osCommerce Multiple Vulnerabilities
Vendor: osCommerce
Product: osCommerce
Version: <= 2.2-MS2 060817
Website: http://www.oscommerce.com/
BID: 19644 19774
CVE: CVE-2006-4297 CVE-2006-4298
OSVDB: 29508 29509
SECUNIA: 15670
Description:
osCommerce is one of the most popular open source e-commerce web applications ever written. osCommerce allows webmasters to open a fully functioning online marketplace with little effort. Unfortunately, several new vulnerabilities have been discovered in the latest versions of osCommerce. These issues may allow an attacker to gather arbitrary information from the database, such as credit card information, user login information, or personal information. There are also issues with some of osCommerce's file handling functionality that may allow an attacker to gain access to sensitive data. The osCommerce team have released updates to address these vulnerabilities, and all users are encouraged to upgrade their osCommerce installations as soon as possible.


SQL injection:
All versions of osCommerce suffer from a high-risk SQL injection vulnerability that allows an attacker to select any data they wish from the database, such as credit card numbers, personal information, or password hashes. The SQL injection itself takes place in shopping_cart.php at lines 80 - 98:
while (list($option, $value) = each($products[$i]['attributes'])) {
  echo tep_draw_hidden_field('id[' . $products[$i]['id'] . '][' . $option . ']', $value);
  $attributes = tep_db_query("select popt.products_options_name, poval.products_options_values_name, pa.options_values_price, pa.price_prefix
                              from " . TABLE_PRODUCTS_OPTIONS . " popt, " . TABLE_PRODUCTS_OPTIONS_VALUES . " poval, " . TABLE_PRODUCTS_ATTRIBUTES . " pa
                              where pa.products_id = '" . $products[$i]['id'] . "'
                               and pa.options_id = '" . $option . "'
                               and pa.options_id = popt.products_options_id
                               and pa.options_values_id = '" . $value . "'
                               and pa.options_values_id = poval.products_options_values_id
                               and popt.language_id = '" . $languages_id . "'
                               and poval.language_id = '" . $languages_id . "'");
  $attributes_values = tep_db_fetch_array($attributes);

  $products[$i][$option]['products_options_name'] = $attributes_values['products_options_name'];
  $products[$i][$option]['options_values_id'] = $value;
  $products[$i][$option]['products_options_values_name'] = $attributes_values['products_options_values_name'];
  $products[$i][$option]['options_values_price'] = $attributes_values['options_values_price'];
  $products[$i][$option]['price_prefix'] = $attributes_values['price_prefix'];
}

The variables $option and $value are taken from $this->contents in the shopping cart class via the $cart->get_products() function call at line 76 of the script shopping_cart.php. Unfortunately, these shopping cart values are taken from session data that is not properly escaped and can be controlled by an attacker via the id[] array when adding a product to the cart. The reason the values are not properly escaped is that osCommerce's magic_quotes_gpc emulation is flawed with regard to sanitizing multi-dimensional arrays.

-99' UNION SELECT null,CONCAT(customers_password,'::',customers_email_address), null,null FROM customers/*

The id[] array is used to specify extra product attributes that a shop owner may add. Shown above is an example value that could be sent via the id[] array; when the shopping cart is viewed, a customer's password hash and login will be displayed. Even though the SQL is injected when adding a product, the vulnerability cannot actually be exploited until the shopping cart is viewed. No special access is needed to exploit this issue other than a normal customer account.
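As an added illustration (not osCommerce's code and not part of the original advisory), the following PHP contrasts an escaping pass that only walks one level of the request, which is the flaw described above, with a recursive pass that also reaches the nested id[products_id][option] values; the request array and its values are constructed for the example.

```php
<?php
// Added example, not osCommerce code: a magic_quotes_gpc emulation that only
// walks one level of the request arrays, beside a recursive version that also
// reaches nested keys such as id[products_id][option].

// Flawed: scalar values are escaped, nested arrays are skipped entirely.
function escape_one_level(array $data): array {
    foreach ($data as $key => $val) {
        if (!is_array($val)) {
            $data[$key] = addslashes($val);
        }
    }
    return $data;
}

// Fixed: recurse into every nested array so no depth is left unescaped.
function escape_recursive(array $data): array {
    foreach ($data as $key => $val) {
        $data[$key] = is_array($val) ? escape_recursive($val) : addslashes($val);
    }
    return $data;
}

// Constructed request: a product id plus an attribute value carrying a quote,
// mirroring the id[] structure the shopping cart later stores in the session.
$request = [
    'products_id' => '29',
    'id' => ['29' => ['4' => "5' /* constructed */"]],
];

$flawed = escape_one_level($request);
$fixed  = escape_recursive($request);

// The nested value reaches the query untouched in the flawed version...
assert($flawed['id']['29']['4'] === "5' /* constructed */");
// ...and arrives with its quote escaped in the recursive version.
assert($fixed['id']['29']['4'] === "5\\' /* constructed */");

// Escaping every input was the fix of the day; a prepared statement with
// bound parameters removes the dependency on input escaping altogether.
```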


Arbitrary File Access:
One weak point of osCommerce is the lack of traversal checks when dealing with certain filesystem functions. For example, let's have a look at the following code from cache.php, specifically the tep_cache_also_purchased() function:
  if (($refresh == true) || !read_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id'], $auto_expire)) {
    ob_start();
    include(DIR_WS_MODULES . FILENAME_ALSO_PURCHASED_PRODUCTS);
    $cache_output = ob_get_contents();
    ob_end_clean();
    write_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id']);
  }

The tep_cache_also_purchased() function is not the only place where the read and write cache functions are called with GPC parameters; the functions tep_cache_manufacturers_box() and tep_cache_categories_box() are vulnerable too. Now let's have a look at some of the code from the cache functions that read and write osCommerce cache files:
////
//! Write out serialized data.
//  write_cache uses serialize() to store $var in $filename.
//  $var      -  The variable to be written out.
//  $filename -  The name of the file to write to.
  function write_cache(&$var, $filename) {
    $filename = DIR_FS_CACHE . $filename;
    $success = false;

// try to open the file
    if ($fp = @fopen($filename, 'w')) {
// obtain a file lock to stop corruptions occurring
      flock($fp, 2); // LOCK_EX
// write serialized data
      fputs($fp, serialize($var));
// release the file lock
      flock($fp, 3); // LOCK_UN
      fclose($fp);
      $success = true;
    }

    return $success;
  }

It seems that this vulnerability is only useful for enumerating the existence of files on the system, but it also discloses the full path to a writeable directory, which could come in handy to an attacker.
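An added example, not part of osCommerce or this advisory, of how the cache file name could be built so that the products_id parameter cannot leave the cache directory; the DIR_FS_CACHE value and the sample inputs are assumed for the demonstration.

```php
<?php
// Added example, not osCommerce code: derive a cache file name from a request
// parameter without letting it escape the cache directory. DIR_FS_CACHE is
// assumed to be the shop's cache directory with a trailing slash.
define('DIR_FS_CACHE', '/var/www/shop/cache/');

// Returns the full cache path, or null when the untrusted part is unacceptable.
function safe_cache_file(string $prefix, string $untrusted): ?string {
    // Allowlist the characters a product id can contain and nothing else:
    // '/', '\\', '.', NUL bytes and therefore any '..' sequence fail this test.
    // \z rather than $ so a trailing newline cannot slip past the anchor.
    if (!preg_match('/^[A-Za-z0-9_{}-]+\z/', $untrusted)) {
        return null;
    }
    $path = DIR_FS_CACHE . $prefix . $untrusted;
    // Defence in depth: the directory part of the result must still be the
    // cache directory, whatever the allowlist above lets through.
    if (dirname($path) . '/' !== DIR_FS_CACHE) {
        return null;
    }
    return $path;
}

// Constructed inputs: a normal product id and a traversal attempt.
$ok  = safe_cache_file('also_purchased-english.cache', '29');
$bad = safe_cache_file('also_purchased-english.cache', '../../etc/passwd');

assert($ok === '/var/www/shop/cache/also_purchased-english.cache29');
assert($bad === null);
```

The same check belongs in front of every read_cache()/write_cache() call that takes its file name from a request parameter, not only in tep_cache_also_purchased().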


Solution:
Harald Ponce de Leon was very prompt and professional in addressing these issues.

http://forums.oscommerce.com/index.php?showtopic=223556&pid=918371

The above link contains all relevant upgrade information for osCommerce users. Users are strongly advised to upgrade their installations as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team