Message-ID: <009e01c2eef9$069683b0$0900a8c0@compcaw8>
Date: Thu, 20 Mar 2003 15:54:43 -0000
From: Daniel Alcántara de la Hoz <seguridad@...oyectos.com>
To: <bugtraq@...urityfocus.com>
Subject: [IPS] osCommerce multiple XSS vulnerabilities
iProyectos Security Advisory:
XSS Bugs in osCommerce
1. Problem description.
2. Risk
3. Solution
4. Manual fix
5. About iProyectos
------------------------------------
1. Problem description:
osCommerce is a widely installed open source e-commerce solution.
Several XSS (cross-site scripting) problems exist in versions of osCommerce
prior to 3/14/2003 that allow an attacker to inject arbitrary HTML and script
into a page served by the shop.
An attacker could lure a victim to a specially crafted URL that, when
followed, sends the victim's session cookie to the attacker.
With a user's cookie, the attacker is able to hijack that user's
account.
iProyectos won't provide a direct exploit this time, given the simplicity of
the bug (exploitation of XSS bugs is straightforward). Here is a proof of
concept for one of the four existing bugs, as a single URL:
http://vulnerable.host/default.php?error_message=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
The error_message parameter decodes to
<script language=javascript>window.alert(document.cookie);</script>, which the
page reflects unencoded into its HTML response.
The full list of vulnerabilities is available on our website,
http://www.iproyectos.com/english.php, which explains the four bugs.
We contacted the vendor on 3/13/2003. They fixed 4 XSS bugs in 24 hours
and committed the patches to CVS.
We found these bugs in the last milestone version, and they probably have a
long history. The online demonstration on the osCommerce website, which is
said to be the 2.2ms1 version, was modified, so be wary of trusting the
milestone because of this. As of 3/18/2003, the last milestone available
(2.2ms1) is still vulnerable.
Contrary to what can be understood by reading the vendor report, this is
not a CVS version bug. Furthermore, we conducted a little survey and found
this bug in 27 out of 30 osCommerce shops.
2. Risk
iProyectos rates this vulnerability as medium risk, since some degree of
social engineering is required.
3. Solution
To patch, update from CVS. Downloading the latest milestone WON'T fix this.
4. Manual Fix
Many installations of osCommerce are heavily modified to suit the needs
of each shop, keeping just the core osCommerce engine. For these, applying
the patch directly won't be possible. If you are interested in a guide to
fixing customized osCommerce installations, please contact us at
seguridad@...oyectos.com . We will publish a checklist guide to fixing
osCommerce if demand is high enough.
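For shop owners who have to fix a customized installation by hand, the pattern to look for is a request parameter echoed straight into the HTML response. The following is an added illustration of that pattern in its vulnerable and hardened forms; it is not osCommerce's own code, and the function names, the CSS class and the way the parameter is read are assumptions made for the example.

```php
<?php
// Added illustration of the reflected-parameter pattern behind this advisory.
// This is not osCommerce's own code; the function names, the CSS class and the
// parameter handling are assumptions made for the example.

// Vulnerable form: the query parameter is concatenated into the HTML response
// verbatim, so ?error_message=<script>...</script> executes in the shop's
// origin and can read document.cookie.
function render_error_vulnerable($error_message)
{
    return '<div class="messageStackError">' . $error_message . '</div>';
}

// Hardened form: HTML-encode the value at output time. ENT_QUOTES also encodes
// single quotes, so the same output is safe inside quoted attributes. Use the
// charset the shop actually serves (osCommerce 2.2 installs commonly used
// ISO-8859-1); UTF-8 is assumed here.
function render_error_safe($error_message)
{
    $encoded = htmlspecialchars((string) $error_message, ENT_QUOTES, 'UTF-8');
    return '<div class="messageStackError">' . $encoded . '</div>';
}

// Constructed input: the advisory's proof-of-concept payload, URL-decoded.
$payload = '<script language=javascript>window.alert(document.cookie);</script>';

// In the vulnerable version the <script> tag is emitted unchanged; in the
// hardened version it arrives as &lt;script ...&gt; and is rendered as text.
echo render_error_vulnerable($payload), "\n";
echo render_error_safe($payload), "\n";

// Wiring the safe renderer to a real request. Encoding is done at the point
// of output, not at input, so the raw value can still be logged or compared
// elsewhere. (osCommerce of that era read $HTTP_GET_VARS instead of $_GET.)
if (isset($_GET['error_message'])) {
    echo render_error_safe($_GET['error_message']), "\n";
}
```

When auditing a modified shop, grep every template and page for variables that come from the query string or form fields and are echoed without htmlspecialchars() (or the shop's own output helper). Note that HTML entity encoding only covers the HTML body and attribute contexts; a value placed inside an existing <script> block or a URL needs JavaScript-string or URL encoding respectively.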
5. About iProyectos
iProyectos is a new IT company established in Spain that stresses security
research. We provide quality security auditing at reasonable prices.
-
Daniel Alcántara de la Hoz
Director de Proyectos
daniel.alcantara@...oyectos.com
iProyectos Desarrollos Tecnológicos
http://www.iproyectos.com/english.php