Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: a6109.htm

OsCommerce CVS Security Analysis



6th Apr 2003 [SBWID-6109]
COMMAND

	OsCommerce CVS Security Analysis

SYSTEMS AFFECTED

	OsCommerce 2.2

PROBLEM

	Thanks  to  Lorenzo  Hernandez  Garcia-Hierro  [security@lorenzohgh.com]
	[http://www.lorenzohgh.com] analysis :
	
	Now i'm working on OsCommerce Security Analysis , and i encountered  few
	(little) security holesand notes , referring the  Cross  Site  Scripting
	and other things releated with the paths and  the  interactive  scripts.
	OsCommerce  is  very  safe  application,  difficult  to  find   security
	problems and the risk ( very small in the most common ).
	
	
	 - THE PRODUCT LISTING AND CATEGORIES:
	
	This a safe module (i think) because all the module's  scripts  (that  i
	know) doesn't make db connections ,the module  only  uses  variables  of
	URL on PHP  but  the  final  listing  requires  a  db  connection  tothe
	oscommerce's database , the form to list prodicts is really easy:
	
	    - The user attempts to retreive the product list in a category .
	    - OsCommerce makes the query using: default.php?cPath=1&osCsid=000000000000000000000
	    - Path is the variable of the category.
	    - OsCommerce makes the required queries and show the product list output.
	
	
	 -PROBLEMS IN FIRST VIEW:
	
	    None but....
	 
	http://host/oscommerce_installation/default.php/cPath/[here comes your directory , use slashes and doble dots]
	
	This URL is for show a list of products or other. This  needs  PHP  with
	Pear libraries.
	
	With this you can go to a site link  using  the  local  referer  in  the
	header of HTTP , this can be used for login into  the  system  trough  a
	login system that checks the referer ( must be local)  the  referer  can
	be spoofed only the web navigator help!.
	
	   - DoS attack at product listing:
	
	Normally this is not very important but if the  buffer  sended  is  very
	large the server can be unstable ( mysql server and webserver)
	
	This is the code for the little DoS attack:
	 
	 product_info.php?products_id=[here comes your random content ,better large]
	
	and this can be used with secondary variables in the URL...
	 
	      &action=notify
	
	
	 - CONCLUSIONS:
	
	OsCommerce is a SAFE e-Commerce  System  but  ,  the  human  programming
	always has errors!,
	
	The development group of osCommerce is really good, possibly  osCommerce
	hasnít  important  security  risks   excluding   the   detail   of   the
	administration  system  ,  the  admin.   App.   comes   without   access
	protection!.

SOLUTION

	You can protect your osCommerce admin installation , is easy , you  must
	only have a little PHP knowledge and a backup of your server files.
	 
	Content-Type: application/octet-stream; name="patch.zip"
	Content-Transfer-Encoding: base6
	Content-Disposition: attachment; filename="patch.zip
	
