RE: osCommere HTTP Response Splitting (Solution)

["Harry Metcalfe" <harry () slaptop com>]

After searching in vain, I couldn't find a solution to this at
oscommerce.com or through google, so I fixed it myself. Make the following
fix to tep_redirect() in /catalog/includes/functions/general.php:

function tep_redirect($url) {
 if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { 
  if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { 
    $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); 
  }
 }

 // FIX for HTTP splitting vuln 
 // See http://www.gulftech.org/?node=research&article_id=00080-06102005
 
 $url = eregi_replace("[\r\n]+(.*)$", "", $url);
 
 // END fix
 
 header('Location: ' . $url);
 
 tep_exit();
}

More info here:
http://musingsofharry.blogspot.com/2005/06/oscommerce-http-splitting.html.
I've tested this against the p-o-c and it seems to work fine. Feedback
welcome.

Harry



-----Original Message-----
From: Amit Klein (AKsecurity) [mailto:aksecurity () hotpop com] 
Sent: 10 June 2005 21:02
To: BugTraq; OSVDB; Secunia Research; GulfTech Security Research
Subject: Re: osCommere HTTP Response Splitting

Just verifying: this is a different instance of HTTP Response Splitting than
the one 
reported (in the osCommerce CVS) by weirdan on November 20th, 2004 ??

http://www.oscommerce.com/community/bugs,2235

-Amit


On 10 Jun 2005 at 12:22, GulfTech Security Research wrote:

> ##########################################################
> # GulfTech Security Research           June 10th, 2005
> ##########################################################
> # Vendor  : osCommerce
> # URL     : http://www.oscommerce.com/
> # Version : osCommerce 2.2 Milestone 2 && Earlier
> # Risk    : HTTP Response Splitting
> ##########################################################
>
>
>
> Description:
> osCommerce is a very popular eCommerce application that allows for
> individuals to host their own online shop. All current versions of
> osCommerce are vulnerable to HTTP Response Splitting. These HTTP
> Response Splitting vulnerabilities may allow for an attacker to
> steal sensitive user information, or cause temporary web site
> defacement. The suggested fix for this issue is to make sure that
> CRLF sequences are not passed to the application.
>
>
>
> HTTP Response Splitting:
> osCommerce is vulnerable to HTTP Response Splitting. The problem lies
> in includes/application_top.php Here is some of the vulnerable code.
>
> // performed by the 'buy now' button in product listings and review page
> case 'buy_now' :       
> if (isset($HTTP_GET_VARS['products_id'])) {
>   if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
>     tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . 
> $HTTP_GET_VARS['products_id']));
>   } else {
>     $cart->add_cart($HTTP_GET_VARS['products_id'], 
> $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
>   }
> }
> tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
> break;
>
> In the tep_has_product_attributes() function the products_id variable is
> typecast to an integer, and used in a query, so any malicious input
> must be appended to a valid product id. Also, the product must have
> attributes (product id 22 in the default install does).
>
> /index.php?action=buy_now&products_id=22%0d%0atest:%20poison%20headers!
>
> As we can see from the above example, the returned headers include out
> "test" parameter. The same logic behind this vulnerability also applies
> to the "cust_order" parameter.
>
> /index.php?action=cust_order&pid=2%0d%0atest:%20poison%20headers!
>
> The only difference here is that the user must be logged in for this
> particular example will work. Also vulnerable is the banner.php script.
> When calling the script with the action parameter set to "url" an
> attacker may include malicious data in the "goto" parameter.
>
>
>
>
> Solution:
> This was submitted to the osCommerce bugtracker several weeks ago. No
> fix has been released as of today. Users may edit the source code to
> prevent CRLF sequences from being passed to the application.
>
>
>
> Related Info:
> The original advisory can be found at the following location
> http://www.gulftech.org/?node=research&article_id=00080-06102005
>
>
>
> Credits:
> James Bercegay of the GulfTech Security Research Team