Search | Research | Contact Us Wednesday April 26, 2022
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 Multiple Invision Power Board Vulnerabilities
  3 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
  4 eBay And Amazon Still Vulnerable
  5 When Small Mistakes Can Cause Big Problems
  6 Woltlab Burning Board SQL Injection Vulnerability
  7 WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
  8 Multiple Vulnerabilities In phpWebsite
  9 Document Object Model Hijacking Explained
10 Critical Vulnerability In Help Center Live
Need Secure Code?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Services Archives Research Downloads Contact
osCommerce HTTP Response Splitting
June 10, 2022
Vendor : osCommerce
URL : http://www.oscommerce.com
Version : osCommerce 2.2 Milestone 2 && Earlier
Risk : HTTP Response Splitting


Description:
osCommerce is a very popular eCommerce application that allows for individuals to host their own online shop. All current versions of osCommerce are vulnerable to HTTP Response Splitting. These HTTP Response Splitting vulnerabilities may allow for an attacker to steal sensitive user information, or cause temporary web site defacement. The suggested fix for this issue is to make sure that CRLF sequences are not passed to the application.


HTTP Response Splitting:
osCommerce is vulnerable to HTTP Response Splitting. The problem lies in includes/application_top.php Here is some of the vulnerable code.
// performed by the 'buy now' button in product listings and review page
case 'buy_now' :        
if (isset($HTTP_GET_VARS['products_id'])) {
  if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
    tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
  } else {
    $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
  }
}
tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
break;
In the tep_has_product_attributes() function the products_id variable is typecast to an integer, and used in a query, so any malicious input must be appended to a valid product id. Also, the product must have attributes (product id 22 in the default install does).

/index.php?action=buy_now&products;_id=22%0d%0atest:%20poison%20headers!

As we can see from the above example, the returned headers include out "test" parameter. The same logic behind this vulnerability also applies to the "cust_order" parameter.

/index.php?action=cust_order&pid;=2%0d%0atest:%20poison%20headers!

The only difference here is that the user must be logged in for this particular example will work. Also vulnerable is the banner.php script. When calling the script with the action parameter set to "url" an attacker may include malicious data in the "goto" parameter.


Solution:
This was submitted to the osCommerce bugtracker several weeks ago. No fix has been released as of today. Users may edit the source code to prevent CRLF sequences from being passed to the application.


Credits:
James Bercegay of the GulfTech Security Research Team