[UNIX] XSS Bugs in osCommerce
From: support@securiteam.com
Date: 03/23/03
From: support@securiteam.com To: list@securiteam.com Date: 23 Mar 2003 17:27:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
XSS Bugs in osCommerce
------------------------------------------------------------------------
SUMMARY
<http://www.oscommerce.com/> osCommerce is a widely installed open source
e-commerce shopping solution. Several XSS (cross-site scripting) problems
exist in versions of osCommerce prior to 3/14/2003 that allow an attacker
to inject arbitrary HTML code into a web page.
An attacker could lure the victim to a specially crafted URL that, when
followed, would send the victim's cookie to the attacker.
With the cookie of a user, an attacker would be able to hijack that
user's account.
DETAILS
iProyectos will not provide a direct exploit this time due to the simplicity
of the bug (exploitation of XSS bugs is straightforward). Here is a
proof of concept for one of the four existing bugs.
http://vulnerable.host/default.php?error_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
http://vulnerable.host/default.php?info_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
http://vulnerable.host/checkout_payment.php?payment_error=cc&error=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
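The three proof-of-concept URLs above all carry HTML markup in a message parameter that the affected pages write back into the response. A shop operator who wants to know whether such requests are hitting a store can look for that pattern in the web server access log. The following script is an added example, not part of this advisory and not osCommerce code: it parses Apache combined-format log lines (constructed samples, not real traffic), URL-decodes the query string, and reports any request whose error_message, info_message or error parameter contains markup. The function names and the sample lines are assumptions made for this example.

```php
<?php
// Added example: flag access-log requests that carry HTML markup in the
// osCommerce message parameters named in the advisory. Not project code.

// Parameters the advisory reports as reflected into the page unencoded.
const WATCHED_PARAMS = ['error_message', 'info_message', 'error'];

// Extract the request target ("/path?query") from an Apache combined log line.
function requestTarget(string $logLine): ?string
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return $m[1];
    }
    return null;
}

// Return the watched parameters (name => decoded value) that contain markup.
function suspiciousParams(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);   // parse_str URL-decodes every value
    $hits = [];
    foreach (WATCHED_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = $params[$name];
        // A plain status message never legitimately contains a tag or a
        // javascript: URL, so either one is enough to raise an alert.
        if (preg_match('/<\s*\/?\s*[a-z!]|javascript\s*:/i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Constructed sample log lines (203.0.113.0/24 is a documentation range).
$sampleLog = [
    '203.0.113.7 - - [23/Mar/2003:17:27:54 +0200] "GET /default.php?error_message=Item%20not%20found HTTP/1.0" 200 5123',
    '203.0.113.9 - - [23/Mar/2003:17:28:01 +0200] "GET /default.php?error_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E HTTP/1.0" 200 5201',
    '203.0.113.9 - - [23/Mar/2003:17:28:05 +0200] "GET /checkout_payment.php?payment_error=cc&error=%3Cb%3EInvalid%20card%3C/b%3E HTTP/1.0" 200 4410',
    '203.0.113.11 - - [23/Mar/2003:17:28:09 +0200] "GET /product_info.php?products_id=12 HTTP/1.0" 200 7780',
];

foreach ($sampleLog as $line) {
    $target = requestTarget($line);
    if ($target === null) {
        continue;
    }
    $hits = suspiciousParams($target);
    if ($hits !== []) {
        // Expected: the second and third lines are reported, the others are not.
        printf("ALERT %s -> parameters %s\n", $target, implode(', ', array_keys($hits)));
    }
}
```

The check deliberately fires on any tag, not only <script>, because the advisory's point is that arbitrary HTML reaches the page; a <b> tag in a message parameter is just as much a sign that the parameter is being driven from outside the application.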
Vendor status:
We contacted the vendor on 3/13/2003. The XSS bugs were fixed within 24
hours and patches were committed to CVS.
We found these bugs in the last milestone version and they probably have a
long history. The online demonstration on the osCommerce website, which is
said to be version 2.2ms1, was modified, so be wary of trusting the
milestone because of this. As of 3/18/2003, the last milestone available
(2.2ms1) is still vulnerable.
Contrary to what can be understood by reading the vendor report, this is
not a CVS version bug. Furthermore, we conducted a little survey and found
this bug in 27 out of 30 osCommerce shops.
Solution:
To patch, update from CVS. Downloading the last milestone does not address
these issues.
Manual Fix:
Many installations of osCommerce are heavily modified to suit the needs
of each shop, using only the core osCommerce engine. For these, direct
patching will not be possible. If you are interested in a guide to fixing
customized osCommerce installations please contact us at
seguridad@iproyectos.com . We will publish a checklist guide to fix
osCommerce if demand is high enough.
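For a customized shop that cannot take the CVS patch, the manual fix comes down to never writing a query-string message into the page unchanged. The following is an added example, not code from osCommerce or from this advisory: it shows the reflection pattern the advisory describes beside two defensive alternatives, output encoding with htmlspecialchars() and replacing free-text messages with a fixed lookup key. The function names, the message table and the way the parameter is read are assumptions made for this example and do not describe the project's own source.

```php
<?php
// Added example: the reflected-message pattern and two ways to fix it.
// Not osCommerce code; names and structure are assumptions.

// VULNERABLE pattern: the raw query parameter is concatenated into HTML.
// This is the behaviour the advisory reports for default.php and
// checkout_payment.php.
function renderMessageUnsafe(array $get): string
{
    $msg = $get['error_message'] ?? '';
    return '<p class="error">' . $msg . '</p>';
}

// FIX 1: HTML-encode at the point of output. ENT_QUOTES also encodes single
// quotes, so the result is safe inside attribute values as well as element
// text. The charset must match the page's own; osCommerce of this era served
// ISO-8859-1 (assumption). With UTF-8, htmlspecialchars() returns an empty
// string for invalid byte sequences, which is the safe failure mode.
function renderMessageEncoded(array $get): string
{
    $msg  = $get['error_message'] ?? '';
    $safe = htmlspecialchars($msg, ENT_QUOTES, 'ISO-8859-1');
    return '<p class="error">' . $safe . '</p>';
}

// FIX 2: stop accepting free text at all. The URL carries a short key and
// the application maps it to a fixed string, so attacker-controlled text
// never reaches the HTML. Unknown keys fall back to a generic message.
const MESSAGES = [
    'not_found'  => 'The requested product could not be found.',
    'cc_invalid' => 'The credit card number entered is not valid.',
];

function renderMessageByKey(array $get): string
{
    $key = $get['error_message'] ?? '';
    $msg = MESSAGES[$key] ?? 'An error occurred.';
    return '<p class="error">' . $msg . '</p>';
}

// Demonstration with the advisory's proof-of-concept payload, URL-decoded
// the way PHP presents it in $_GET (or $HTTP_GET_VARS on old releases).
$get = ['error_message' => '<script language=javascript>window.alert(document.cookie);</script>'];

echo "unsafe : ", renderMessageUnsafe($get), "\n";   // tag reaches the browser intact
echo "encoded: ", renderMessageEncoded($get), "\n";  // &lt;script ...&gt; shown as text
echo "by key : ", renderMessageByKey($get), "\n";    // generic fallback message only

$get = ['error_message' => 'cc_invalid'];
echo "by key : ", renderMessageByKey($get), "\n";    // fixed, application-owned text
```

Fix 1 is the smaller change and can be applied wherever a customized template echoes a message variable; Fix 2 removes the class of bug, but requires every page that builds such a URL to pass a key rather than a sentence. Either way the encoding or lookup belongs at the output site, since that is the one place that knows the text is about to become HTML.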
ADDITIONAL INFORMATION
The information has been provided by <mailto:seguridad@iproyectos.com>
Daniel Alcántara de la Hoz.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.