
osCommerce Malformed Session ID XSS Vuln



Vendor  : osCommerce

URL     : http://www.oscommerce.com 

Version : All Current Versions

Risk    : Cross Site Scripting





Description:

osCommerce is an online shop e-commerce solution under ongoing
development by the open source community. Its feature-packed
out-of-the-box installation allows store owners to set up, run, and
maintain their online stores with minimum effort and with absolutely
no costs or license fees involved.





Problem:

osCommerce is vulnerable to an XSS flaw. The flaw can be exploited when
a malicious user passes a malformed session ID in the URI. Below is an
example of the flaw.

https://path/?osCsid=">

This condition seems to affect only secure https connections, but was
confirmed by the developers to affect regular http connections in the
current CVS version of osCommerce.





Solution:

This is the response from the developer.

To fix the issue, the $_sid parameter needs to be wrapped around
tep_output_string() in the tep_href_link() function defined in
includes/functions/html_output.php.

Before:

    if (isset($_sid)) {
      $link .= $separator . $_sid;
    }

After:

    if (isset($_sid)) {
      $link .= $separator . tep_output_string($_sid);
    }

osCommerce 2.2 Milestone 3 will redirect the user to the index page when
a malformed session ID is used, so that a new session ID can be generated.
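The following is an added example, not osCommerce code and not part of the developer's response: a cut-down PHP link builder in the shape of tep_href_link() that renders the unescaped and the encoded behaviour side by side, plus a well-formedness check in the spirit of the Milestone 3 redirect. The names output_string(), href_link(), is_well_formed_sid() and the shop URL are assumptions, and output_string() stands in for tep_output_string() using htmlspecialchars().

```php
<?php
// Added example (not osCommerce code): shows how an unescaped session ID
// breaks out of an href attribute, and the two defences the advisory
// describes: output encoding and rejecting malformed IDs.

// Stand-in for osCommerce's tep_output_string(): HTML-encodes the value so
// it cannot terminate the surrounding attribute. (Assumption: the real
// function performs equivalent encoding for this purpose.)
function output_string(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Simplified link builder in the shape of tep_href_link(): appends the
// session ID to a page URL. $escape selects the "before"/"after" behaviour.
function href_link(string $page, string $params, ?string $sid, bool $escape): string {
    $link = 'https://shop.example/' . $page;   // assumed shop base URL
    $separator = '?';
    if ($params !== '') {
        $link .= $separator . $params;
        $separator = '&';
    }
    if ($sid !== null) {
        $link .= $separator . 'osCsid=' . ($escape ? output_string($sid) : $sid);
    }
    return $link;
}

// Check in the spirit of Milestone 3: a session ID that is not plain
// alphanumeric is malformed; the caller should discard it and start a
// fresh session instead of echoing it back into links.
// (Assumption: well-formed session IDs here are [0-9a-zA-Z] only.)
function is_well_formed_sid(string $sid): bool {
    return $sid !== '' && ctype_alnum($sid);
}

// Constructed input: the attribute-breaking value from the advisory's
// example URL, followed by harmless markup, as it would arrive in $_GET['osCsid'].
$tainted = '"><b>injected</b>';

$before = '<a href="' . href_link('index.php', '', $tainted, false) . '">Home</a>';
$after  = '<a href="' . href_link('index.php', '', $tainted, true)  . '">Home</a>';

echo "before: $before\n";  // the quote closes href and the <b> lands in the page
echo "after:  $after\n";   // &quot;&gt;&lt;b&gt;... stays inside the attribute

if (!is_well_formed_sid($tainted)) {
    echo "malformed session ID: drop it and generate a new one\n";
}
```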







Credits:

Credits go to JeiAr of the GulfTech Security Research Team.

http://www.gulftech.org 
