[A fix for osCommerce should be available soon. Please upgrade -- Raju]

This is an RFC 1153 digest. (1 message)
----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: JeiAr <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: osCommerce Malformed Session ID XSS Vuln
Date: 17 Dec 2003 17:59:15 -0000

Vendor  : osCommerce
URL     : http://www.oscommerce.com
Version : All Current Versions
Risk    : Cross Site Scripting

Description:
osCommerce is an online shop e-commerce solution under ongoing development by the open source community. Its feature-packed out-of-the-box installation allows store owners to set up, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved.

Problem:
osCommerce is vulnerable to an XSS flaw. The flaw can be exploited when a malicious user passes a malformed session ID in the URI. Below is an example of the flaw.

https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

This condition seems to affect only secure https connections, but was confirmed by the developers to affect regular http connections in the current CVS version of osCommerce.

Solution:
This is the response from the developer. To fix the issue, the $_sid parameter needs to be wrapped in tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:

    if (isset($_sid)) {
      $link .= $separator . $_sid;
    }

After:

    if (isset($_sid)) {
      $link .= $separator . tep_output_string($_sid);
    }

osCommerce 2.2 Milestone 3 will redirect the user to the index page when a malformed session ID is used, so that a new session ID can be generated.

Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org

------------------------------

End of this Digest
******************

--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
It is the mind that moves

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
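The before/after change in the advisory, worked through side by side as an added example (not osCommerce's own code): build_link_vulnerable() mirrors the "Before" snippet, build_link_fixed() the "After" snippet, and is_wellformed_session_id() shows the Milestone 3 style check that lets a malformed id be discarded before it is ever echoed. escape_output() is a stand-in for tep_output_string() and the alphanumeric session-id shape, the host name and the sample ids are assumptions made for the example.

```php
<?php
// Added example, not osCommerce code. escape_output() is an assumed stand-in
// for tep_output_string(): it HTML-encodes the value so it cannot terminate
// the surrounding href attribute or open a new tag.
function escape_output(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Shape check for a session id (assumption: ids are alphanumeric). A request
// whose osCsid fails this should be handled as Milestone 3 does: drop the
// value and issue a fresh session id instead of reflecting it anywhere.
function is_wellformed_session_id(string $sid): bool {
    return $sid !== '' && ctype_alnum($sid);
}

// "Before": the session parameter is appended to the link untouched.
function build_link_vulnerable(string $page, string $params, ?string $sid): string {
    $link = 'https://shop.example/' . $page;          // constructed host
    $separator = ($params === '') ? '?' : '&';
    if ($params !== '') { $link .= '?' . $params; }
    if (isset($sid)) {
        $_sid = 'osCsid=' . $sid;
        $link .= $separator . $_sid;                  // unescaped, as in the advisory
    }
    return $link;
}

// "After": the same parameter, but encoded before it reaches the page.
function build_link_fixed(string $page, string $params, ?string $sid): string {
    $link = 'https://shop.example/' . $page;
    $separator = ($params === '') ? '?' : '&';
    if ($params !== '') { $link .= '?' . $params; }
    if (isset($sid)) {
        $_sid = 'osCsid=' . $sid;
        $link .= $separator . escape_output($_sid);   // the developer's fix
    }
    return $link;
}

// Constructed inputs: a normal-looking id and the malformed one from the advisory.
$samples = ['7c2a9f3e1b0d4a5c', '"><iframe src=http://www.gulftech.org></iframe>'];

foreach ($samples as $sid) {
    printf("well-formed: %s\n", is_wellformed_session_id($sid) ? 'yes' : 'no');
    printf("vulnerable:  <a href=\"%s\">\n", build_link_vulnerable('index.php', '', $sid));
    printf("fixed:       <a href=\"%s\">\n", build_link_fixed('index.php', '', $sid));
}
```

For the malformed id the vulnerable line prints a closed href followed by a live iframe tag, while the fixed line keeps the whole value inside the attribute as &quot;&gt;&lt;iframe ...; the shape check rejects it outright, which is the cheaper defence when the application controls the id format.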
