Message-ID: <20050616193510.11610.qmail@mail.securityfocus.com>
Date: Thu, 16 Jun 2005 20:34:42 +0100
From: "Harry Metcalfe" <harry@...ptop.com>
To: "'BugTraq'" <bugtraq@...urityfocus.com>
Subject: RE: osCommerce HTTP Response Splitting (Solution)


After searching in vain, I couldn't find a solution to this at
oscommerce.com or through google, so I fixed it myself. Make the following
fix to tep_redirect() in /catalog/includes/functions/general.php:

function tep_redirect($url) {
  // Switch the redirect target to the HTTPS host when the store is being served over SSL.
  if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) {
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) {
      $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER));
    }
  }

  // FIX for HTTP splitting vuln
  // See http://www.gulftech.org/?node=research&article_id=00080-06102005
  // Cut the URL at the first CR or LF, so no attacker-supplied line break can
  // terminate the Location header and start a new header (or a new response).
  // Note: eregi_replace() was removed in PHP 7; the PCRE equivalent is
  //   $url = preg_replace('/[\r\n]+.*$/s', '', $url);
  $url = eregi_replace("[\r\n]+(.*)$", "", $url);
  // END fix

  header('Location: ' . $url);

  tep_exit();
}

More info here:
http://musingsofharry.blogspot.com/2005/06/oscommerce-http-splitting.html.
I've tested this against the p-o-c and it seems to work fine. Feedback
welcome.

Harry



-----Original Message-----
From: Amit Klein (AKsecurity) [mailto:aksecurity@...pop.com] 
Sent: 10 June 2005 21:02
To: BugTraq; OSVDB; Secunia Research; GulfTech Security Research
Subject: Re: osCommerce HTTP Response Splitting

Just verifying: this is a different instance of HTTP Response Splitting than
the one reported (in the osCommerce CVS) by weirdan on November 20th, 2004 ??

http://www.oscommerce.com/community/bugs,2235

-Amit


On 10 Jun 2005 at 12:22, GulfTech Security Research wrote:

> ##########################################################
> # GulfTech Security Research           June 10th, 2005
> ##########################################################
> # Vendor  : osCommerce
> # URL     : http://www.oscommerce.com/
> # Version : osCommerce 2.2 Milestone 2 && Earlier
> # Risk    : HTTP Response Splitting
> ##########################################################
> 
> 
> 
> Description:
> osCommerce is a very popular eCommerce application that allows for
> individuals to host their own online shop. All current versions of
> osCommerce are vulnerable to HTTP Response Splitting. These HTTP
> Response Splitting vulnerabilities may allow for an attacker to
> steal sensitive user information, or cause temporary web site
> defacement. The suggested fix for this issue is to make sure that
> CRLF sequences are not passed to the application.
> 
> 
> 
> HTTP Response Splitting:
> osCommerce is vulnerable to HTTP Response Splitting. The problem lies
> in includes/application_top.php Here is some of the vulnerable code.
> 
> // performed by the 'buy now' button in product listings and review page
> case 'buy_now' :
>   if (isset($HTTP_GET_VARS['products_id'])) {
>     if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
>       tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
>     } else {
>       $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
>     }
>   }
>   tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
>   break;
> 
> In the tep_has_product_attributes() function the products_id variable is
> typecast to an integer, and used in a query, so any malicious input
> must be appended to a valid product id. Also, the product must have
> attributes (product id 22 in the default install does).
> 
> /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers!
> 
> As we can see from the above example, the returned headers include our
> "test" parameter. The same logic behind this vulnerability also applies
> to the "cust_order" parameter.
> 
> /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers!
> 
> The only difference here is that the user must be logged in for this
> particular example to work. Also vulnerable is the banner.php script.
> When calling the script with the action parameter set to "url" an
> attacker may include malicious data in the "goto" parameter.
> 
> 
> 
> 
> Solution:
> This was submitted to the osCommerce bugtracker several weeks ago. No
> fix has been released as of today. Users may edit the source code to
> prevent CRLF sequences from being passed to the application.
> 
> 
> 
> Related Info:
> The original advisory can be found at the following location
> http://www.gulftech.org/?node=research&article_id=00080-06102005
> 
> 
> 
> Credits:
> James Bercegay of the GulfTech Security Research Team




