osCommerce and osCMax shopping cart software forums

Customer Testimonials v1.0

  #1  
Old 05-10-2007, 06:22 AM
michael_s
osCMax Developer

 
Join Date: Jul 2002
Location: Phoenix, AZ
Posts: 10,287
Customer Testimonials v1.0

Thanks to Hayden's post in the forum at http://forums.oscommerce.com/index.php?showtopic=230089, there is a security risk to using this mod. Anyone could effectively issue a script command and control your server or site?...

Avoid this until a patch is issued.
Vulnerability found.
I have modded my Testimonials contrib to only use the customer's name and message; no other details are taken, so I'm not sure what other fields are vulnerable.

I've found that the following code, entered as the customer's name, shows a message box within the admin page. If entered as the testimonial body, it causes the 'delete', 'edit' and 'add new' buttons not to be shown on the admin page, effectively causing a DoS. I had to log into phpMyAdmin to remove it from the customer_testamonials table.

<script>alert(123);</script>

Also, this line entered as the testimonial body causes the same DoS effect, but luckily does not seem to include the specified file:

Therefore I propose that all fields entered by the customer are screened for such exploit attempts.

__________________
Michael Sasek
osCMax Developer
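As an added illustration (not code from the Customer Testimonials contribution or from the thread), here is the same customer input rendered by an admin listing that echoes stored fields raw versus one that HTML-encodes them on output, plus the submit-side screening the post proposes. The function names and the sample values are assumptions made for the example.

```php
<?php
// Added example, not code from the contribution. Shows why the admin page must
// HTML-encode every customer-supplied field before printing it.

// Vulnerable pattern: the stored field is echoed straight into the admin page,
// so stored <script> runs in the admin's browser and unbalanced tags break the
// table layout (the "buttons disappear" DoS described in the thread).
function render_row_unsafe($name, $body)
{
    return "<tr><td>$name</td><td>$body</td></tr>";
}

// Hardened pattern: encode <, >, &, " and ' so stored markup is displayed as text.
// Note that SQL escaping on insert (addslashes / tep_db_prepare_input in
// osCommerce 2.2) does not protect the HTML output; encoding must happen here.
// In core osCommerce 2.2, tep_output_string_protected() wraps htmlspecialchars().
function esc($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function render_row_safe($name, $body)
{
    return '<tr><td>' . esc($name) . '</td><td>' . esc($body) . '</td></tr>';
}

// Submit-side screening, as the post proposes: strip markup and cap the length.
// This is defence in depth; output encoding above is the control that matters.
function screen_field($value, $max = 2000)
{
    $value = trim(strip_tags((string) $value));
    return mb_substr($value, 0, $max);
}

// Constructed input: the proof-of-concept string from the thread as the name,
// and a body with an unbalanced closing tag (constructed) to show the layout break.
$name = '<script>alert(123);</script>';
$body = 'Great shop! </td></tr>';

echo render_row_unsafe($name, $body), "\n"; // script executes, row is malformed
echo render_row_safe($name, $body), "\n";   // shown literally as &lt;script&gt;..., layout intact
echo render_row_safe(screen_field($name), screen_field($body)), "\n"; // markup stripped on submit
```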
http://www.oscmax.com/forums/