πŸ—“οΈΒ 04 Oct 2006Β 00:00:00Reported byΒ LostmonTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 15Β Views

osCommerce Multiple Scripts XSS Vulnerability

###############################################  
osCommerce multiple Scripts 'page' param XSS  
Vendor url: http://www.oscommerce.com  
Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303  
Advisore: http://lostmon.blogspot.com/2006/10/  
oscommerce-multiple-scripts-page-param.html  
Vendor notify:yes  
###############################################  
  
  
osCommerce contains a flaw that allows a remote cross-site  
scripting attack. The flaw exists because the application does  
not validate the 'page' parameter when it is submitted to multiple  
scripts in the /admin folder. This could allow a user to create a  
specially crafted URL that would execute arbitrary script code in a  
user's browser within the trust relationship between the browser and  
the server, leading to a loss of integrity.  
  
The same situation exists in 'admin/geo_zones.php', but with the  
parameter 'zpage'.  
  
  
  
####################  
VERSIONS  
####################  
  
osCommerce 2.2 Milestone 2 Update 060817  
  
####################  
SOLUTION  
####################  
  
No solution was available at this time.  
  
  
#######################  
VULNERABLE CODE  
#######################  
  
Around line 30 in banner_manager.php we have:  
  
  
tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,  
'page=' . $HTTP_GET_VARS['page'] . '&bID=' .  
$HTTP_GET_VARS['bID']));  
  
  
  
The 'page' parameter is used directly, without sanitization.  
Around line 115 we have a similar situation: the 'page'  
parameter is read from the GET request without any sanitization.  
  
All of the vulnerable scripts have the same situation,  
but with different code.  
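The pattern above, with a hardened counterpart, as an added example that is not osCommerce code and not part of the original advisory. It replaces tep_href_link() with a minimal stand-in, build_link(), so the script runs on its own; the 'page' and 'bID' values are treated as what they are in the admin scripts (a page number and a record id), so the fix validates them as integers before use and escapes on output wherever a value is echoed into HTML:

```php
<?php
// Added example (not osCommerce code): the 'page' parameter from the
// advisory, handled unsafely and then safely. tep_href_link() is replaced
// by a minimal stand-in, build_link(), so this runs stand-alone.

declare(strict_types=1);

// Stand-in for tep_href_link(): appends the query string to a script path.
function build_link(string $script, string $query): string
{
    return '/catalog/admin/' . $script . '?' . $query;
}

// Vulnerable pattern from the advisory: the raw GET value is concatenated
// into the redirect target, so anything after the digit reaches the
// Location header and, wherever the link is echoed, the page markup.
function unsafe_redirect_target(array $get): string
{
    return build_link('banner_manager.php',
        'page=' . $get['page'] . '&bID=' . $get['bID']);
}

// Hardened form: reject anything that is not a non-negative integer
// instead of trying to "clean" it; a non-numeric page is never legitimate.
function safe_redirect_target(array $get): string
{
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $bID = filter_var($get['bID'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($page === false || $bID === false) {
        throw new InvalidArgumentException('page and bID must be integers');
    }
    return build_link('banner_manager.php', 'page=' . $page . '&bID=' . $bID);
}

// Output-side defence for any place that echoes a link or value into HTML.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input modelled on the advisory's "page=1[XSS-code]"
// URL; a harmless tag stands in for the payload.
$sample = ['page' => '1<b>', 'bID' => '7'];

echo 'unsafe: ' . unsafe_redirect_target($sample) . PHP_EOL;
echo 'escaped for HTML: ' . html_escape(unsafe_redirect_target($sample)) . PHP_EOL;

try {
    echo 'safe: ' . safe_redirect_target($sample) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected (' . $e->getMessage() . ')' . PHP_EOL;
}

// A well-formed request passes validation unchanged.
echo 'safe: ' . safe_redirect_target(['page' => '2', 'bID' => '7']) . PHP_EOL;
```

Running it with `php example.php` shows the raw value flowing straight into the unsafe link, the same link made inert by escaping, and the hardened function rejecting the bad input while accepting a numeric page. Input validation and output escaping are both kept because the advisory's second example shows the value travelling through another script's 'origin' parameter before it is rendered.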
  
####################  
VULNERABLE SCRIPTS  
####################  
  
admin/banner_manager.php  
admin/banner_statistics.php  
admin/countries.php  
admin/currencies.php  
admin/languages.php  
admin/manufacturers.php  
admin/newsletters.php  
admin/orders_status.php  
admin/products_attributes.php  
admin/products_expected.php  
admin/reviews.php  
admin/specials.php  
admin/stats_products_purchased.php  
admin/stats_products_viewed.php  
admin/tax_classes.php  
admin/tax_rates.php  
admin/zones.php  
  
####################  
Timeline  
####################  
  
Discovered: 27-09-2006  
Vendor notify:03-10-2006  
Vendor response:------  
Vendor fix:--------  
Disclosure: 03-10-2006 (vendor Bugtracker)  
Public disclosure:04-10-2006  
  
####################  
EXAMPLES  
####################  
  
http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]  
http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]  
http://localhost/catalog/admin/countries.php?page=1[XSS-code]  
http://localhost/catalog/admin/currencies.php?page=1[XSS-code]  
http://localhost/catalog/admin/languages.php?page=1[XSS-code]  
http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]  
http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]  
http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]  
http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]  
http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]  
http://localhost/catalog/admin/reviews.php?page=1[XSS-code]  
http://localhost/catalog/admin/specials.php?page=1[XSS-code]  
http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]  
http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]  
http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]  
http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]  
http://localhost/catalog/admin/zones.php?page=1[XSS-code]  
  
This is a simple malicious URL, but a more elaborate URL can be built  
in conjunction with other files that are not themselves vulnerable, like this:  
  
http://localhost/catalog/admin/categories.php?action=new_product_preview  
&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]  
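A defender-side check that follows from the examples above, as an added example that is not part of the original advisory: it scans access-log lines for requests to the admin scripts whose 'page' or 'zpage' value is not a plain integer after URL decoding. Because the advisory's last URL smuggles the parameter inside 'origin', the whole request target is searched rather than only the top-level query parameters. The log lines are constructed samples in common log format:

```php
<?php
// Added example (not from the advisory): a log check over constructed
// access-log lines to spot non-numeric 'page'/'zpage' values sent to the
// osCommerce admin scripts. Payloads are replaced by harmless markers.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [04/Oct/2006:10:12:01 +0000] "GET /catalog/admin/banner_manager.php?page=2&bID=7 HTTP/1.1" 200 5120
10.0.0.9 - - [04/Oct/2006:10:12:33 +0000] "GET /catalog/admin/banner_manager.php?page=1%3Cb%3E HTTP/1.1" 200 5301
10.0.0.9 - - [04/Oct/2006:10:13:02 +0000] "GET /catalog/admin/geo_zones.php?zpage=1%22%3E HTTP/1.1" 200 4880
10.0.0.7 - - [04/Oct/2006:10:14:10 +0000] "GET /catalog/admin/categories.php?action=new_product_preview&read=only&pID=12&origin=stats_products_viewed.php?page=2%3Cb%3E HTTP/1.1" 200 6011
10.0.0.5 - - [04/Oct/2006:10:15:00 +0000] "GET /catalog/index.php?page=3 HTTP/1.1" 200 9000
LOG;

/**
 * Return the suspicious requests: any request under /admin/ where a
 * page= or zpage= value, after URL decoding, is not a plain integer.
 * The parameter may sit inside another parameter (the 'origin' case
 * in the advisory), so the whole request target is scanned.
 */
function find_suspicious_page_params(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        if (strpos($target, '/admin/') === false) {
            continue; // the advisory only concerns the admin scripts
        }
        if (!preg_match_all('/\bz?page=([^&]*)/', $target, $all)) {
            continue;
        }
        foreach ($all[1] as $raw) {
            $value = rawurldecode($raw);
            if (!preg_match('/^\d+$/', $value)) {
                $hits[] = ['target' => $target, 'value' => $value];
                break; // one report per request line is enough
            }
        }
    }
    return $hits;
}

foreach (find_suspicious_page_params(SAMPLE_LOG) as $hit) {
    printf("suspicious page value %s in %s\n",
        json_encode($hit['value']), $hit['target']);
}
```

On the sample above this reports the second, third and fourth lines and ignores the normal admin request and the storefront request, which is outside the affected scripts. In production the same rule belongs in whatever inspects requests before they reach the application, since a regex over logs only tells you after the fact.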
  
######################## end #####################  
  
Thanks to Estrella for being my light.  
  
--   
Sincerely:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
--  
Curiosity is what makes the mind move....  

Vulners AI Score: 7.4 (High risk)