	UEsDBBQAAAAIAFi7hi7WI95uFBEAAIpEAAAJAAAAcGF0Y2gudHh07Txrc9s4kp+tKv0HBOuKpYxt
	Jdn9crYkl2PJiWttSyvKyeUSn4omYYs3EskhKduaGf/3624AfFOSvTuzd1XxTEUS0N1oNBr9AsF3
	YXTAvnoLNl+EEfPNMBIsmjohszxbMMdlJrt1ZoJZ5mwmbDbz7hx335/60LX0FgGr17zwxJvPRWAJ
	dmzPAcM3oyk7qNfwv/YRwNZrrRZ78+YNMyIziIC8YKEIQ8dz6zX1ZRJiV6N5GMN+NmeObQI3gfhl
	IYC3yMPRkSX4RiyGTiT267Xt09PJOfJ1bEVAinXY9qfxeDgx+qPP/dHk8/HI+LYz/IQN56c71zCE
	c8saThiKqFEC+Y+r/ujrxBiPzi4/7lw32evXMMQ6sFcdzpssz8l+p17jR3x/LXoJT8OBMVawi1AE
	E9ecC2CnyX6r1xiNdG/OrqAHOzqrcA5TCEMzDB+8wK5A8FV3Cul2ZuMox4to6gXOryZOrMOvzno8
	BgmE7QTCimjqxsKyYE073HFt8YiqUgF4aoJe2R0eq1QKLsQhJwYomCU6HNatfzJmVyDAy+OL/i4b
	HhvGl8GoxyQKiq6KVfaqw/TSZMjC4jC+y5lSoDLccn4IkZ2OBhfMenRsMUHJhezLp/6oH/PY2Ykp
	p5aJ7TO+w44ve/EMCC6/OAQmpzZfhr/MJqGYgdQm9k1jG7aEeWOGYgLtu2wb/m3m2OxIHNg0wbJR
	4F7hMA+3ru2IhoQWQeAFjaaiFXgPkxgR9pOEuRWRNZ0Aj56VottUS6AIuYv5BNDDNATrsrdKbxmD
	7b3Q4jBdm2mVY3MTyLM9ubXhf5PdowkgaIm6fXExSTQ+K9pDCaLNSSDuHDBlQYOncHhTQW2iMIrd
	ZNTsDsjK6FsVtWs14hMTs1CsI8q5Bl8zmwxaZlrKhJi0CW3hOsJGE8ZuTRg/PauKfYvWM42cZUgp
	QiAEIIeLWVRQhDKmAYQ2+eSWtjzxu7Wda4WBiUdFZSpMG3Svwc89i2Z5UMlyPH/x6ET09SnZOqt4
	3YxTKascq1GwkJxuwudpmphiElg86oJ/nEbzGX0CnW47cqKZ6BISODrwc+RRgbmAaLdbEgDgW4QA
	X248e4mfPoPdcgc6ZAkX5sK7r92b0D9st3zsvfWCOTMtqWXklJmwpl7eYx11OZsL0C2wy+gbOKO9
	Jm00BycF7TIG4F2cTNt27vPjyrVo+10Y1I0gjph5QYf/5ZT+ODjtX4Hgew6rjbb9swhs0zV32XHg
	mGDRPonZvYgcy9yF2MB0wz1YLeeWd9sgA8+9634RM8ubC63GICJg/8xlxhJWcN5uKbB2Cwfvytlr
	fnTfC/iq1xLGWJovbVsONEdtx/UXkZJb7IU5i5Y+NETiMeIMxZh0dWNUzXQ8CT8vTc3lmsnk5lCv
	rZmF9jwrZqHttJ5J8jueTdy0YkZ/0rKUzsNY3MydSE9A/0L29XdwKAvo+uitX5R2C3SfdiLurTU7
	sN2ibQq7Vm73eu29ax+wpY67rUBgqGsyaTW8YKkD7hPPdQXtzZDtUvCL7lEj1msxJkXpDw6E3ip8
	Bx7ciMLw07PzPgNjuE+xeByU/4WdAs4liUb1cmwdk3guvhr/OKffGCmC5oLFg5/bUy+MUJwYgIAh
	5Po3uq5MdIKd8rcACZngsQhEO38Non9Tp9Yg3RlrFHbKNmnWfUvKpZHhB4KbNHn4mSaIQU9FzHNE
	a/LXaHrA7jx2Y1o/U2xSvSzz+cQQwb0IDCtw/ChEcFqeeo3En0KQNHB5wmQ13h2wiwsUbO9DblUw
	E2iAlRAu+aaZB/7FbvD5Deif497xZrNe+w39J3ppPzqZmgF4/E/SDYHIjql5T7UfMIwv5zcTB1XS
	NWHWLmR2QIhyrS3pvhqslJr00wiChKWrUo4KnITJplHk70F25tx3dk6kvu2h8uyAFJT+dXbQ4pHa
