Just verifying: this is a different instance of HTTP Response Splitting than the one reported (in the osCommerce CVS) by weirdan on November 20th, 2004 ?? http://www.oscommerce.com/community/bugs,2235 -Amit On 10 Jun 2005 at 12:22, GulfTech Security Research wrote: > ########################################################## > # GulfTech Security Research June 10th, 2005 > ########################################################## > # Vendor : osCommerce > # URL : http://www.oscommerce.com/ > # Version : osCommerce 2.2 Milestone 2 && Earlier > # Risk : HTTP Response Splitting > ########################################################## > > > > Description: > osCommerce is a very popular eCommerce application that allows for > individuals to host their own online shop. All current versions of > osCommerce are vulnerable to HTTP Response Splitting. These HTTP > Response Splitting vulnerabilities may allow for an attacker to > steal sensitive user information, or cause temporary web site > defacement. The suggested fix for this issue is to make sure that > CRLF sequences are not passed to the application. > > > > HTTP Response Splitting: > osCommerce is vulnerable to HTTP Response Splitting. The problem lies > in includes/application_top.php Here is some of the vulnerable code. > > // performed by the 'buy now' button in product listings and review page > case 'buy_now' : > if (isset($HTTP_GET_VARS['products_id'])) { > if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) { > tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . > $HTTP_GET_VARS['products_id'])); > } else { > $cart->add_cart($HTTP_GET_VARS['products_id'], > $cart->get_quantity($HTTP_GET_VARS['products_id'])+1); > } > } > tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters))); > break; > > In the tep_has_product_attributes() function the products_id variable is > typecast to an integer, and used in a query, so any malicious input > must be appended to a valid product id. Also, the product must have > attributes (product id 22 in the default install does). > > /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers! > > As we can see from the above example, the returned headers include out > "test" parameter. The same logic behind this vulnerability also applies > to the "cust_order" parameter. > > /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers! > > The only difference here is that the user must be logged in for this > particular example will work. Also vulnerable is the banner.php script. > When calling the script with the action parameter set to "url" an > attacker may include malicious data in the "goto" parameter. > > > > > Solution: > This was submitted to the osCommerce bugtracker several weeks ago. No > fix has been released as of today. Users may edit the source code to > prevent CRLF sequences from being passed to the application. > > > > Related Info: > The original advisory can be found at the following location > http://www.gulftech.org/?node=research&article_id=00080-06102005 > > > > Credits: > James Bercegay of the GulfTech Security Research Team
