RE: osCommere HTTP Response Splitting (Solution)
After searching in vain, I couldn't find a solution to this at
oscommerce.com or through google, so I fixed it myself. Make the following
fix to tep_redirect() in /catalog/includes/functions/general.php:
function tep_redirect($url) {
if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) {
if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) {
$url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER));
}
}
// FIX for HTTP splitting vuln
// See http://www.gulftech.org/?node=research&article_id=00080-06102005
$url = eregi_replace("[\r\n]+(.*)$", "", $url);
// END fix
header('Location: ' . $url);
tep_exit();
}
More info here:
http://musingsofharry.blogspot.com/2005/06/oscommerce-http-splitting.html.
I've tested this against the p-o-c and it seems to work fine. Feedback
welcome.
Harry
-----Original Message-----
From: Amit Klein (AKsecurity) [mailto:aksecurity@xxxxxxxxxx]
Sent: 10 June 2005 21:02
To: BugTraq; OSVDB; Secunia Research; GulfTech Security Research
Subject: Re: osCommere HTTP Response Splitting
Just verifying: this is a different instance of HTTP Response Splitting than
the one
reported (in the osCommerce CVS) by weirdan on November 20th, 2004 ??
http://www.oscommerce.com/community/bugs,2235
-Amit
On 10 Jun 2005 at 12:22, GulfTech Security Research wrote:
> ##########################################################
> # GulfTech Security Research June 10th, 2005
> ##########################################################
> # Vendor : osCommerce
> # URL : http://www.oscommerce.com/
> # Version : osCommerce 2.2 Milestone 2 && Earlier
> # Risk : HTTP Response Splitting
> ##########################################################
>
>
>
> Description:
> osCommerce is a very popular eCommerce application that allows for
> individuals to host their own online shop. All current versions of
> osCommerce are vulnerable to HTTP Response Splitting. These HTTP
> Response Splitting vulnerabilities may allow for an attacker to
> steal sensitive user information, or cause temporary web site
> defacement. The suggested fix for this issue is to make sure that
> CRLF sequences are not passed to the application.
>
>
>
> HTTP Response Splitting:
> osCommerce is vulnerable to HTTP Response Splitting. The problem lies
> in includes/application_top.php Here is some of the vulnerable code.
>
> // performed by the 'buy now' button in product listings and review page
> case 'buy_now' :
> if (isset($HTTP_GET_VARS['products_id'])) {
> if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
> tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' .
> $HTTP_GET_VARS['products_id']));
> } else {
> $cart->add_cart($HTTP_GET_VARS['products_id'],
> $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
> }
> }
> tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
> break;
>
> In the tep_has_product_attributes() function the products_id variable is
> typecast to an integer, and used in a query, so any malicious input
> must be appended to a valid product id. Also, the product must have
> attributes (product id 22 in the default install does).
>
> /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers!
>
> As we can see from the above example, the returned headers include out
> "test" parameter. The same logic behind this vulnerability also applies
> to the "cust_order" parameter.
>
> /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers!
>
> The only difference here is that the user must be logged in for this
> particular example will work. Also vulnerable is the banner.php script.
> When calling the script with the action parameter set to "url" an
> attacker may include malicious data in the "goto" parameter.
>
>
>
>
> Solution:
> This was submitted to the osCommerce bugtracker several weeks ago. No
> fix has been released as of today. Users may edit the source code to
> prevent CRLF sequences from being passed to the application.
>
>
>
> Related Info:
> The original advisory can be found at the following location
> http://www.gulftech.org/?node=research&article_id=00080-06102005
>
>
>
> Credits:
> James Bercegay of the GulfTech Security Research Team