6th Apr 2003 [SBWID-6109]
COMMAND
OsCommerce CVS Security Analysis
SYSTEMS AFFECTED
OsCommerce 2.2
PROBLEM
Thanks to Lorenzo Hernandez Garcia-Hierro [[email protected]]
[http://www.lorenzohgh.com] for the analysis:
I am now working on an OsCommerce security analysis, and I encountered a few
(little) security holes and notes, concerning Cross Site Scripting and
other things related to the paths and the interactive scripts.
OsCommerce is a very safe application; it is difficult to find security
problems, and the risk is very small in the most common cases.
- THE PRODUCT LISTING AND CATEGORIES:
This is a safe module (I think), because all of the module's scripts (that I
know of) don't make DB connections; the module only uses URL variables in
PHP, but the final listing requires a DB connection to the osCommerce
database. The form to list products is really simple:
- The user attempts to retrieve the product list in a category.
- OsCommerce makes the query using: default.php?cPath=1&osCsid=000000000000000000000
- cPath is the variable of the category.
- OsCommerce makes the required queries and shows the product list output.
- PROBLEMS AT FIRST VIEW:
None, but....
http://host/oscommerce_installation/default.php/cPath/[here comes your directory, use slashes and double dots]
This URL is for showing a list of products or other things. This needs PHP
with Pear libraries.
With this you can go to a site link using the local referer in the HTTP
header; this can be used for logging into the system through a login system
that checks the referer (it must be local). The referer can be spoofed only
with the web navigator's help!
- DoS attack at product listing:
Normally this is not very important, but if the buffer sent is very large
the server can become unstable (MySQL server and web server).
This is the code for the little DoS attack:
product_info.php?products_id=[here comes your random content, better large]
and this can be used with secondary variables in the URL...
&action=notify
- CONCLUSIONS:
OsCommerce is a SAFE e-Commerce system, but human programming always has
errors!
The development group of osCommerce is really good; possibly osCommerce
hasn't important security risks, excluding the detail of the administration
system: the admin app comes without access protection!
SOLUTION
You can protect your osCommerce admin installation; it is easy, you need
only a little PHP knowledge and a backup of your server files.
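Added hardening example for this advisory (not part of the original post, not osCommerce project code, and not the patch.zip that accompanied it). It assumes osCommerce 2.2 on PHP 5.5 or later, a hypothetical file catalog/includes/hardening.php that is require()d at the top of default.php, product_info.php and every script under admin/, that the default.php/cPath/... form reaches the script through PATH_INFO, and a web server that exposes Basic-auth credentials as PHP_AUTH_USER/PHP_AUTH_PW. It validates the two URL parameters named in the analysis (cPath, products_id), refuses PATH_INFO, and puts password-based access protection in front of the admin application instead of a forgeable Referer check.

```php
<?php
// Added example for this advisory. It is not osCommerce code and not the
// patch.zip attachment from the original post. Assumptions: osCommerce 2.2
// running on PHP 5.5 or later (password_hash/password_verify), a hypothetical
// file catalog/includes/hardening.php that is require()d at the top of
// default.php, product_info.php and every script under admin/, and a web
// server that exposes Basic-auth credentials as PHP_AUTH_USER/PHP_AUTH_PW
// (Apache mod_php does; CGI/FastCGI setups need a rewrite rule for that).

// ---- 1. Parameter validation for the catalog scripts ----------------------

// osCommerce builds cPath from category ids joined by underscores ("1" or
// "1_5_23"). Anything else (slashes, dots, a large buffer) is rejected.
function valid_cpath($cpath)
{
    return is_string($cpath)
        && strlen($cpath) <= 64
        && preg_match('/^[0-9]{1,10}(_[0-9]{1,10})*$/', $cpath) === 1;
}

// In product_info.php products_id is a plain positive integer. Accepting only
// that keeps both the oversized "random content" buffer from the DoS note and
// any non-numeric data away from the MySQL query.
function valid_products_id($id)
{
    return is_string($id) && preg_match('/^[1-9][0-9]{0,9}$/', $id) === 1;
}

// The default.php/cPath/../.. form reaches the script through PATH_INFO
// (assumption). The catalog never needs PATH_INFO, so refuse it outright.
function has_path_info(array $server)
{
    return !empty($server['PATH_INFO']) || !empty($server['ORIG_PATH_INFO']);
}

function enforce_catalog_params(array $get, array $server)
{
    if (has_path_info($server)) {
        http_response_code(404);
        exit;
    }
    if (isset($get['cPath']) && !valid_cpath($get['cPath'])) {
        http_response_code(400);
        exit('Invalid cPath');
    }
    if (isset($get['products_id']) && !valid_products_id($get['products_id'])) {
        http_response_code(400);
        exit('Invalid products_id');
    }
}

// ---- 2. Access protection for admin/ ---------------------------------------

// Never gate admin access on the Referer header: it is client-supplied and
// trivially forged. Use HTTP Basic auth, served only over HTTPS.
// Hypothetical credential table (username => password_hash() output). For the
// example the hash is computed at load time from a placeholder password; a
// real deployment stores precomputed hashes in a file outside the web root.
$ADMIN_USERS = array(
    'shopadmin' => password_hash('change-me-before-deploy', PASSWORD_DEFAULT),
);

function admin_authorized($user, $pass, array $users)
{
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

function enforce_admin_auth(array $server, array $users)
{
    $user = isset($server['PHP_AUTH_USER']) ? $server['PHP_AUTH_USER'] : null;
    $pass = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : null;
    if (!admin_authorized($user, $pass, $users)) {
        header('WWW-Authenticate: Basic realm="osCommerce administration"');
        http_response_code(401);
        exit('Authentication required');
    }
}

// Usage, after require('includes/hardening.php'):
//   enforce_catalog_params($_GET, $_SERVER);    // default.php, product_info.php
//   enforce_admin_auth($_SERVER, $ADMIN_USERS); // admin/*.php
```

The guard functions take $_GET and $_SERVER as arguments rather than reading the superglobals directly, so they can be exercised with constructed arrays before being wired into the shop; the Basic-auth part is a stopgap that keeps an unprotected admin/ off the open web, not a replacement for a proper session-based login.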
[Attachment: patch.zip (not reproduced here)]