HTML Injection, XSS and File Disclosure Patch
in osCommerce Online Merchant v2.2 RC2a/RC1 (maybe others)
by David Sopas Ferreira
Found and reported at : 1-05-2008PT
Full disclosure at : 5-05-2008PT
-----------------------------------------------------------
XSS and HTML Injection
----------------------
In this great open-source PHP program I found some minor
flaws. I call them minor because they need admin access to be
executed, but they can still be used to steal another admin's
session or something along those lines.
The problem exists on the following files:
- manufacturers.php
- zones.php
- categories.php
- products_attributes.php
- administrators.php
A user could insert malicious HTML or JavaScript into the
input text fields, and it would be executed when an admin
views that page.
I also found XSS in these files:
- categories.php
- orders.php
Examples:
categories.php?cPath=1_4&pID=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&action=new_product_preview&read=only
categories.php?action=new_product_preview&read=only&pID=27&origin=stats_products_viewed.php?page=1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
orders.php?cID=2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
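The pID and cID parameters above are reflected into the admin page without encoding. The following is an added example, not osCommerce code and not from the advisory's author: it shows the unsafe concatenation pattern next to the encoded form that stops the reflected XSS, plus integer validation for identifiers that should never carry text. The function names are hypothetical; htmlspecialchars() and ctype_digit() are standard PHP. The input string is constructed from the first URL above, as PHP sees it after decoding %22%3E.

```php
<?php
// Added example, not osCommerce code: how a query parameter such as
// pID ends up in admin HTML, first as the advisory describes it and
// then with the encoding that stops the reflected XSS.

// Vulnerable pattern: the raw value is concatenated into an attribute,
// so a double quote closes the attribute and the rest is parsed as markup.
function render_hidden_unsafe($pid)
{
    return '<input type="hidden" name="pID" value="' . $pid . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES
// covers both quote styles, and naming the charset avoids encoding
// mismatches between PHP and the page.
function render_hidden_safe($pid)
{
    return '<input type="hidden" name="pID" value="'
         . htmlspecialchars($pid, ENT_QUOTES, 'UTF-8') . '">';
}

// Identifiers that must be numeric should be validated as well as
// encoded: an integer cannot carry markup at all.
function product_id_or_null($raw)
{
    return ctype_digit((string) $raw) ? (int) $raw : null;
}

// Constructed input mirroring the advisory's pID value after decoding.
$input = '"><script>alert(document.cookie)</script>';
echo render_hidden_unsafe($input), "\n";   // attribute is broken, markup rendered
echo render_hidden_safe($input), "\n";     // stays inert text inside the attribute
var_dump(product_id_or_null($input), product_id_or_null('27'));
```

The same encoding applies to stored values from the manufacturers, zones, categories, product attributes and administrators forms: encode every untrusted value at the point where it is written into HTML, in the context (attribute or element body) where it lands.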
I found others, but they had already been reported by
Lostmon (lostmon@gmail.com) for the osCommerce 2.2
Milestone 2 version and are still unpatched.
-----------------------------------------------------------
File disclosure
---------------
The bug found by l0om (l0om@excluded.org) is still open.
After searching for a patch without success, I coded a
temporary one.
Overwrite line 66 of file_manager.php, the case "download"
branch, with the following:

case 'download':
  // Decode once, then validate the decoded value. Checking before
  // decoding would let an encoded ".." (%2e%2e) pass the test and
  // only turn into a traversal sequence when decoded for readfile().
  $filename_filtered = urldecode($HTTP_GET_VARS['filename']);
  // Literal match for ".."; the original ereg() call behaves the
  // same but was removed in PHP 7.
  if (strpos($filename_filtered, '..') !== false) {
    $filename_filtered = '';
  }
  header('Content-type: application/x-octet-stream');
  header('Content-disposition: attachment; filename=' . $filename_filtered);
  readfile($current_path . '/' . $filename_filtered);
  exit;
  break;
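Rejecting ".." blocks the traversal the advisory describes, but it does not stop absolute paths or symlinks inside the managed directory. The following is an added example, not osCommerce code and not the advisory's patch: a containment check that resolves the requested name to a canonical path and only serves it if that path lies under the download directory. $current_path and the filename parameter are the names used in the patch above; safe_download_path() and the constructed inputs at the bottom are assumptions made for this example.

```php
<?php
// Added example, not osCommerce code and not the advisory's patch:
// compare canonical paths instead of only rejecting "..".

function safe_download_path($current_path, $requested)
{
    $base = realpath($current_path);
    if ($base === false) {
        return false;                       // managed directory missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);

    // PHP already decodes query parameters; the advisory's code decodes
    // once more, so do the same here, then keep only the file name.
    // Any directory component, encoded or not, is discarded.
    $name = basename(urldecode($requested));
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }

    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return false;                       // no such file
    }

    // realpath() resolves symlinks, so a link inside the managed
    // directory that points elsewhere fails this prefix test too.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $target;
}

// Stand-alone usage with constructed input: this script's own
// directory as the managed directory, its own name as one request
// and a traversal attempt at a file that does not exist as another.
$allowed = safe_download_path(__DIR__, basename(__FILE__));
$blocked = safe_download_path(__DIR__, '..' . DIRECTORY_SEPARATOR . 'missing-file');
var_dump($allowed, $blocked);
```

In the download branch the call would replace the ".." test: if safe_download_path($current_path, $HTTP_GET_VARS['filename']) returns false, respond with an error and exit; otherwise pass the returned path to readfile() and use basename() of it in the Content-disposition header, so the header never carries raw user input either.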
-----------------------------------------------------------
Final words
-----------
I emailed this information to oscommerce.com and still
haven't received any reply. I didn't test version 3.0, but
I bet some of the XSS are still present. In my opinion they
will not fix the older versions; they must be dedicating all
their time to the 3.0 versions, but they need to know that
osCommerce 2.2 RC2a and RC1 are still used by many stores.
I want to give credit to Lostmon and l0om for their findings,
which are still unpatched.