommerce. Here's a patch for those who want to be safe (besides that I strongly recommend securing the admin area with htaccess!).

 

In /catalog/admin/whos_online.php just after:

while ($whos_online = tep_db_fetch_array($whos_online_query)) {

 

add the following line of code:

   $whos_online['last_page_url'] = htmlentities($whos_online['last_page_url']);

 

Could please one of the developers check and confirm?

 

All credits go to gambio.de, great job guys!

[burt 3,742]

Could you please link to the full report.

[mightyx 0]

Yes, here it is: http://www.gambio.de/security-patch-dez2013-div.html

Unfortunately only in German. It says basically:

With the Security Patch published here, we close a security hole that we consider to be very critical. Attackers would be able to create an admin account, and gain control over the entire shop and all data.

[tgely 262]

@@burt

@@mightyx

 

The first v2.3.3.1 oscommerce release fix prevent the hack. Gambio's fix is very similar.

 

 

Parse REQUEST_URI with tep_db_prepare_input() before storing the value in the database. Replace REMOTE_ADDR with tep_get_ip_address().