	AzFLku8onhB/4i0i2KGNJga9XeXWcLm30D8BYzR8U3pMSg4/LJyZzax4XzDv5n/gG/ZRXIc9yAXr
	ANNSi5syvSrkPMTsdRYQZYspJywgSH2pN4aUhYfbEYThigd2sTR+mSXbs0g96TNo6Xaud3UmmebB
	mQuQAXSyQt8n0O1yrJ7aaKVo6JMuKfUrQx3GOV5aqsPAo/DP808g8VfyoulqfaMfe92BL1zSHWgr
	FaqkoMR6FiI8ynVLLqgmM4aUXpIiyWJ0nAy5102W98zG8FW3O0QPySFPwMAWmOg1PHwU0di8ge3H
	m1vwV69lGIl7FScJK+uInnizcHBLyFWUAWQxdzVUiQJi86XK7J8xev9RWItIkMqWjJx0F+lAY7le
	XJiPI0jcnskJTHLQ+3DSMy4rxat19Rzi2OcJ2Vj4vhdEISmnvQhIzrkBCjDPXkfAvIc8PkBrEJaM
	kAd59gCfHfFQKR3qfAnPcraSbinHCuD5tM0ANBLcBehtSvIlY5QBFulj1wt0fCSiReCGI8rdwGuU
	rEwGxCgrnY1GLxxdb6Hhyg02LFLBrmTMXfa2bK9poESCz992fxfLxPwwVqYCztwMlim4DQwQ+YMt
	cAjIw6ui2YWeKcQ6EGuKR4wY0AFjscaKFhAZxfHRzZJpCw+BuarXYh8C12uuB/7aFQJCG6KZ9Q2f
	aIC+pi8VOOWCTmZeKBqx95KBAlfBNWcSmsKs9+yAxT48FWRZM3CCeQ8u/dy9GbBtOd9D/VPHmHGD
	jnPjhkVShpINOvCMGyLp5+PfaQ8np3e7cGVAU4gs8pEE+HwVNqD3B+bgo/cB87ztq7MeKtzwwY6d
	5DYKX69hqswS9yjWsPQzjrmU7rUh6TOqHG3FGFogVGuH70TtKVHfBhOBuGtQctBpfPvvw+ufmocc
	uCyZSSCiJtCvHgAAvr271kPEfPU+5LnSq4JIvQ9VPNk3aY7YKp4qqVewBMLPY8W1zg51VzG1gCw0
	zdWmTKXJVzAFqpDHimuuHequYsp/eBlTafJZphRjsabLCFArqrI6ikomBNR5X5z2ZdUEVT4rEGAt
	ywyVvIvJHw4el4T/mIEp+M0IKN6KjYJuyeLzERUY8RCtcACQRYhHSzPdzC6oGp4lfyBoMsgkBMha
	sYIhi993AnNZG+wy1Rrw3M0DVqU6EebWNmFN5pAtmHciFpASKFOmQy8my4PjBFnzNwVTpMavXPRJ
	WNnrhzDJmRNOU1UQbJdHKziD/dhOQPbIYBp0WkA5b36DHKoRSQNZVhjkQXi7PxoNRkZXfnbbvb5x
	Mjobjs8Gl12imGUVeACfkwZqtxRmS1HizZQ0qs3wkzwrzW+OJEXSGySgeCfWGuWVQVt4e9w3xgzk
	FS3CDuoOMIFNwPhBrKIFv3pYHFT51iTBKt8WmJJlmEh0HFHUniFaZQpK4Ap+hX+K+3Jb8q3sfaqw
	KqmULvaBj/PZgCoNqGJcej95LBBrMGhaNIkk4qbbLJaRpJXe6pkR26O+cXU+Nvrjbvv0rH/eM6jI
	oXVD5YnMDPC8+xbMr2vJKIpOUSmEMqypmJtYaIqxgDs8EqcS4o1goS8s59YBRHEvsFLoLe6wHCiW
	RBiCLhbKbEnYeR7xUFNy1m3jAWZ3fPzhvD85OR4fnw8+tlvU1m5JCH5I42OVB/lmb+u1xq8i8PZQ
	VnZzQ9rGyaf+xXE5aUW4Xnu3ITH8upLUeyXtPKmWWo72aPBFLgqpHarBibdwE/VITjbVWuv1Q7PT
	2HY6bw8hcGRtlkLGlp9+ymp7bnwYttv+fHx+1W/lPjUzORTJDY1Bhk3zAzrqNA/LB2lJgu0Wjsbj
	3VMuEBIEfMQay9MxhbJBCdZh6QZUaW3KtRfUT1Eq2xu5VaniqThsOu39s8fOF3vi3Gq1FaKDeoYN
	0pd86LMEVcKg98gZK3W8Tx9xaMPPXHlmTs0HTHbL2uXWZhSyThA24Jkt3Aisijzd7HznvF7b30+c
	vuth7VaFB/w7L/rNHCh450wrRQ2bO9MfFvf/tsXN0Hq/ltbJ4Pzq4rKc2FrkHshqMv46fAHqmTG5
