Issue #10: August 19, 2002
By Harald Ponce de Leon
August 19, 2002
Cross Site Scripting Vulnerabilities
Checkout And Order Security Issues
Search Engine Safe Urls
PHP3 Compatibility
Windows Date Problem Readdressed
Installation Module Updates For PHP-CGI Servers
Whos Online Logic Update
File Upload Standards
Cross Site Scripting Vulnerabilities
Tamura Toshihiko informed the developers forum of cross site scripting vulnerabilities existing in the 2.2-CVS codebase.
The posting can be read at:
https://www.oscommerce.com/community.php/forum,2/action,read/i,16332/t,16332
Fixes to the problem areas have been commited, but we are still working on a complete solution by validating user input.
Mattice has submitted a global fix which can be used on live stores, which can be read at:
https://www.oscommerce.com/community.php/forum,2/action,read/i,16432/t,16432
Checkout And Order Security Issues
Geoff Ford forwarded issues concerning the checkout procedure and how orders are made. It is possible for a customer to bypass the checkout procedure and head straight to the processing logic creating false orders.
This issue is most serious to those offering downloadable products that may be active to the customer as soon as an order has been falsely made.
A fix to the problem has been commited which can be seen here:
https://marc.theaimsgroup.com/?l=tep-commits&m=102975528416119&w=2
Search Engine Safe Urls
The logic to the Search Engine Safe Urls feature has been updated to properly parse all GET parameters, including the session ID where necessary.
This update may cause robots to cycle in a live store - we are currently discussing possible solutions to overcome this issue.
One nice solution mentioned is to start the session only when it is needed, for example when adding a product to the cart, and when a customer logs in or creates an account.
PHP3 Compatibility
Updates to the code logic have been made to bring back PHP3 compatibility. The estimated minimum for PHP3 versions is 3.0.7 - tests on bringing back the PHP3 compatibility were done on 3.0.11, the earliest version found for Windows servers.
Windows Date Problem Readdressed
Michael Burke has forwarded an update to the logic used for parsing dates prior 1970 on Windows based servers.
Dates prior 1970 should now be displayed correctly.
Installation Module Updates For PHP-CGI Servers
The installation module has been updated to allow for easier installation with servers that have PHP setup as CGI.
If you encounter any problems with the provided default path parameters during the installation procedure, please forward relevant information to the developers forum.
Whos Online Logic Update
The logic to the whos online feature has been updated to use only the necessary session variables from the customer on the catalog side.
Previously if the customer was viewing the store in a foreign language, selecting their entry on the Whos Online feature would use that language variable on the Administration Tool itself.
The logic calculating the customers shopping cart total has also been updated to calculate the right tax amount if display_price_with_tax is enabled. The [sub]total price shown is the exact price shown to the customer in their shopping cart box.
File Upload Standards
A new standard has been defined to handle file upload processing - which is compatible with all PHP versions, taking advantage of the features available of the PHP version in use.
The API documentation for this standard will soon be added to the CVS repository.