###############################################
osCommerce multiple Scripts 'page' param XSS
Vendor url: https://www.oscommerce.com
Vendor Bugtracker:https://www.oscommerce.com/community/bugs,4303
Advisore: https://lostmon.blogspot.com/2006/10/
oscommerce-multiple-scripts-page-param.html
Vendor notify:yes
###############################################


osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'page' param upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.

The same situation is done in 'admin/geo_zones.php' but with
param 'zpage'.



####################
vERSIONS
####################

osCommerce 2.2 Milestone 2 Update 060817

####################
SOLUTION
####################

no solution was available at this time.


#######################
VULNERABLE CODE
#######################

Arround  the line 30 in banner_manager.php we


tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,
 'page=' . $HTTP_GET_VARS['page'] . '&bID=' .
 $HTTP_GET_VARS['bID']));



the page param is called directly , not sanitize.
arround line 115 we have a similar situation ,
we GET page param without sanitice in any GET request.

In all of scripts vulnerables, we have the same situation,
but with diferent code

####################
scripts vulnerables
####################

admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php

####################
Timeline
####################

Discovered: 27-09-2006
Vendor notify:03-10-2006
Vendor response:------
Vendor fix:--------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure:04-10-2006

####################
EXAMPLES
####################

https://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]
https://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]
https://localhost/catalog/admin/countries.php?page=1[XSS-code]
https://localhost/catalog/admin/currencies.php?page=1[XSS-code]
https://localhost/catalog/admin/languages.php?page=1[XSS-code]
https://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]
https://localhost/catalog/admin/newsletters.php?page=1[XSS-code]
https://localhost/catalog/admin/orders_status.php?page=1[XSS-code]
https://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]
https://localhost/catalog/admin/products_expected.php?page=1[XSS-code]
https://localhost/catalog/admin/reviews.php?page=1[XSS-code]
https://localhost/catalog/admin/specials.php?page=1[XSS-code]
https://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]
https://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]
https://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]
https://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]
https://localhost/catalog/admin/zones.php?page=1[XSS-code]

this is a simple evil url but we can do some moore elaborate url
in conjuncion with other archives not vulnerables... like this:

https://localhost/catalog/admin/categories.php?action=new_product_preview
&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]

######################## €nd #####################

Thnx to Estrella to be my ligth.

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: https://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....