osCommerce is "an online shop e-commerce solution under on going development by the open source community. Its feature packed out-of-the-box installation allows store owners to setup, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved".
A cross-site scripting vulnerability in the product allows remote attackers to inject arbitrary HTML and/or JavaScript into the content returned by the web site using the product.
Credit:
The information has been provided by JeiAr.
Vulnerable systems:
* osCommerce version 2.2 Milestone 2 and prior
Immune systems:
* osCommerce version 2.2 Milestone 3
Problem:
osCommerce is vulnerable to an XSS flaw. The flaw is triggered when a malicious user supplies a malformed session ID in the URI: the value of the osCsid parameter is appended to the links the page generates without being escaped, so a value that closes the href attribute is rendered as markup. The following is an example of the flaw: https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>.
Solution:
This is the response from the developer. To fix the issue, the $_sid parameter needs to be wrapped in tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.
Before:
  if (isset($_sid)) {
    $link .= $separator . $_sid;
  }
After:
  if (isset($_sid)) {
    $link .= $separator . tep_output_string($_sid);
  }
osCommerce 2.2 Milestone 3 will redirect the user to the index page when a malformed session ID is used, so that a new session ID can be generated.
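The following PHP is an added illustration, not code from osCommerce or from this advisory. It contains a minimal stand-in for the link builder that appends osCsid unescaped (the flaw), the same builder with attribute-safe escaping (the fix; the real tep_output_string() is not reproduced, htmlspecialchars() with ENT_QUOTES stands in for it), and a well-formedness check of the kind Milestone 3 performs before redirecting to the index page. The host name, the character class accepted for a session ID and the two sample IDs are assumptions constructed for the example.

```php
<?php
// Added example, not osCommerce code. Shows why appending an unescaped
// session id to generated links is an XSS sink, and two mitigations.

// Minimal stand-in for tep_href_link(): builds a link and appends the session
// id the way the vulnerable 2.2 MS2 code did, with no escaping.
function build_link_unsafe(string $page, string $params, string $sid): string {
    $link = 'http://shop.example/' . $page;   // host name is an assumption
    $separator = '?';
    if ($params !== '') {
        $link .= '?' . $params;
        $separator = '&amp;';
    }
    if ($sid !== '') {
        $link .= $separator . 'osCsid=' . $sid;   // unescaped: the flaw
    }
    return $link;
}

// Same builder with the attribute-safe encoding the fix introduces. The real
// tep_output_string() is not reproduced; htmlspecialchars() with ENT_QUOTES
// is the general-purpose equivalent for a double-quoted HTML attribute.
function build_link_safe(string $page, string $params, string $sid): string {
    $link = 'http://shop.example/' . $page;
    $separator = '?';
    if ($params !== '') {
        $link .= '?' . $params;
        $separator = '&amp;';
    }
    if ($sid !== '') {
        $link .= $separator . 'osCsid=' . htmlspecialchars($sid, ENT_QUOTES, 'UTF-8');
    }
    return $link;
}

// Milestone 3 style defence: reject anything that does not look like a session
// id before it is used or echoed. The character class is an assumption
// (PHP's default session ids are alphanumeric, optionally with ',' and '-').
function is_well_formed_sid(string $sid): bool {
    return preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid) === 1;
}

// Constructed inputs: a plausible legitimate id and the payload shape from the advisory.
$good_sid = 'a9b1c2d3e4f5061728394a5b6c7d8e9f';
$evil_sid = '"><iframe src=http://www.gulftech.org></iframe>';

foreach ([$good_sid, $evil_sid] as $sid) {
    echo "osCsid: $sid\n";
    echo '  well-formed: ' . (is_well_formed_sid($sid)
        ? 'yes'
        : 'no (redirect to index and issue a new session id)') . "\n";
    echo '  unsafe:  <a href="' . build_link_unsafe('index.php', '', $sid) . '">link</a>' . "\n";
    echo '  escaped: <a href="' . build_link_safe('index.php', '', $sid) . '">link</a>' . "\n\n";
}
```

Run it with the php command-line interpreter. For the malicious id the unsafe line shows the leading double quote closing the href attribute and the iframe element landing in the page markup, while the escaped line shows the same input reduced to &quot;&gt;&lt;iframe ... inside the attribute; the well-formedness check rejects it outright, which is the behaviour Milestone 3 relies on.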