
Re: osCommerce HTTP Response Splitting



Just verifying: this is a different instance of HTTP Response Splitting than
the one reported (in the osCommerce CVS) by weirdan on November 20th, 2004?

http://www.oscommerce.com/community/bugs,2235

-Amit


On 10 Jun 2005 at 12:22, GulfTech Security Research wrote:

> ##########################################################
> # GulfTech Security Research           June 10th, 2005
> ##########################################################
> # Vendor  : osCommerce
> # URL     : http://www.oscommerce.com/
> # Version : osCommerce 2.2 Milestone 2 && Earlier
> # Risk    : HTTP Response Splitting
> ##########################################################
> 
> 
> 
> Description:
> osCommerce is a very popular eCommerce application that allows for
> individuals to host their own online shop. All current versions of
> osCommerce are vulnerable to HTTP Response Splitting. These HTTP
> Response Splitting vulnerabilities may allow for an attacker to
> steal sensitive user information, or cause temporary web site
> defacement. The suggested fix for this issue is to make sure that
> CRLF sequences are not passed to the application.
> 
> 
> 
> HTTP Response Splitting:
> osCommerce is vulnerable to HTTP Response Splitting. The problem lies
> in includes/application_top.php. Here is some of the vulnerable code.
> 
> // performed by the 'buy now' button in product listings and review page
> case 'buy_now' :
> if (isset($HTTP_GET_VARS['products_id'])) {
>   if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
>     // the raw products_id value is echoed into the Location header here
>     tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
>   } else {
>     $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
>   }
> }
> tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
> break;
> 
> In the tep_has_product_attributes() function the products_id variable is
> typecast to an integer, and used in a query, so any malicious input
> must be appended to a valid product id. Also, the product must have
> attributes (product id 22 in the default install does).
> 
> /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers!
> 
> As we can see from the above example, the returned headers include our
> "test" parameter. The same logic behind this vulnerability also applies
> to the "cust_order" parameter.
> 
> /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers!
> 
> The only difference here is that the user must be logged in for this
> particular example to work. Also vulnerable is the banner.php script.
> When calling the script with the action parameter set to "url" an
> attacker may include malicious data in the "goto" parameter.
> 
> 
> 
> 
> Solution:
> This was submitted to the osCommerce bugtracker several weeks ago. No
> fix has been released as of today. Users may edit the source code to
> prevent CRLF sequences from being passed to the application.
> 
> 
> 
> Related Info:
> The original advisory can be found at the following location
> http://www.gulftech.org/?node=research&article_id=00080-06102005
> 
> 
> 
> Credits:
> James Bercegay of the GulfTech Security Research Team
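The following is an added example written for this thread; it is not code from the advisory, from GulfTech, or from osCommerce. It models the two defender-side steps the advisory implies: a scan over web-server request lines that flags query parameters whose percent-decoded value contains CR or LF (the %0d%0a sequences discussed above), and the suggested fix of stripping CR/LF before a value is echoed into a Location header, alongside a strict numeric check that rejects a suffixed product id instead of truncating it with an integer cast. The log lines, the function names and the `/product_info.php` path are constructed for the example.

```python
"""Added example, not osCommerce or GulfTech code.

1. scan_log(): flag request lines whose query values decode to CR or LF.
2. strip_crlf() / parse_product_id(): the mitigations the advisory points
   at, shown against a redirect header builder.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request lines in Common Log Format style. The second
# and third carry the %0d%0a sequences the advisory describes; the fourth
# is a normal banner.php redirect with a harmless, properly encoded URL.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2005:12:22:01 +0000] "GET /index.php?action=buy_now&products_id=22 HTTP/1.1" 302 0
10.0.0.6 - - [10/Jun/2005:12:22:07 +0000] "GET /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers! HTTP/1.1" 302 0
10.0.0.7 - - [10/Jun/2005:12:23:13 +0000] "GET /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers! HTTP/1.1" 302 0
10.0.0.8 - - [10/Jun/2005:12:24:19 +0000] "GET /banner.php?action=url&goto=http%3A%2F%2Fexample.invalid%2F HTTP/1.1" 302 0
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def crlf_params(request_target: str) -> Dict[str, str]:
    """Map parameter name -> percent-decoded value for every query
    parameter whose decoded value contains a CR or LF character."""
    query = urlsplit(request_target).query
    return {
        name: value
        for name, value in parse_qsl(query, keep_blank_values=True)
        if "\r" in value or "\n" in value
    }


def scan_log(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (request_target, [offending parameter names]) for each log
    line whose request carries CR/LF in a query value."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        hits = crlf_params(target)
        if hits:
            findings.append((target, sorted(hits)))
    return findings


def strip_crlf(value: str) -> str:
    """The advisory's suggested fix: make sure CR/LF sequences never reach
    the application's header output."""
    return value.replace("\r", "").replace("\n", "")


def parse_product_id(value: str) -> Optional[int]:
    """Strict replacement for an integer cast: a value such as
    '22\\r\\ntest' is rejected rather than silently becoming 22."""
    return int(value) if re.fullmatch(r"[0-9]+", value) else None


def location_header_lines(base_path: str, params: Dict[str, str],
                          sanitise: bool = True) -> List[str]:
    """Build a Location header the way a redirect helper would and return
    it split on CRLF, so the caller can count how many header lines the
    supplied values produced. With sanitise=True there is always one."""
    clean = strip_crlf if sanitise else (lambda v: v)
    query = "&".join(f"{k}={clean(v)}" for k, v in params.items())
    return f"Location: {base_path}?{query}".split("\r\n")


if __name__ == "__main__":
    for target, names in scan_log(SAMPLE_LOG):
        print(f"CRLF in {names}: {target}")
```

Running the block prints the two flagged request targets from the constructed log. The strict `parse_product_id` check is the stronger of the two mitigations for a numeric parameter: stripping CR/LF keeps the header to one line, but it still lets the trailing text through, whereas rejecting anything that is not all digits removes the whole class of input.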