Re: osCommerce HTTP Response Splitting
Just verifying: this is a different instance of HTTP Response Splitting than
the one reported (in the osCommerce CVS) by weirdan on November 20th, 2004?
http://www.oscommerce.com/community/bugs,2235
-Amit
On 10 Jun 2005 at 12:22, GulfTech Security Research wrote:
> ##########################################################
> # GulfTech Security Research June 10th, 2005
> ##########################################################
> # Vendor : osCommerce
> # URL : http://www.oscommerce.com/
> # Version : osCommerce 2.2 Milestone 2 && Earlier
> # Risk : HTTP Response Splitting
> ##########################################################
>
>
>
> Description:
> osCommerce is a very popular eCommerce application that allows
> individuals to host their own online shop. All current versions of
> osCommerce are vulnerable to HTTP Response Splitting. These HTTP
> Response Splitting vulnerabilities may allow for an attacker to
> steal sensitive user information, or cause temporary web site
> defacement. The suggested fix for this issue is to make sure that
> CRLF sequences are not passed to the application.
>
>
>
> HTTP Response Splitting:
> osCommerce is vulnerable to HTTP Response Splitting. The problem lies
> in includes/application_top.php. Here is some of the vulnerable code.
>
> // performed by the 'buy now' button in product listings and review page
> case 'buy_now' :
>   if (isset($HTTP_GET_VARS['products_id'])) {
>     if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
>       tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
>     } else {
>       $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
>     }
>   }
>   tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
>   break;
>
> In the tep_has_product_attributes() function the products_id variable is
> typecast to an integer, and used in a query, so any malicious input
> must be appended to a valid product id. Also, the product must have
> attributes (product id 22 in the default install does).
>
> /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers!
>
> As we can see from the above example, the returned headers include our
> "test" parameter. The same logic behind this vulnerability also applies
> to the "cust_order" parameter.
>
> /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers!
>
> The only difference here is that the user must be logged in for this
> particular example to work. Also vulnerable is the banner.php script.
> When calling the script with the action parameter set to "url" an
> attacker may include malicious data in the "goto" parameter.
>
>
>
>
> Solution:
> This was submitted to the osCommerce bugtracker several weeks ago. No
> fix has been released as of today. Users may edit the source code to
> prevent CRLF sequences from being passed to the application.
>
>
>
> Related Info:
> The original advisory can be found at the following location
> http://www.gulftech.org/?node=research&article_id=00080-06102005
>
>
>
> Credits:
> James Bercegay of the GulfTech Security Research Team