###############################################
osCommerce multiple Scripts 'page' param XSS
Vendor url: http://www.oscommerce.com
Vendor Bugtracker: http://www.oscommerce.com/community/bugs,4303
Advisory: http://lostmon.blogspot.com/2006/10/oscommerce-multiple-scripts-page-param.html
Vendor notify: yes
###############################################

osCommerce contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'page' param upon submission to multiple scripts in the /admin folder. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

The same situation occurs in 'admin/geo_zones.php', but with the param 'zpage'.

####################
VERSIONS
####################

osCommerce 2.2 Milestone 2 Update 060817

####################
SOLUTION
####################

No solution was available at this time.

#######################
VULNERABLE CODE
#######################

Around line 30 in banner_manager.php we have:

  tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER, 'page=' . $HTTP_GET_VARS['page'] . '&bID=' . $HTTP_GET_VARS['bID']));

The page param is used directly, not sanitized. Around line 115 we have a similar situation: the page param is read from the GET request without being sanitized.
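The pattern from the vulnerable code above next to a hardened variant, as an added example that is not osCommerce's own code: tep_href_link() here is a reduced stand-in for the osCommerce helper, and safe_page(), build_link_vulnerable() and build_link_hardened() are hypothetical names chosen for this illustration.

```php
<?php
// Added example, not osCommerce code. tep_href_link() is a stand-in for the
// osCommerce helper, reduced to building the admin URL plus query string.
function tep_href_link($page, $parameters = '') {
    return 'http://localhost/catalog/admin/' . $page
        . ($parameters != '' ? '?' . $parameters : '');
}

define('FILENAME_BANNER_MANAGER', 'banner_manager.php');

// Vulnerable pattern (as in the advisory): $HTTP_GET_VARS['page'] is
// concatenated into the link as-is, so any markup in it reaches the response.
function build_link_vulnerable(array $get) {
    return tep_href_link(FILENAME_BANNER_MANAGER,
        'page=' . $get['page'] . '&bID=' . $get['bID']);
}

// Hardened: 'page' is a pagination index, so cast it to int and fall back to
// the first page for anything that is not a positive number.
function safe_page($value) {
    $page = (int)$value;          // '1"><b>x</b>' -> 1, 'abc' -> 0
    return $page < 1 ? 1 : $page;
}

function build_link_hardened(array $get) {
    return tep_href_link(FILENAME_BANNER_MANAGER,
        'page=' . safe_page($get['page']) . '&bID=' . (int)$get['bID']);
}

// Constructed request: a 'page' value carrying harmless markup instead of a number.
$get = array('page' => '1"><b>x</b>', 'bID' => '7');

echo "vulnerable: " . build_link_vulnerable($get) . "\n";
echo "hardened:   " . build_link_hardened($get) . "\n";

// Where a value must be echoed into HTML rather than rebuilt as a number,
// encode it at the output point instead of trusting the request.
echo "encoded:    " . htmlspecialchars($get['page'], ENT_QUOTES) . "\n";
```

The hardened link carries only page=1&bID=7; the same int cast applies to 'zpage' in geo_zones.php and to the other scripts listed below.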
In all of the vulnerable scripts we have the same situation, but with different code.

####################
VULNERABLE SCRIPTS
####################

admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php

####################
TIMELINE
####################

Discovered: 27-09-2006
Vendor notify: 03-10-2006
Vendor response: ------
Vendor fix: --------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure: 04-10-2006

####################
EXAMPLES
####################

http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]
http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]
http://localhost/catalog/admin/countries.php?page=1[XSS-code]
http://localhost/catalog/admin/currencies.php?page=1[XSS-code]
http://localhost/catalog/admin/languages.php?page=1[XSS-code]
http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]
http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]
http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]
http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]
http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]
http://localhost/catalog/admin/reviews.php?page=1[XSS-code]
http://localhost/catalog/admin/specials.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]
http://localhost/catalog/admin/zones.php?page=1[XSS-code]

This is a simple malicious URL, but a more elaborate URL can be built in conjunction with other files that are not themselves vulnerable, like this:

http://localhost/catalog/admin/categories.php?action=new_product_preview&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]

########################
End
########################

Thanks to Estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....