[IPS] osCommerce multiple XSS vulnerabilities

From: Daniel Alcántara de la Hoz (seguridad@iproyectos.com)
Date: 03/20/03

    From: Daniel Alcántara de la Hoz <seguridad@iproyectos.com>
    To: <bugtraq@securityfocus.com>
    Date: Thu, 20 Mar 2003 15:54:43 -0000
    
    

          iProyectos Security Advisory:
             XSS Bugs in osCommerce

       1. Problem description.
       2. Risk
       3. Solution
       4. Manual fix
       5. About iProyectos

       ------------------------------------

    1. Problem description:

    osCommerce is a widely installed open source e-commerce shopping solution.
    Several XSS (cross-site scripting) problems exist in versions of osCommerce
    prior to 3/14/2003 that allow an attacker to inject arbitrary HTML code
    into a web page.

    An attacker could lead the victim to a specially crafted URL that, when
    followed, would send the victim's cookie to the attacker.

    With a user's cookie, an attacker would be able to hijack that user's
    account.

    iProyectos won't provide a direct exploit this time due to the simplicity of
    the bug (exploitation is straightforward with XSS bugs). Here is a proof
    of concept for one of the four existing bugs.

    (join the next three lines to form the URL)
    http://vulnerable.host/default.php?error_message=%3Cscr
    ipt%20language=javascript%3Ewindow.alert%28document.coo
    kie%29;%3C/script%3E

    The full list of vulnerabilities, explaining all four bugs, is available on
    our website: http://www.iproyectos.com/english.php

    We contacted the vendor on 3/13/2003. They fixed 4 XSS bugs in 24 hours
    and committed the patches to CVS.

    We found these bugs in the last milestone version, and they probably have a
    long history. The online demonstration on the osCommerce website, which is
    said to be version 2.2ms1, was modified, so be aware of this before trusting
    the milestone. As of 3/18/2003, the last milestone available (2.2ms1) is
    still vulnerable.

    Contrary to what might be understood from reading the vendor report, this is
    not a bug limited to the CVS version. Furthermore, we conducted a little
    survey and found this bug in 27 out of 30 osCommerce shops.

    2. Risk

    iProyectos has rated this vulnerability as medium risk, since some degree
    of social engineering is required.

    3. Solution

    To patch, update from CVS. Downloading the last milestone WON'T fix this.

    4. Manual Fix

    Many installations of osCommerce are heavily modified to suit the needs
    of each shop, keeping just the core osCommerce engine. For these, direct
    patching won't be possible. If you are interested in a guide to fixing
    customized osCommerce installations, please contact us at
    seguridad@iproyectos.com . We will publish a checklist guide to fixing
    osCommerce if demand is high enough.
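    For shops that cannot apply the CVS patch, the fix for every one of these
    bugs is the same: entity-encode each request parameter at the point where it
    is written into the page. The following is an added example (not osCommerce
    source and not iProyectos' checklist) showing the reflected pattern the
    advisory describes beside its hardened form. The parameter name
    `error_message` comes from the proof of concept above; the surrounding markup
    and the function names `render_error_unsafe`, `render_error_safe` and
    `output_is_encoded` are assumptions. In osCommerce of this era the request
    value would be read from `$HTTP_GET_VARS` rather than `$_GET`.

```php
<?php
// Added example, not osCommerce code: the reflected-XSS pattern from the
// advisory (error_message echoed into the page) beside a hardened version.
// Markup and function names are assumptions; only the parameter name is from
// the advisory's proof of concept.

// Constructed request: what the web server hands the script after URL-decoding
// the proof-of-concept query string.
$_GET['error_message'] =
    '<script language=javascript>window.alert(document.cookie);</script>';

// Vulnerable pattern (hypothetical): the parameter is concatenated straight
// into the HTML, so the browser parses and runs the injected <script>.
function render_error_unsafe($message)
{
    return '<td class="messageStackError">' . $message . '</td>';
}

// Hardened pattern: every user-controlled value is entity-encoded at the output
// point. ENT_QUOTES also encodes single and double quotes, so the same helper
// is safe when the value lands inside an attribute, not only between tags.
function render_error_safe($message)
{
    return '<td class="messageStackError">'
         . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
         . '</td>';
}

// Checklist helper for customized installations: after editing a template,
// confirm the rendered fragment carries no raw angle brackets from the input.
// Returns true when everything between our own static tags has been encoded.
function output_is_encoded($html)
{
    $inner = preg_replace('#^<td class="messageStackError">|</td>$#', '', $html);
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

$input = isset($_GET['error_message']) ? $_GET['error_message'] : '';

echo "Unsafe:  " . render_error_unsafe($input) . "\n";
echo "Safe:    " . render_error_safe($input) . "\n";
echo "Unsafe output encoded? "
   . (output_is_encoded(render_error_unsafe($input)) ? 'yes' : 'no') . "\n";
echo "Safe output encoded?   "
   . (output_is_encoded(render_error_safe($input)) ? 'yes' : 'no') . "\n";
```

    Run with `php example.php`: the safe line shows the script tag rendered as
    `&lt;script ...&gt;`, which the browser displays as text instead of
    executing. The check at the end is the sort of test to repeat for each of
    the four reported parameters after patching a customized template.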

    5. About iProyectos
    iProyectos is a new IT company established in Spain which stresses security
    research. We provide quality security auditing at reasonable prices.

    -
    Daniel Alcántara de la Hoz
    Director de Proyectos
    daniel.alcantara@iproyectos.com
    iProyectos Desarrollos Tecnológicos
    http://www.iproyectos.com/english.php

