Description:
osCommerce is one of the most popular open source ecommerce web applications
ever written. osCommerce allows webmasters to open a fully functioning online
marketplace with little effort. Unfortunately, several new vulnerabilities have
been discovered in the latest versions of osCommerce. These issues may allow an
attacker to gather arbitrary information from the database, such as credit card
information, user login information, or personal information. There are also
issues with some of osCommerce's file handling functionality that may allow an
attacker to gain access to sensitive data. The osCommerce team has released
updates to address these vulnerabilities and all users are encouraged to
upgrade their osCommerce installations as soon as possible.
SQL Injection:
All versions of osCommerce suffer from a high-risk SQL injection vulnerability
that allows an attacker to select any data they wish from the database, such as
credit card numbers, personal information, or password hashes. The SQL
injection itself takes place in shopping_cart.php at lines 80 - 98:
    while (list($option, $value) = each($products[$i]['attributes'])) {
      echo tep_draw_hidden_field('id[' . $products[$i]['id'] . '][' . $option . ']', $value);
      $attributes = tep_db_query("select popt.products_options_name, poval.products_options_values_name,
                                         pa.options_values_price, pa.price_prefix
                                  from " . TABLE_PRODUCTS_OPTIONS . " popt, " . TABLE_PRODUCTS_OPTIONS_VALUES
                                       . " poval, " . TABLE_PRODUCTS_ATTRIBUTES . " pa
                                  where pa.products_id = '" . $products[$i]['id'] . "'
                                  and pa.options_id = '" . $option . "'
                                  and pa.options_id = popt.products_options_id
                                  and pa.options_values_id = '" . $value . "'
                                  and pa.options_values_id = poval.products_options_values_id
                                  and popt.language_id = '" . $languages_id . "'
                                  and poval.language_id = '" . $languages_id . "'");
      $attributes_values = tep_db_fetch_array($attributes);
      $products[$i][$option]['products_options_name'] = $attributes_values['products_options_name'];
      $products[$i][$option]['options_values_id'] = $value;
      $products[$i][$option]['products_options_values_name'] = $attributes_values['products_options_values_name'];
      $products[$i][$option]['options_values_price'] = $attributes_values['options_values_price'];
      $products[$i][$option]['price_prefix'] = $attributes_values['price_prefix'];
    }
The variables $option and $value are taken from $this->contents in the shopping
cart class via the $cart->get_products() function call at line 76 of
shopping_cart.php. Unfortunately these shopping cart values come from session
data that is not properly escaped and can be controlled by an attacker via the
id[] array when adding a product to the cart. The values are not properly
escaped because osCommerce's magic_quotes_gpc emulation is flawed when it comes
to sanitizing multi-dimensional arrays: only the outer level of id[] gets
escaped, and the nested option/value pairs reach the query with their quotes
intact.
-99' UNION SELECT null,CONCAT(customers_password,'::',customers_email_address),
null,null FROM customers/*
The id[] array is used to specify extra product attributes that a shop owner may add.
Shown above is an example value that could be sent via the id[] array; when the
shopping cart is viewed you will see a customer's password hash and login. The
payload selects four columns because the original query selects four
(products_options_name, products_options_values_name, options_values_price and
price_prefix), and the CONCAT() sits in the second position so that it lands in
products_options_values_name, the field the cart page prints as the option
value. Even though the SQL is injected when adding a product, the vulnerability
cannot actually be exploited until the shopping cart is viewed. No special
access is needed to exploit this issue other than a normal customer account.
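The following is an added illustration, not osCommerce's own code, of the
escaping flaw described above. shallow_quotes() is an assumed stand-in for a
magic_quotes_gpc emulation that only escapes top-level scalars, recursive_quotes()
is the corrected version, and attribute_where() rebuilds the WHERE fragment the
same way shopping_cart.php concatenates it. The POST body is constructed for the
demo; all function names are hypothetical.

```php
<?php
// Added illustration (not osCommerce code): a one-level quoting loop leaves
// nested GPC values such as id[12][3] unescaped; a recursive loop does not.

// Constructed POST body: product 12 with option 3 carrying the payload above.
$post = [
    'products_id' => '12',
    'id' => [
        '12' => [
            '3' => "-99' UNION SELECT null,CONCAT(customers_password,'::',customers_email_address),null,null FROM customers/*",
        ],
    ],
];

// Assumed shape of the flaw: scalars at the top level are escaped, any nested
// array is skipped, so its leaves keep their single quotes.
function shallow_quotes(array $ar): array {
    foreach ($ar as $key => $value) {
        if (!is_array($value)) {
            $ar[$key] = addslashes($value);
        }
    }
    return $ar;
}

// Corrected emulation: descend into arrays so every leaf is escaped.
function recursive_quotes(array $ar): array {
    foreach ($ar as $key => $value) {
        $ar[$key] = is_array($value) ? recursive_quotes($value) : addslashes($value);
    }
    return $ar;
}

// Builds the WHERE fragment exactly as shopping_cart.php glues it together.
function attribute_where(string $products_id, string $option, string $value): string {
    return "where pa.products_id = '" . $products_id . "'"
         . " and pa.options_id = '" . $option . "'"
         . " and pa.options_values_id = '" . $value . "'";
}

// Walks the (escaped or not) id[] array the way the cart loop does and
// returns the resulting fragments, one per attribute.
function demo(array $clean): string {
    $pid = $clean['products_id'];
    $out = '';
    foreach ($clean['id'][$pid] as $option => $value) {
        $out .= attribute_where($pid, (string) $option, (string) $value) . "\n";
    }
    return $out;
}

echo "--- shallow escaping (payload survives) ---\n", demo(shallow_quotes($post));
echo "--- recursive escaping (quote becomes \\') ---\n", demo(recursive_quotes($post));

// Escaping is a stop-gap; ids are integers, so the durable fix is to cast
// them before they ever reach the query string.
function safe_attribute_where(string $products_id, $option, $value): string {
    return "where pa.products_id = '" . (int) $products_id . "'"
         . " and pa.options_id = '" . (int) $option . "'"
         . " and pa.options_values_id = '" . (int) $value . "'";
}

echo "--- integer cast ---\n",
     safe_attribute_where($post['products_id'], 3, $post['id']['12']['3']), "\n";
```

The first block of output shows the UNION arriving in the query unmodified; the
second shows the quote neutralised. The integer cast turns the payload into -99,
which simply matches no attribute row.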
Arbitrary File Access:
One weak point of osCommerce is the lack of traversal checks when dealing with
certain filesystem functions. For example, let's have a look at the following code
from cache.php, specifically the tep_cache_also_purchased() function:
    if (($refresh == true) || !read_cache($cache_output, 'also_purchased-' . $language . '.cache' .
                                          $HTTP_GET_VARS['products_id'], $auto_expire)) {
      ob_start();
      include(DIR_WS_MODULES . FILENAME_ALSO_PURCHASED_PRODUCTS);
      $cache_output = ob_get_contents();
      ob_end_clean();
      write_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id']);
    }
The tep_cache_also_purchased() function is not the only place where the read and
write cache functions are called with GPC parameters. For example, the functions
tep_cache_manufacturers_box() and tep_cache_categories_box() are vulnerable too. Now
let's have a look at some of the code from the cache functions that read and write
osCommerce cache files.
    ////
    //! Write out serialized data.
    // write_cache uses serialize() to store $var in $filename.
    // $var - The variable to be written out.
    // $filename - The name of the file to write to.
    function write_cache(&$var, $filename) {
      $filename = DIR_FS_CACHE . $filename;
      $success = false;
      // try to open the file
      if ($fp = @fopen($filename, 'w')) {
        // obtain a file lock to stop corruptions occurring
        flock($fp, 2); // LOCK_EX
        // write serialized data
        fputs($fp, serialize($var));
        // release the file lock
        flock($fp, 3); // LOCK_UN
        fclose($fp);
        $success = true;
      }
      return $success;
    }
Because the attacker-controlled products_id is appended to the file name without
any check, it seems that this vulnerability is only useful for enumerating the
existence of files on the system, but it also discloses the full path to a
writeable directory, which could come in handy to an attacker.
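The following is an added example, not osCommerce's own code, showing the raw
file-name construction beside a hardened version. safe_cache_path() and
guarded_write_cache() are hypothetical names; the scratch directory stands in
for DIR_FS_CACHE, the language whitelist is an assumption, and the inputs are
constructed for the demo.

```php
<?php
// Added illustration (not osCommerce code): build the cache file name from a
// validated integer and confirm the result resolves inside the cache directory
// before touching the filesystem.

// Stand-in for DIR_FS_CACHE so the script runs anywhere.
$cache_dir = sys_get_temp_dir() . '/osc-cache-demo';
if (!is_dir($cache_dir)) {
    mkdir($cache_dir, 0700);
}

// Vulnerable pattern: the raw GPC value is glued onto the file name.
function unsafe_cache_path(string $cache_dir, string $language, string $products_id): string {
    return $cache_dir . '/also_purchased-' . $language . '.cache' . $products_id;
}

// Hardened pattern: language restricted to one path component (assumed
// whitelist), products_id required to be a plain integer, and the parent of
// the final path checked against the cache directory as defence in depth.
function safe_cache_path(string $cache_dir, string $language, $products_id): ?string {
    if (!preg_match('/^[a-z]+$/', $language)) {
        return null;
    }
    if (!preg_match('/^\d{1,10}$/', (string) $products_id)) {
        return null;
    }
    $path = $cache_dir . '/also_purchased-' . $language . '.cache' . (int) $products_id;
    // The file may not exist yet, so compare the parent directory, which must.
    $real_dir  = realpath(dirname($path));
    $real_base = realpath($cache_dir);
    if ($real_dir === false || $real_base === false || $real_dir !== $real_base) {
        return null;
    }
    return $path;
}

// Constructed inputs: one benign id, two that try to leave the cache directory.
$inputs = ['42', '/../../../../etc/passwd', '42/../secret'];

foreach ($inputs as $pid) {
    echo 'input=' . var_export($pid, true) . "\n";
    echo '  unsafe: ' . unsafe_cache_path($cache_dir, 'english', $pid) . "\n";
    echo '  safe:   ' . var_export(safe_cache_path($cache_dir, 'english', $pid), true) . "\n";
}

// The same guard in front of the write, keeping serialize() as write_cache() does.
function guarded_write_cache($var, string $cache_dir, string $language, $products_id): bool {
    $path = safe_cache_path($cache_dir, $language, $products_id);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, serialize($var), LOCK_EX) !== false;
}

var_dump(guarded_write_cache(['demo' => true], $cache_dir, 'english', '42'));
var_dump(guarded_write_cache(['demo' => true], $cache_dir, 'english', '/../../../../etc/passwd'));
```

Validating the id is what closes the hole; the realpath() comparison is there
so that a future change to how the name is built cannot silently reopen it.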
Solution:
Harald Ponce de Leon was very prompt and professional in addressing these issues in a timely manner.
http://forums.oscommerce.com/index.php?showtopic=223556&pid=918371
The above link contains all relevant upgrade information for osCommerce users. Users are strongly advised
to upgrade their installations as soon as possible.
Credits:
James Bercegay of the GulfTech Security Research Team