chluo

Potential XSS vulnerability

Recommended Posts

I am using osCommerce 2 and found one potential XSS vulnerability in its version 2.3.4.1:

osCommerce implements the function tep_db_query() to execute SQL statements. In case of a MySQL error, tep_db_query() calls tep_db_error() to handle the MySQL error:

$result = mysqli_query($$link, $query) or tep_db_error($query, mysqli_errno($$link), mysqli_error($$link));

The tep_db_error() function basically calls the die() function to display the error back to users:

die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . ' ...);

The $query variable is sent by users and is well sanitized against SQL injection. However, it is also used in the die() function (an XSS-sensitive function like echo()) when MySQL returns errors. In multiple files (e.g., "/admin/modules.php"), the $query variable is not sanitized (against XSS) and can be exploited because of the die() function.

I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.

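As an added illustration, not code from osCommerce itself, the handler below shows one way to apply the escaping suggested in this thread: the raw query goes to the server log, and the visitor receives only an HTML-escaped copy, or no copy at all by default. The function name tep_db_error_escaped() and the sample query are constructed for the example.

```php
<?php
// Added example, not osCommerce code: a hardened variant of the
// tep_db_error() pattern quoted above. The full SQL text is written to the
// server error log; the browser gets an HTML-escaped copy, or nothing.
function tep_db_error_escaped(string $query, int $errno, string $error, bool $show_query = false): string
{
    // Keep the raw query server-side so developers can still debug the failure.
    error_log(sprintf('[TEP STOP] MySQL %d: %s | query: %s', $errno, $error, $query));

    // Never let request-derived text reach the page unescaped.
    $safe_errno = htmlspecialchars((string) $errno, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_error = htmlspecialchars($error, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safe_query = $show_query
        ? htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : '(query hidden; see server log)';

    return '<strong>' . $safe_errno . ' - ' . $safe_error . '<br /><br />'
         . $safe_query . '<br /><br /><small>[TEP STOP]</small></strong>';
}

// Constructed sample input: a query string carrying a script tag, as might
// reach tep_db_query() when a page builds SQL from an unsanitized parameter.
$sample_query = "select * from modules where code = '<script>alert(1)</script>'";

// With $show_query = true the tag is rendered as inert text because
// htmlspecialchars() converts < and > to their HTML entities.
$html = tep_db_error_escaped($sample_query, 1064, 'You have an error in your SQL syntax', true);
var_dump(strpos($html, '<script>') === false);

// The default (query hidden) is what the addon discussed below aims for:
// the visitor never sees the statement at all.
echo tep_db_error_escaped($sample_query, 1064, 'You have an error in your SQL syntax'), PHP_EOL;
```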

5 minutes ago, Jack_mcs said:

@chluo You may want to install this addon to prevent errors from being displayed to the customers.

Yes, this also works. But wouldn't it be better to fix it in a newer version, because many other users use this app, not only me 😀.


If by "newer version" you mean the version of oscommerce, that might be the case with the new planned version. The current V2 version is no longer supported so such changes would not be made to it.


Excuse me for asking the question, but if the person already has access to the admin, what's the use of doing an XSS inclusion?


Live   : OsC 2.2, php 5.6 & UTF-8  |  Local : phoenix and oscommerce v4 test when v4 will be available

16 minutes ago, bonbec said:

Excuse me for asking the question, but if the person already has access to the admin, what's the use of doing an XSS inclusion?

The attacker can be a common user; the two query functions I mentioned are in the include folder.
20 minutes ago, Jack_mcs said:

If by "newer version" you mean the version of oscommerce, that might be the case with the new planned version. The current V2 version is no longer supported so such changes would not be made to it.

OK. Please let me know if it has been fixed. Thanks

Just now, Hotclutch said:

die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . htmlspecialchars($query) . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');

@chluo you mean like this?

Yes.

1 hour ago, Hotclutch said:

I see the commits are for Vanilla osCommerce. If someone has a solution for regular osCommerce and the CE versions (which probably are the same) that would be useful.

The goal is, or should be, to hide the failure from the visitor. That's what my addon does.
31 minutes ago, Jack_mcs said:

The goal is, or should be, to hide the failure from the visitor. That's what my addon does.

The instructions for your addon say to:

1) - Upload the included osc_error_handler_db_handler.php file to
the root of your shop and then execute it by using a url like:

https://YOUR DOMAIN/osc_error_handler_db_handler.php

but there is no such file included, only osc_error_handler.php in the functions folder. Is that right?


I guess it would be advisable to do both - fix the vulnerability and install the addon.

Would it still be possible for a hacker to exploit this vulnerability with the addon installed? i.e. a hacker who knows osCommerce and who already knows the vulnerability exists.

The addon doesn't stop attacks. It just prevents the message from displaying on the site. For a while a few years ago there was a common attempt where the hacker would enter an invalid command just so they could see the command. Once they had the format, they would put in valid data and try again. The shop's code should handle such attacks, but the older shops don't. But even Phoenix, at least earlier versions, still displayed the error, so that should be stopped regardless.
10 hours ago, chluo said:

I suggest adding XSS sanitizers in the tep_db_error() function to avoid this kind of attack.

Requests use preparation; in order to perform injection you need to have access to the code.

It does not affect anything.

Delete the code: die('<font color="#000000"><strong>' . $errno . ' - ' . $error . '<br /><br />' . $query . '<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>');


Vanilla osCommerce this fork osCommerce v2.3.5
