osCommerce Cross Site Scripting
Vendor: osCommerce
Product: osCommerce
Version: <= 2.2-MS2
Website: http://www.oscommerce.com/
BID: 9238
Description:
osCommerce is an online shop e-commerce solution under ongoing development by the open source community. Its feature-packed out-of-the-box installation allows store owners to set up, run, and maintain their online stores with minimum effort and with absolutely no costs or license fees involved.

Problem:
osCommerce is vulnerable to an XSS flaw. The flaw can be exploited when a malicious user passes a malformed session ID in the URI. Below is an example of the flaw.

https://path/?osCsid="><iframe src=http://www.gulftech.org></iframe>

This condition seems to affect only secure https connections, but was confirmed by the developers to affect regular http connections in the current CVS version of osCommerce.

Solution:
This is the response from the developer.

To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:
if (isset($_sid)) { $link .= $separator . $_sid; }

After:
if (isset($_sid)) { $link .= $separator . tep_output_string($_sid); }

osCommerce 2.2 Milestone 3 will redirect the user to the index page when a malformed session ID is used, so that a new session ID can be generated.
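The fix above rests on two defences: HTML-encoding the session ID before it is appended to a link (the tep_output_string() wrap), and rejecting a session ID that is not well-formed (what Milestone 3 does by redirecting to the index page). The following is an added example, not osCommerce's own code, that shows both with a minimal stand-in for tep_href_link(). The names tep_output_string_demo(), tep_href_link_demo() and is_valid_sid() are hypothetical; the host name and session IDs are constructed, and the stand-in for tep_output_string() assumes that plain htmlspecialchars() encoding is sufficient for an attribute value, which is the same effect the real function is relied on for here.

```php
<?php
// Added example, not part of osCommerce. Demonstrates why an unescaped
// session ID breaks out of the href attribute and how encoding stops it.

// Stand-in for tep_output_string(): HTML-encode so the value can neither
// close the surrounding attribute nor open a new tag. (Assumption: the
// real function in includes/functions/html_output.php relies on
// htmlspecialchars for this purpose.)
function tep_output_string_demo($string) {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// Minimal model of tep_href_link(): base page, optional query string,
// then the session parameter ("osCsid=<id>") appended with the right
// separator. $escape selects the "Before" or "After" behaviour from the
// developer's response.
function tep_href_link_demo($page, $parameters, $_sid, $escape) {
    $link = 'https://shop.example/' . $page;   // constructed host name
    $separator = '?';
    if ($parameters != '') {
        $link .= '?' . $parameters;
        $separator = '&';
    }
    if (isset($_sid)) {
        // Before: $link .= $separator . $_sid;
        // After:  $link .= $separator . tep_output_string($_sid);
        $link .= $separator . ($escape ? tep_output_string_demo($_sid) : $_sid);
    }
    return $link;
}

// Input-side check in the spirit of Milestone 3: a session ID that is not
// purely alphanumeric is malformed and should be discarded (and the user
// redirected so a fresh ID is generated) rather than echoed anywhere.
function is_valid_sid($id) {
    return is_string($id) && $id !== '' && ctype_alnum($id);
}

// Constructed sample IDs: one shaped like the advisory's payload, one normal.
$sample_ids = array(
    '"><iframe src=http://attacker.invalid></iframe>',
    '3f0c9a1b2e5d4c7a8b9f0e1d2c3b4a59',
);

foreach ($sample_ids as $id) {
    $_sid = 'osCsid=' . $id;
    echo 'well-formed: ' . (is_valid_sid($id) ? 'yes' : 'no') . "\n";
    // Unescaped: the first sample closes the attribute and injects markup.
    echo '<a href="' . tep_href_link_demo('index.php', '', $_sid, false) . "\">shop</a>\n";
    // Escaped: the same bytes stay inside the attribute as &quot;&gt;&lt;...
    echo '<a href="' . tep_href_link_demo('index.php', '', $_sid, true) . "\">shop</a>\n\n";
}
```

Run with `php example.php` and compare the two anchor tags printed for the first sample: without encoding the `"` terminates the href and the `<iframe>` becomes live markup; with encoding the entire value remains a (useless but harmless) query parameter. The is_valid_sid() check should run before the ID is ever used, since a session ID that fails it has no legitimate reason to reach an output function at all.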

Credits:
James Bercegay of the GulfTech Security Research Team.