	vDo/x5k8H1kxbZz9Vxnyhm5G69R4iqdDYmaHTFol0KbbwJuz2ByAKh2wUwTZpcO5XXa5mM122d/F
	EvKPnrg1yfz3H6PAJKoPUzwMbOAzKvmnd4LAXCYeg049JseGMThpvtBLtZLJ4GwM4ZsBHnjhIauc
	Bx7h7rNTyjGYEx5QVwNb5ZC0nWXG2dh/0/z+vSE/mlgwgCl84zhpfq2yTYWkGAVXTWc9mUwTm5G+
	bn6vm5/kh86Kyqgk4+VJcZ5Qied7sQQJshDTJhcWRacu/Gvf4GhUOSdT8gDGQMDCQhfAMn454ErQ
	iBUPjOsaD0xWTnZTVqjZURhII5Z8fr1UAIFZCxEm7eHXaH11MMAP16KSUPTf81CJyZehkrhLUPPR
	C/xb8oxPLjj7Y6Kbisp3/PVSFgKkA5E/IAtT3iMTEvwpwUn6PMg0IEkUc3DqwKA688mke1gDmMzN
	O8eCEMGLRDi58y1w0WlPmxABRcSDaT+cmeEUoi6W7muytGzLop/qyCYhUxnegEgTKBXlUGlDqMqG
	dtP02IQAtxTgqTz7z4tzJkseuB9husx3rJ9hdy58DADwCB/MQ59I+HhijTUS1vui6MvyCAD2Rpfs
	3d77/9h7+35/RYRVNpNsmFUWZbF/Y4z1z0dY2+TRigmUdHTpXVqWQCXIZQkUPXuQdWuEkKMq54DA
	eY9R5tn5YXmvfFgI1gO6wDYhub0utlXAf+dsbj5OIDe7i6aEF2Ml7dW4lNYVhsPGahywHxM0txIt
	xtLNKxAXcxE4Vh5PtlajLdzQuYMoJYenm6sRMWC9dQqM6uZqRF+eZE1+FsusSFMdK9YDdMLxZ6KI
	nu5ZNV8HdnIRO2mvxFXxYmY19TFRaZ5eFokqX/f0rAJGSegnH9xeUbxAnNev8SduQu0bNqxhJLEI
	kBSmNVXxpxmybRAR63TZNj1e12StN+xhSrEgdR3BH3vTWr1Js9FDrhsP/igVM2f0iFFDjVQp5iw1
	WRIuBUxFHBvJNLVO/7bYJPusQlWgcfSHRhpDcHsYDaWDDTxbHNCRZRI+/blxUPF5gUzEtikz46vR
	pRGPpKvuVLYmFrL9pZyUPLWSK/LztnE1HA5GY2M4Gpz0e1ejfn6kAkDpUIWqf2GgbMln01CkPBb5
	14Ui5dqdfZiorLCGpEsUJp2/l1QbSs3otn2D42RPCOybsLHiNKA695bPKTYU0WZ5XJXLtuMUbq+r
	Z16VEhWj7BVG5Vn2pPgYyY/S5o/S5o/S5o/S5v/D0qZ81COMgsgD9RVBQxbIYEB+3aRK23B0xpv0
	wMTLKqES7wW1UIn47GqoRIsZLqmI6o5CTVR2POkvsi5aTS9TG80RVXcXk3haS+GfqZCqJSivkSbi
	ylZJNWP5Omn5em5YKV2LvKpWuhZ5VbV0LfL6eimRiLPIf3VusiqSeCKbWf60pbx08zd8WQDdthGu
	Tc+UJbeiPH+p7wjr1xLQ3X/B4svlDPYRvogg8x4CE29N7gMQBMygcRTJHBRfRwB5QBQ4VsSO5dXX
	sceG5h0YpI+B6UYUNwgXOJC9+q0DPoDIm92muoUr6N5v2OHsHV1UUl3y2ufV6Dx3xx3773AEOWwH
	n2Ypvgah+I4Cw4DgQT63m7nVHL8UAFHoubHff2ev1iNnLxEjld9/T151sB6h04HUAFFAir4nb3zn
	REJl72dwQI/g6uvJKRnBNn6nb/Y+Sdm8yoGkXozwS4j3mHDrHyUvCMgxGS/OLkI1mznE1+mXFkAI
	FdDlqnXvlchcwd7szRLA1ky4m0DTJfoMQ/s0Q3oYboMXTMjZZOaOUyq07adFAeYkfRscVBxC5Hpt
	gUzjG0IaaYaaqRvR+QvRmTFKr0L/L1BLAQIUABQAAAAIAFi7hi7WI95uFBEAAIpEAAAJAAAAAAAA
	AAEAIAAAAAAAAABwYXRjaC50eHRQSwUGAAAAAAEAAQA3AAAAOxEAAAAA
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH