Vendor : osCommerce URL : http://www.oscommerce.com Version : All Current Versions Risk : Cross Site Scripting Description: osCommerce is an online shop e-commerce solution under on going development by the open source community. Its feature packed out-of-the-box installation allows store owners to setup, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved. Problem: osCommerce is vulnerable to a XSS flaw. The flaw can be exploited when a malicious user passes a malformed session ID to URI. Below is an example of the flaw. https://path/?osCsid=";><iframe src=http://www.gulftech.org></iframe> This condition seems to affect only secure https connections, but was convirmed by the developers to affect regular http connections in the current CVS version of osCommerce. Solution: This is the response from the developer. To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php. Before: if (isset($_sid)) { $link .= $separator . $_sid; } After: if (isset($_sid)) { $link .= $separator . tep_output_string($_sid); } osCommerce 2.2 Milestone 3 will redirect the user to the index page when a malformed session ID is used, so that a new session ID can be generated. Credits: Credits go to JeiAr of the GulfTech Security Research Team. http://www.gulftech.org
