osCommerce Malformed Session ID XSS Vulnerability
December 17, 2021
Description:
osCommerce is an online shop e-commerce solution under ongoing development by the open
source community. Its feature-packed out-of-the-box installation allows store owners to
set up, run, and maintain their online stores with minimum effort and with absolutely no
costs or license fees involved.
Problem:
osCommerce is vulnerable to an XSS flaw. The flaw can be exploited when a malicious user
passes a malformed session ID in the URI, which is then reflected unencoded into generated links. Below is an example of the flaw.
https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>
This condition seems to affect only secure https connections, but was confirmed by the
developers to affect regular http connections in the current CVS version of osCommerce.
Solution:
This is the response from the developer.
To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in
the tep_href_link() function defined in includes/functions/html_output.php.
Before:
if (isset($_sid)) { $link .= $separator . $_sid; }
After:
if (isset($_sid)) { $link .= $separator . tep_output_string($_sid); }
osCommerce 2.2 Milestone 3 will redirect the user to the index page when a malformed
session ID is used, so that a new session ID can be generated.
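The following is an added illustration of the two fixes described above; it is not osCommerce's own code. It mirrors the shape of the tep_href_link() snippet from the advisory with a minimal stand-in for tep_output_string() (assumed here to be htmlspecialchars-based; the project's real function may encode a different set of characters, so check what it actually translates), and adds a session-ID format check of the kind a redirect-on-malformed-ID behaviour implies. The hostname and sample session ID are constructed.

```php
<?php
// Added example, not osCommerce code. Shows why raw concatenation of the
// session ID into a link is an XSS sink, and what the two mitigations do.

// Stand-in for tep_output_string(). Assumption: HTML-encodes quotes and angle
// brackets so the value can neither close an attribute nor open a tag.
function tep_output_string_demo($string) {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// "Before" shape from the advisory: $_sid is appended to the link as-is.
function href_link_before($page, $sid) {
    $link = 'https://shop.example/' . $page;   // constructed host
    $separator = '?';
    $_sid = 'osCsid=' . $sid;
    if (isset($_sid)) { $link .= $separator . $_sid; }
    return $link;
}

// "After" shape from the advisory: $_sid is encoded before being appended.
function href_link_after($page, $sid) {
    $link = 'https://shop.example/' . $page;   // constructed host
    $separator = '?';
    $_sid = 'osCsid=' . $sid;
    if (isset($_sid)) { $link .= $separator . tep_output_string_demo($_sid); }
    return $link;
}

// Defensive check modelled on the 2.2 MS3 behaviour: a session ID that does
// not match the expected character set is malformed and should not be
// propagated into links at all (the caller would redirect and issue a fresh
// one). The character class and length bound are assumptions for this demo.
function is_wellformed_sid($sid) {
    return (bool) preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid);
}

$samples = array(
    'a1b2c3d4e5f6',                                   // constructed, well-formed
    '"><iframe src=http://www.gulftech.org></iframe>', // payload from the advisory
);

foreach ($samples as $sid) {
    echo 'well-formed: ' . (is_wellformed_sid($sid) ? 'yes' : 'no') . "\n";
    echo 'before:      ' . href_link_before('index.php', $sid) . "\n";
    echo 'after:       ' . href_link_after('index.php', $sid) . "\n\n";
}
```

With the second sample, the "before" link emits the `"><iframe ...>` sequence verbatim into the page, while the "after" link carries it as `&quot;&gt;&lt;iframe ...`, which browsers render as text rather than markup. The format check rejects that sample outright, which is the stronger control: output encoding protects each sink individually, whereas refusing malformed IDs at the entry point removes the tainted value from every link tep_href_link() would have built.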
Credits:
James Bercegay of the GulfTech Security Research Team.