lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <42A9CC56.8020700@gulftech.org>
Date: Fri, 10 Jun 2005 12:22:30 -0500
From: GulfTech Security Research <security@...ftech.org>
To: BugTraq <bugtraq@...urityfocus.com>,
	OSVDB <moderators@...db.org>, Secunia Research <vuln@...unia.com>
Subject: osCommere HTTP Response Splitting


##########################################################
# GulfTech Security Research           June 10th, 2005
##########################################################
# Vendor  : osCommerce
# URL     : http://www.oscommerce.com/
# Version : osCommerce 2.2 Milestone 2 && Earlier
# Risk    : HTTP Response Splitting
##########################################################



Description:
osCommerce is a very popular eCommerce application that allows for
individuals to host their own online shop. All current versions of
osCommerce are vulnerable to HTTP Response Splitting. These HTTP
Response Splitting vulnerabilities may allow for an attacker to
steal sensitive user information, or cause temporary web site
defacement. The suggested fix for this issue is to make sure that
CRLF sequences are not passed to the application.



HTTP Response Splitting:
osCommerce is vulnerable to HTTP Response Splitting. The problem lies
in includes/application_top.php Here is some of the vulnerable code.

// performed by the 'buy now' button in product listings and review page
case 'buy_now' :       
if (isset($HTTP_GET_VARS['products_id'])) {
  if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
    tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . 
$HTTP_GET_VARS['products_id']));
  } else {
    $cart->add_cart($HTTP_GET_VARS['products_id'], 
$cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
  }
}
tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
break;

In the tep_has_product_attributes() function the products_id variable is
typecast to an integer, and used in a query, so any malicious input
must be appended to a valid product id. Also, the product must have
attributes (product id 22 in the default install does).

/index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers!

As we can see from the above example, the returned headers include out
"test" parameter. The same logic behind this vulnerability also applies
to the "cust_order" parameter.

/index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers!

The only difference here is that the user must be logged in for this
particular example will work. Also vulnerable is the banner.php script.
When calling the script with the action parameter set to "url" an
attacker may include malicious data in the "goto" parameter.




Solution:
This was submitted to the osCommerce bugtracker several weeks ago. No
fix has been released as of today. Users may edit the source code to
prevent CRLF sequences from being passed to the application.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00080-06102005



Credits:
James Bercegay of the GulfTech Security Research Team


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