
Archived

This topic is now archived and is closed to further replies.

vmn

Vulnerabilities in 2.3.4

Recommended Posts

I do not see any related to the catalog.

 

I am in fact surprised that a protected area is marked as vulnerable.

 

It is like I give you my bank card + PIN code, and you then say to me: I can steal your money?

 

Ha yes, shopping_cart is very vulnerable:

 

Open browser A (let's say IE)

 

Add stuff to the cart...

 

Open browser 2:

 

Put this URL in browser 2:

localhost/osCommerce-234/product_info.php?products_id=1{4}3{3}6&action=remove_product

(we get the message that the product is removed from the cart)

 

 

Refresh IE ...... ohhhhhhhh: is it removed now?

No....

 

The exploit reporting is CRAP


Thanks,

 

at least these were pointing to the catalog:

- Remove any item from cart
localhost/osc/oscommerce-2.3.4/catalog/shopping_cart.php?products_id=[ID]&action=remove_product
- Add item to cart
localhost/osc/oscommerce-2.3.4/catalog/product_info.php?products_id=[ID]&action=add_product
- Remove address book entry
localhost/osc/oscommerce-2.3.4/catalog/address_book_process.php?delete=1


Hi,

my security software discovered a couple of XSS vulnerabilities in 2.3.4. I guess wHiTeHaT mentioned one with the shopping_cart in his post above.

 

Here it is:

 

Below are the summarized results of our scan for cross-site scripting vulnerabilities on your site.

 
URL: http://www.domain.com/products_new.php?action=buy_now&products_id=50
Cross site scripting vulnerability found in args: action, products_id

URL: http://www.domain.com/shopping_cart.php?products_id=58&action=remove_product
Cross site scripting vulnerability found in args: action, products_id

 

How do I fix all those issues, or who can help, as I am not a programmer?

Thanks!

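An added check for the report above; it is not part of the original thread, not osCommerce code, and not what SiteLock runs. A summary that only names "args: action, products_id" tells you nothing about where or how the value is echoed, so the useful next step is to reproduce it yourself. The script below (PHP 7.4+, run from the CLI) sends a unique marker followed by the characters < " ' > in one parameter at a time, keeping the other parameters at their normal values so the page renders as it would for a visitor, and classifies how each parameter comes back: not reflected at all, reflected but escaped (HTML- or URL-encoded, which is not an XSS), or reflected raw, which is the only verdict that needs a manual follow-up. The host name and product ids are the thread's own placeholders, the sample HTML at the end is constructed, and the file name xss_probe.php is assumed. Run it only against a shop you own or are authorised to test; because the marker replaces the value of action, the request no longer matches remove_product or buy_now, so nothing in your own cart changes.

```php
<?php
// Added example for this thread; not osCommerce code and not SiteLock's method.
// Turns "XSS vulnerability found in args: action, products_id" into something
// you can verify: probe one parameter per request and classify the reflection.
// Only run it against a shop you own or are authorised to test.
declare(strict_types=1);

const PROBE_SPECIALS = '<"\'>';   // the characters an HTML context must escape

/** Unique, easy-to-grep marker derived from the parameter name. */
function probe_token(string $name): string
{
    return 'zqx' . preg_replace('/[^a-z0-9]/i', '', $name) . 'zqx';
}

/**
 * Classify how the probe for $name came back in $html:
 *   'absent'  - marker not reflected anywhere
 *   'encoded' - marker reflected, but the specials were HTML- or URL-escaped
 *   'raw'     - marker followed by the literal specials; this is what a real
 *               reflected-XSS finding looks like and needs manual follow-up
 */
function classify_reflection(string $html, string $name): string
{
    $token = probe_token($name);
    if (strpos($html, $token) === false) {
        return 'absent';
    }
    return strpos($html, $token . PROBE_SPECIALS) === false ? 'encoded' : 'raw';
}

/**
 * Fetch $base with $params, probing one parameter per request so the others
 * keep their normal values. Returns [parameter name => verdict].
 */
function probe_url(string $base, array $params): array
{
    $ctx = stream_context_create([
        'http' => ['ignore_errors' => true, 'timeout' => 10], // keep 4xx/5xx bodies
    ]);
    $results = [];
    foreach (array_keys($params) as $name) {
        $q = $params;
        $q[$name] = probe_token($name) . PROBE_SPECIALS;   // http_build_query URL-encodes it
        $body = @file_get_contents($base . '?' . http_build_query($q), false, $ctx);
        $results[$name] = ($body === false) ? 'error' : classify_reflection($body, $name);
    }
    return $results;
}

// Constructed sample response (not real osCommerce output) showing the verdicts:
// products_id comes back URL-encoded inside an href, action comes back raw.
$sample = '<a href="shopping_cart.php?products_id=zqxproductsidzqx%3C%22%27%3E">x</a>'
        . '<p>zqxactionzqx<"\'></p>';
printf("sample products_id: %s\n", classify_reflection($sample, 'products_id')); // encoded
printf("sample action:      %s\n", classify_reflection($sample, 'action'));      // raw
printf("sample other:       %s\n", classify_reflection($sample, 'other'));       // absent

// Live usage (assumed file name):
//   php xss_probe.php http://www.domain.com/shopping_cart.php products_id=58 action=remove_product
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $params = [];
    foreach (array_slice($argv, 2) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $params[$k] = $v;
    }
    foreach (probe_url($argv[1], $params) as $name => $verdict) {
        printf("%-12s %s\n", $name, $verdict);
    }
}
```

An 'encoded' verdict is the expected result for a parameter that is only used to rebuild links; a 'raw' verdict is the thing to bring to the forum together with the file name and the exact response fragment, which is the detail the summarised report leaves out.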

No known vulnerabilities up to today!! So a bit more info is needed.

 

"Below are the summarized results of our scan for cross-site scripting vulnerabilities on your site."

 

"args: action, products_id": never seen that before; what is it??

 

Regards

Joli


To improve is to change; to be perfect is to change often.

 


Somehow I think these are just posted here to put osCommerce in the Google search results as vulnerable.

 

Not funny. This is exactly what I am trying to avoid. My impression was that Google has its own scanning device and does not rely on third-party input or questions on forums....

Anyway, do you know how to fix it? 


@Gigglery you need to provide more than "summarized results". I also want to know the precise software/service used to scan your site and its version number.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 
Get the latest Responsive osCommerce CE (community edition) here


No known vulnerabilities up to today!! So a bit more info is needed.

 

"Below are the summarized results of our scan for cross-site scripting vulnerabilities on your site."

 

"args: action, products_id": never seen that before; what is it??

 

Regards

Joli

I was told by a security guy that their software scans parts of the code, not the whole thing at once, and that is why sometimes it does not see affected files and produces an OK result. On other days the test fails.


@Gigglery you need to provide more than "summarized results". I also want to know the precise software/service used to scan your site and its version number.

Summarized results are all I got. I use SiteLock; not sure about the version. I just checked the site again, and they showed 12 more vulnerabilities. I will probably need to talk to them.


Yes, you will need to talk to them; summarized results are useless to you.




Ran a test of osCommerce 2.3.4 with SiteLock a few weeks ago; the only problem was an addon, which was an easy quick fix (int).

 

SiteLock was installed as part of the hosting package, with a dashboard that allowed me to see the exact files involved.

 

Maybe if you check in your control panel you can access more detailed info!



 


Perhaps these forms are missing the session tokens, not sure.

 

shopping_cart.php:

<?php echo tep_draw_form('cart_quantity', tep_href_link(FILENAME_SHOPPING_CART, 'action=update_product')); ?>

Missing the parameter true. To see how this form call should be built, check contact_us.php:

<?php echo tep_draw_form('contact_us', tep_href_link(FILENAME_CONTACT_US, 'action=send'), 'post', 'class="form-horizontal"', true); ?>

// Output a form
  function tep_draw_form($name, $action, $method = 'post', $parameters = '', $tokenize = false) {
    global $sessiontoken;

    $form = '<form name="' . tep_output_string($name) . '" action="' . tep_output_string($action) . '" method="' . tep_output_string($method) . '"';

    if (tep_not_null($parameters)) $form .= ' ' . $parameters;

    $form .= '>';

    // Only when the fifth argument ($tokenize) is true is the per-session
    // token written into the form as the hidden "formid" field.
    if ( ($tokenize == true) && isset($sessiontoken) ) {
      $form .= '<input type="hidden" name="formid" value="' . tep_output_string($sessiontoken) . '" />';
    }

    return $form;
  }

I must admit I am not sure if these clear out the mentioned vulnerabilities.

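An added example, not osCommerce's own code and not part of the post above, to make clear what the fifth argument of tep_draw_form does and does not buy you. The hidden formid field is one half of a form-token (anti-CSRF) mechanism; the other half is a handler that refuses to act unless the submitted formid matches the token in the visitor's session. The script below (PHP 7.4+, stand-alone from the CLI) shows both halves around a cart_quantity-style "update_product" form: minting the token, emitting it the way tep_draw_form(..., true) does, and checking it before the cart is touched. The session and cart are plain arrays, and the product ids, quantities and the "guess" value are constructed so it runs offline; draw_form(), form_token_is_valid() and handle_update_product() are this example's own names, not osCommerce functions.

```php
<?php
// Added example for this thread, not osCommerce code. Both halves of a form
// token: emit it (what tep_draw_form(..., true) does) and check it on the
// handler side (which adding "true" to the form call alone does not give you).
declare(strict_types=1);

/** Mint the per-session token once; osCommerce keeps its own in $sessiontoken. */
function session_token(array &$session): string
{
    if (empty($session['sessiontoken'])) {
        $session['sessiontoken'] = bin2hex(random_bytes(16)); // 128 random bits
    }
    return $session['sessiontoken'];
}

/** Same idea as tep_draw_form() with $tokenize = true: form tag plus hidden formid. */
function draw_form(string $name, string $action, string $token): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form name="' . $e($name) . '" action="' . $e($action) . '" method="post">'
         . '<input type="hidden" name="formid" value="' . $e($token) . '" />';
}

/** The half the form call does not give you: the handler must check the token. */
function form_token_is_valid(array $post, array $session): bool
{
    if (!isset($post['formid'], $session['sessiontoken']) || !is_string($post['formid'])) {
        return false;
    }
    return hash_equals($session['sessiontoken'], $post['formid']); // constant-time compare
}

/**
 * A guarded "update_product" handler for a cart_quantity-style form.
 * $post carries products_id[] and cart_quantity[] as the real form does.
 * Returns [accepted, cart]; the cart is returned untouched when refused.
 */
function handle_update_product(string $method, array $post, array $session, array $cart): array
{
    if ($method !== 'POST' || !form_token_is_valid($post, $session)) {
        return [false, $cart];
    }
    foreach ($post['products_id'] ?? [] as $i => $pid) {
        $qty = (int) ($post['cart_quantity'][$i] ?? 0);
        if ($qty <= 0) {
            unset($cart[$pid]);
        } else {
            $cart[$pid] = $qty;
        }
    }
    return [true, $cart];
}

// --- demo with constructed data: the session, cart contents and ids are made up ---
$session = [];
$cart    = ['58' => 2, '50' => 1];
$token   = session_token($session);

echo draw_form('cart_quantity', 'shopping_cart.php?action=update_product', $token), "\n";

// 1. The visitor's own browser submits the form it was served: token present.
[$ok, $cart] = handle_update_product('POST',
    ['formid' => $token, 'products_id' => ['58'], 'cart_quantity' => ['0']], $session, $cart);
printf("legitimate submit: accepted=%s cart=%s\n", var_export($ok, true), json_encode($cart));

// 2. A form auto-submitted from another site: the attacker cannot read the
//    visitor's token across origins, so the post arrives with a guess at best.
[$ok, $cart] = handle_update_product('POST',
    ['formid' => 'guess', 'products_id' => ['50'], 'cart_quantity' => ['0']], $session, $cart);
printf("forged submit:     accepted=%s cart=%s\n", var_export($ok, true), json_encode($cart));

// 3. A plain GET link such as shopping_cart.php?products_id=50&action=remove_product
//    carries no formid at all; a token check rejects it outright, so a handler that
//    acts on such links has to be protected some other way.
[$ok, $cart] = handle_update_product('GET', ['products_id' => ['50']], $session, $cart);
printf("GET link:          accepted=%s cart=%s\n", var_export($ok, true), json_encode($cart));
```

Run with php on the command line: the first submit is accepted and removes product 58, the forged submit and the GET link are refused and leave the cart as it was. Mapped back to 2.3.4, adding true to the tep_draw_form call in shopping_cart.php gives you only the draw_form() half; the form_token_is_valid() half has to exist in whatever code handles action=update_product. As far as I recall, the tokenised pages in 2.3.x (login, contact_us) do that comparison of $HTTP_POST_VARS['formid'] against $sessiontoken in the page's own code rather than centrally, so whether the update_product and remove_product handlers in your application_top.php perform such a check is something to read out of your copy, not something this thread settles. A form token also addresses cross-site request forgery only; it does nothing for the reflected-XSS findings the scanner reported, which are a separate question.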

Ran a test of osCommerce 2.3.4 with SiteLock a few weeks ago; the only problem was an addon, which was an easy quick fix (int).

 

SiteLock was installed as part of the hosting package, with a dashboard that allowed me to see the exact files involved.

 

Maybe if you check in your control panel you can access more detailed info!

The files involved are products_new.php and shopping_cart.php. Can you see more info than just file names?


@wHiTeHaT: my intention was/is to get more info about osCommerce security. I did not find any earlier comments on these "vulnerabilities" I pointed out in the 2nd post.


SiteLock refused to go into details and explain the issue. They said the summary report is all I get and that is what all their customers get, unless I want to pay a SiteLock consultant who would go and fix the problem without me ever knowing what was wrong. Great! I guess I am not interested in their services anymore.

@wHiTeHaT: I have corrected it in shopping_cart.php. But someone told me that should not affect anything.

