[IPS] osCommerce multiple XSS vulnerabilities

From: Daniel Alcántara de la Hoz (seguridadat_private)
Date: Thu Mar 20 2003 - 07:54:43 PST


          iProyectos Security Advisory:
             XSS Bugs in osCommerce
    
       1. Problem description.
       2. Risk
       3. Solution
       4. Manual fix
       5. About iProyectos
    
       ------------------------------------
    
    1. Problem description:
    
    osCommerce is a widely installed open source shopping e-commerce solution.
    Several XSS (cross-site scripting) problems exist in versions of osCommerce
    prior to 3/14/2003 that allow an attacker to inject arbitrary HTML code
    into a web page.
    
    An attacker could guide the victim to a specially crafted URL that, when
    followed, would send the victim's cookie to the attacker.
    
    With a user's cookie, an attacker would be able to hijack that user's
    account.
    
    iProyectos won't provide a direct exploit this time due to the simplicity of
    the bug (exploitation is straightforward with XSS bugs). Here is a proof
    of concept for one of the four existing bugs.
    
    http://vulnerable.host/default.php?error_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
    
    The full list of vulnerabilities is available on our website,
    http://www.iproyectos.com/english.php, which explains the four bugs.
    
    We contacted the vendor on 3/13/2003. They fixed 4 XSS bugs in 24 hours
    and committed the patches to CVS.
    
    We found these bugs in the last milestone version, and they probably have a
    long history. The online demonstration on the osCommerce website, which is
    said to be version 2.2ms1, was modified, so be wary of trusting the
    milestone because of this. As of 3/18/2003, the last milestone available
    (2.2ms1) is still vulnerable.
    
    Contrary to what might be understood from reading the vendor report, this is
    not a CVS-version bug. Furthermore, we conducted a small survey and found
    this bug in 27 out of 30 osCommerce shops.
    
    2. Risk
    
    iProyectos has rated this vulnerability medium risk, since some degree of
    social engineering is required.
    
    3. Solution
    
    To patch, update via CVS. Downloading the last milestone WON'T fix this.
    
    4. Manual Fix
    
    Many installations of osCommerce are heavily modified to suit the needs
    of each shop, using only the core osCommerce engine. For these, direct
    patching won't be possible. If you are interested in a guide to fixing
    customized osCommerce installations, please contact us at
    seguridadat_private. We will publish a checklist guide to fixing
    osCommerce if demand is high enough.
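    The pattern behind a reflected XSS bug of this kind, and the fix a checklist for a customized installation would apply at every affected spot, is shown below. This is an added illustration written for this archive page; it is not osCommerce code and not iProyectos' patch. The parameter name error_message is taken from the PoC URL above; the function names and the surrounding markup are hypothetical.

```php
<?php
// Added illustration (not osCommerce code): a page that reflects a
// query-string parameter into HTML, shown before and after output escaping.
// The parameter name "error_message" comes from the advisory's PoC URL;
// the function names and markup below are hypothetical.

// Vulnerable pattern: the raw parameter is concatenated into the page, so a
// URL carrying "<script>...</script>" in error_message runs in the visitor's
// browser with access to that visitor's cookies.
function render_error_vulnerable(string $error_message): string
{
    return '<div class="messageStackError">' . $error_message . '</div>';
}

// Hardened pattern: encode the characters that carry meaning in HTML
// ('<', '>', '&', '"' and "'") at the point of output, so the value is
// displayed as text rather than interpreted as markup. ENT_QUOTES also
// covers the case where the value lands inside a single-quoted attribute.
function render_error_fixed(string $error_message): string
{
    $safe = htmlspecialchars($error_message, ENT_QUOTES, 'UTF-8');
    return '<div class="messageStackError">' . $safe . '</div>';
}

// Constructed sample input: the advisory's PoC payload, URL-decoded, as it
// would arrive in $_GET['error_message'].
$payload = '<script language=javascript>window.alert(document.cookie);</script>';

echo "Vulnerable output:\n" . render_error_vulnerable($payload) . "\n\n";
echo "Hardened output:\n" . render_error_fixed($payload) . "\n";
```

    Run with the PHP CLI and compare the two outputs: the first still contains a live script element, the second contains only entity-encoded text. In a customized installation the check to repeat is the same for every request parameter (GET, POST, cookie) that reaches the page: find where it is written into the HTML and apply the escaping there, at output time, rather than trying to filter the input.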
    
    5. About iProyectos
    
    iProyectos is a new IT company established in Spain that stresses security
    research. We provide quality security auditing at reasonable prices.
    
    -
    Daniel Alcántara de la Hoz
    Director de Proyectos
    daniel.alcantaraat_private
    iProyectos Desarrollos Tecnológicos
    http://www.iproyectos.com/english.php
    