Re: osCommerce flaw update

Lostmon lords
May 9, 2008, 3:52:22 PM
to SmOk3, los...@googlegroups.com
Hello guys!

Today I received this email that informs about some flaws in osCommerce.
The researcher "David Sopas Ferreira" sent it to me, and I think it's
a nice discussion about osCommerce. osCommerce has multiple issues
and multiple 0days ---

When I have time I will return to this research on osCommerce again.

Thanks David Sopas Ferreira for the information!!!


---------- Forwarded message ----------
From: SmOk3 <smok...@gmail.com>
Date: 2008/5/9
Subject: osCommerce flaw update
To: los...@gmail.com


osCommerce update advisory.

http://secunia.com/advisories/22275/
http://www.davidsopas.com/soapbox/oscommerce.txt

##########################
advisory
##########################

HTML Injection, XSS and Patch File disclosure
in osCommerce Online Merchant v2.2 RC2a/RC1 (maybe others)

by David Sopas Ferreira
<smok3f00 at gmail.com>
<www.davidsopas.com>

Found and reported at : 1-05-2008PT
Full disclosure at : 5-05-2008PT


?!---------------------------------------------------------
XSS and HTML Injection
----------------------!?

On this great open-source PHP program, I found some minor
flaws. I mean minor, because they need admin access to be
executed, but still they can be used to grab other admins'
access or something like that.

The problem exists on the following files:

- manufacturers.php
- zones.php
- categories.php
- products_attributes.php
- administrators.php

A user could insert some malicious HTML or JavaScript
code in the input text fields and that would be executed
when an admin reads that webpage.

Also I found some XSS on these files:

- categories.php
- orders.php

Example: categories.php?cPath=1_4&pID=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&action=new_product_preview&read=only

categories.php?action=new_product_preview&read=only&pID=27&origin=stats_products_viewed.php?page=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

orders.php?cID=2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

I found others, but they had already been found (and are still
to be patched) by Lostmon (los...@gmail.com) for the osCommerce 2.2
Milestone 2 version.


?!---------------------------------------------------------
File disclosure
---------------!?

The bug found by l0om (l0...@excluded.org) is still open.
After searching, with no success, for a patch, I coded
a temporary one.

Overwrite line 66 of file_manager.php, case "download"

<code>
case 'download':
// Decode once, up front, so the check below sees the name that will
// actually be opened rather than a still-encoded form of it.
$filename_filtered = urldecode($HTTP_GET_VARS['filename']);
// strpos() replaces ereg(), which was removed in PHP 7; the test is the same.
if (strpos($filename_filtered, '..') !== false)
{
$filename_filtered = '';
}
// Stop here instead of going on to read $current_path . '/' with an empty name.
if ($filename_filtered == '')
{
exit;
}
header('Content-type: application/x-octet-stream');
header('Content-disposition: attachment; filename=' . $filename_filtered);
readfile($current_path . '/' . $filename_filtered);
exit;
break;
</code>


?!---------------------------------------------------------
Final words
-----------!?

I emailed this information to oscommerce.com and still didn't
get any reply. I didn't test version 3.0, but I bet
some of the XSS are still present. In my opinion they will
not fix older versions; they must be dedicating all their time
to the 3.0 versions, but they need to know that osCommerce 2.2 RC2a
and RC1 are still being used by many stores.

I want to give credit to Lostmon and l0om for the findings,
which are still unpatched.

--
Sincerely:
Lostmon (los...@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what keeps the mind moving....
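The file_manager.php download handler and the pID/cID reflections from the forwarded advisory, as an added example that is not code from the original post or from osCommerce. It shows the two checks a practitioner would want in that "download" case: the file name is decoded before it is validated, because a check run on the still-encoded value lets a doubly encoded dot segment through, and the resolved path is then required to sit inside the base directory, which also catches symlinks; the reflected parameter is output-encoded before being echoed into an attribute. The function names resolve_download() and attr(), the $base_dir parameter (standing in for the snippet's $current_path) and the constructed requests are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not osCommerce code. Hardened form of the file_manager.php
// "download" case from the advisory: decode, validate, then resolve and
// check containment. Function names are hypothetical; $base_dir plays the
// role of $current_path in the original snippet. Requires PHP 7.1+.

// Returns the absolute path to serve, or null when the request must be refused.
function resolve_download(string $base_dir, string $raw_filename): ?string
{
    // Validate the value that will actually be opened. A check that runs on
    // the still-encoded string is bypassed by a doubly encoded segment such
    // as "%252e%252e", which PHP hands to the script as "%2e%2e" and which
    // urldecode() then turns into "..".
    $filename = urldecode($raw_filename);

    // Only plain file names are allowed: no dot segments, no separators,
    // no NUL bytes.
    if ($filename === '' || $filename === '.' || $filename === '..'
        || strpbrk($filename, "/\\\0") !== false) {
        return null;
    }

    // Canonicalise both sides and require the file to sit inside the base
    // directory; realpath() also follows symlinks, so a link pointing
    // outside the directory is refused too.
    $base = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Output-encode a request value before it is echoed into an HTML attribute.
// This is the fix for the pID and cID reflections listed in the advisory.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Demonstration on constructed input: a temporary directory with one file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fm_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'readme.txt', "hello\n");

$requests = [
    'readme.txt',                  // legitimate
    '..%2F..%2Fetc%2Fpasswd',      // encoded separators
    '%2e%2e/%2e%2e/etc/passwd',    // what a "%252e" request looks like to the script
    'missing.txt',                 // valid name, no such file
];
foreach ($requests as $req) {
    $path = resolve_download($base, $req);
    echo str_pad($req, 28) . ($path === null ? 'refused' : 'serving ' . $path) . "\n";
}

// The advisory's pID payload, encoded so it can no longer close the attribute.
echo '<input type="hidden" name="pID" value="'
    . attr('1"><script>alert(document.cookie)</script>') . '">' . "\n";

unlink($base . DIRECTORY_SEPARATOR . 'readme.txt');
rmdir($base);
```

Run it with the PHP CLI. Only the first request is served; the two traversal attempts are refused on the decoded name before any file access, and the missing file is refused by realpath(). The encoded pID value comes out with its quote and angle brackets as entities, so the injected `">` no longer terminates the attribute.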
