Issue Details

Key: OSC-763
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Harald Ponce de Leon
Reporter: WR
Votes: 0
Watchers: 0
osCommerce Core

Script injection due to outputting unescaped PHP_SELF

Created: 12/Dec/08 12:14 PM   Updated: 12/Dec/08 12:16 PM
Component/s: Core Framework
Affects Version/s: 2.2 RC 2a
Fix Version/s: 2.2


Description
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Script injection due to outputting unescaped PHP_SELF

Application: osCommerce Online Merchant 2.2 RC2a
CVE: ?
Severity: Low
Released: ?
Last modified: 10 XII 2008



Overview

osCommerce Online Merchant is one of the most popular e-commerce solutions; it
is a quick and simple way to set up a virtual shop.

osCommerce uses the PHP_SELF variable to construct links with hardly any validation
(just adding slashes through magic_quotes). This allows an attacker to insert
JavaScript into a shop's pages by adding it after a / following the filename in a link.

The system outputs "tep_href_link(basename($PHP_SELF), ..." in some places, and
tep_href_link does not escape its first parameter. You would most probably want
to add /"> to the URL to close the <a> tag, then insert your payload (iframe,
faked login form, arbitrary tag with some JavaScript in an event handler etc.)
and then open another <a> tag to make the page look normal. A slash has to be
avoided due to the basename call.

There are multiple ways of exploiting such problems; the Security Pro extension or
NoScript (a Firefox add-on) would probably stop most of them, but new
possibilities appear often.



Proof of concept

1. Install a fresh copy of osCommerce 2.2 RC2a.
2a. Browse to:

http://www.example.com/catalog/product_reviews_info.php/%22%3E%3Cbody%20onload=%22alert(%27XSS%27);%22%3E%3Ca%20href=%22index.php?products_id=19&reviews_id=1

3a. An 'XSS' alert should pop up.

2b. Browse to:

http://www.example.com/catalog/index.php/a%22%3E%3Cimg%20src=%22a%22%20width=%221%22%20%20onerror=%22javascript:alert(document.cookie)%22%20style=%22visibility:%20hidden;%22%3E%3Ca%20href=%22index.php%22

3b. You should see a JavaScript alert with the shop's cookie (if cookies are
enabled). This cookie contains your session identifier, so it could be used for
session hijacking.



Recommendation

Escape the 'page' (first) parameter to the tep_output_href function. Mark
cookies as HttpOnly. Check other uses of PHP_SELF (downloads.php, payment.php,
shipping.php, navigation_history.php -- all seem ok; session.php, something
with PHP3 maybe?).



PGP-Key

http://www.wrwrwr.org/public-pgp-key

pub 1024D/D33EE52B 2007-09-17
fingerprint 5FEA 4CB2 0866 698A 187D F2AA 7CE9 A5A6 D33E E52B



Copyright 2008 Wojtek Ruszczewski <security@wrwrwr.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJQCSZfOmlptM+5SsRAt1MAJ9gTPxeD0Ng9BVTRL2zCrW2iq+rYwCgkGS8
odqYxMgXuR2oDc0EkTF2GWs=
=xigl
-----END PGP SIGNATURE-----
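The following is an added illustration of the pattern the report describes; it is not osCommerce code, not the reporter's code, and not the fix committed in r1839 (which the page does not show). The helpers buildLinkVulnerable() and buildLinkFixed() are stand-ins for a tep_href_link()-style link builder, the PHP_SELF value is constructed from PoC 2a, and the "known page name" whitelist is one possible hardening on top of the escaping the report recommends.

```php
<?php
// Added example (not osCommerce code). Models a link built from basename($PHP_SELF)
// with no escaping, so PATH_INFO after the script name lands inside href="...".

// URL-decoded PHP_SELF as a CGI/Apache setup reports it for PoC 2a. Constructed input.
$phpSelf = '/catalog/product_reviews_info.php/"><body onload="alert(\'XSS\');"><a href="index.php?products_id=19&reviews_id=1';

// Hypothetical stand-in for tep_href_link(): concatenates the page name into the URL.
function buildLinkVulnerable(string $page, string $params): string {
    $link = 'http://www.example.com/catalog/' . $page;
    if ($params !== '') {
        $link .= '?' . $params;
    }
    return $link;                           // $page is emitted verbatim
}

// Hardened variant (assumption, not the project's fix): accept only a plain
// script name, then entity-encode the whole URL for use inside an attribute.
function buildLinkFixed(string $page, string $params): string {
    // A real page name is "name.php" with no quotes, angle brackets or slashes.
    if (!preg_match('/\A[a-z0-9_]+\.php\z/i', $page)) {
        $page = 'index.php';                // fall back instead of echoing input
    }
    $link = 'http://www.example.com/catalog/' . $page;
    if ($params !== '') {
        $link .= '?' . $params;
    }
    // ENT_QUOTES encodes both " and ', since the value goes inside href="..."
    return htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
}

// basename() keeps only what follows the LAST slash, which is why the payload
// itself may not contain one: everything before that slash would be discarded.
$page = basename($phpSelf);
// $page is now: "><body onload="alert('XSS');"><a href="index.php?products_id=19&reviews_id=1

echo '<a href="' . buildLinkVulnerable($page, 'products_id=19') . '">Reviews</a>', "\n";
// The injected "> closes the href attribute, <body onload=...> executes, and the
// trailing <a href="index.php... absorbs the builder's own closing "> so the page
// still renders normally.

echo '<a href="' . buildLinkFixed($page, 'products_id=19') . '">Reviews</a>', "\n";
// The unknown page name is replaced and the URL is entity-encoded: no break-out.

// Second recommendation from the report: an HttpOnly session cookie keeps
// document.cookie (PoC 2b) from reading the session id. Set before session_start().
ini_set('session.cookie_httponly', '1');    // PHP 5.2 and later
```

Run it with the PHP CLI and compare the two anchors it prints: the first contains a live `<body onload=...>` tag, the second a single `<a>` whose href has every `"`, `<` and `>` encoded. The whitelist is defence in depth; the escaping alone is what stops the attribute break-out.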


Harald Ponce de Leon [12/Dec/08 12:16 PM]
Fixed in r1839. Thanks for the report!